Analysis

  • max time kernel: 140s
  • max time network: 139s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 31-10-2024 08:24

General

  • Target: 8272a93c42b422dc3b6a8e7853e31b0f_JaffaCakes118.exe
  • Size: 257KB
  • MD5: 8272a93c42b422dc3b6a8e7853e31b0f
  • SHA1: d927957e8e01719b6785c36ffbe7f6e93fdcc13a
  • SHA256: 61c06d1d999ca202d0ed8cbd5261edf9f5b2cc73c5991b0ff0e982f1e265b7c8
  • SHA512: 367162dbdea4db6c1bd7d83ca4070a848733f22463b4331700a2d9d5921bcc8b949a499bb56d2dbf4d97bc22ac757d719a23e4724af67b4459ab2c3a1c443599
  • SSDEEP: 6144:91OgDPdkBAFZWjadD4sZQE4igPHn3+ekzf6kIs:91OgLdaYQE4igfnOekzf6/s

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 4 IoCs
  • Modifies registry class 63 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8272a93c42b422dc3b6a8e7853e31b0f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8272a93c42b422dc3b6a8e7853e31b0f_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3172
    • C:\Users\Admin\AppData\Local\Temp\7zS78D9.tmp\setup.exe
      .\setup.exe /s
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • System policy modification
      PID:1384

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\wxDfast\uninstall.exe
    Filesize: 48KB
    MD5: a724dac649142fef71fe4b529684e969
    SHA1: e2878e84886ec53a1332ad969a825062526b5cd4
    SHA256: b58c58b5073034d74c5d93902bbb9d402be063e907bdf77115b55bbb99af21dc
    SHA512: 9f475ad52fa2b7f82e74df87c02e42f937b5e3b62773b7d51cb53facfcc8b4934ad3c2fc21496cfabaa4dd103a309ed5cccad1ad3d6037f6c4f3a540e3e9d5b3

  • C:\Users\Admin\AppData\Local\Temp\7zS78D9.tmp\[email protected]\bootstrap.js
    Filesize: 2KB
    MD5: b9165e81934c746e3a33afc6bde86143
    SHA1: ce38f37d26d5fa6309f4d42cbf470bc4a884b100
    SHA256: 3edbe3448cc74e7862db06fb08a8250c044a6aadbbea35a365560080eaaa3624
    SHA512: fab8731e561554bf3ac4a32950a4111d3bca7d9223727ed6eccca598777bd697606a11f658eae3d28f6dae16faf40fda7387d0e25cd8f3cb750c871f77178bc8

  • C:\Users\Admin\AppData\Local\Temp\7zS78D9.tmp\[email protected]\chrome.manifest
    Filesize: 116B
    MD5: 0ca64f11fed23c3ce65c9dc952da06bf
    SHA1: 677f5f8af8c9f468a80181162c95b8abc22c78ac
    SHA256: 241f3c8403ff5d271f71c0926882891d0287ac3bb9d4a476a12d2be944d037fd
    SHA512: 4b7f81546d725506e6e20aca0c3683ef9dba5d0a744343b7d5210d75f9bb7e54197b81d9a1dfc5cc3931452bb8c6ab1c7479e789e90d7d64c558f85b7862644a

  • C:\Users\Admin\AppData\Local\Temp\7zS78D9.tmp\[email protected]\content\bg.js
    Filesize: 8KB
    MD5: 7dd84f7f1a3ed50df2c4e6491b4ce7f2
    SHA1: 708805d2173036cd1acdcb912d047f87b6c35f1e
    SHA256: 0a78a54937c495b0f983533464d0f1f03620548bc17aeb7f0319ad9f28ebb741
    SHA512: a8b3aeb734383680492b98d409190d8aacf9348afd411244bec5c16045c9f8ea1dedd508d42b8828f8633c3dd7f14d994624b0e80db0b59a3f7f9754014fd9e2

  • C:\Users\Admin\AppData\Local\Temp\7zS78D9.tmp\[email protected]\content\zy.xul
    Filesize: 225B
    MD5: 8451a9bde3f167f02a0bede5f6018bb0
    SHA1: 3e624cd0961b6be15d0a5d8aa559dc3ead4c9f0e
    SHA256: cf96455ab3b4cd39dc055db6d58829fe7af76baee9f12ab700c125be54975ea0
    SHA512: 93cd44faa2a3ab11c32c6636a99d4a83f0ec5d1c40a3ba6cd71c0fcf29df42e82272be0c9b5a8991c6af9254243d10416603f1ab9eba5ebc2326f7ec7583791f

  • C:\Users\Admin\AppData\Local\Temp\7zS78D9.tmp\[email protected]\install.rdf
    Filesize: 714B
    MD5: 129368a461cbe89347149b661fec1cd7
    SHA1: 2460db6ffeeaf64e6d2386d7efe8a7d1ad7b5ba1
    SHA256: 95944f5393f755ad79874208553a5752ce892aacf27298102cbcaa9857a8d1a2
    SHA512: ec808fbc14567cd6df43a79af5cfab35180b69d45b31dd84562348df2c820e2f70ffa7ee80a9a7f9b9d8f708ce2daa2b450389f150088a56fb89efa8cc98b0ce

  • C:\Users\Admin\AppData\Local\Temp\7zS78D9.tmp\background.html
    Filesize: 4KB
    MD5: 83a5cb4d9a6052a9e6a8baa1338e6332
    SHA1: 8646868104d42e11aca12da5893894d94413a6dd
    SHA256: 16d5cd9125638a24ae52e23de1687e53c558540992e6d50219370cce9970e910
    SHA512: 1080c578972fc59f89c61e532a9ffb35796a76e8062caa44fcd8107bfe69d9ecb70b4877c750aed2c6fa4bca5a17a25f9cacf0a69eb13308bbc3c27eb4663630

  • C:\Users\Admin\AppData\Local\Temp\7zS78D9.tmp\bhoclass.dll
    Filesize: 164KB
    MD5: 474a025909c75c607905b9e2cae8a56f
    SHA1: 83ed7383c8aa53c6134a2b0a701b7b272c5c7c1e
    SHA256: 25ab733f417a9def519ff2443f38cff31baa02743cac803f53f662c875b9be5f
    SHA512: 29d14b6143a45c76904beb6d7ba2d8020f13cd407c66d6eed8825b9e722138f11945a3747988beda0f5bf33acbcb3fcdf8a411a2fc9b07fe501938dc590d03f1

  • C:\Users\Admin\AppData\Local\Temp\7zS78D9.tmp\content.js
    Filesize: 387B
    MD5: 4497e405e5f82116e181ecd7869f4eff
    SHA1: 40171e9e00c6a2e46e576b5dabff170789ebbe3f
    SHA256: 6454f2102569d06068decada3500355149e9e1637e6d83cb1d866ef1e9d455e3
    SHA512: e1c2897c91fbf3f3cc47a2af28506e33c31af37e1cf98d2f129de237c687924f5bcf9f540ce777c201821afd8c381ad58dcb91bd354b02b75ec0e0ac8f2a5df8

  • C:\Users\Admin\AppData\Local\Temp\7zS78D9.tmp\hojnehchbehcflfbgdjhlaodnjfglmeg.crx
    Filesize: 3KB
    MD5: 11bba9cb60372058319fb645a4a7f4a8
    SHA1: 46a9162e55326c5752822c45ddcbc59358bb61c8
    SHA256: c957b342733a61a4efbb78da5d1e1cda8cdd7e78cdd717274643a2e2f24a2a74
    SHA512: 16aafd3ce1b14b513595629f9424a8000374e31ca84b8e1ed1cdd7a35da06418b7f98748fd920ea1385f638fb6d6826b20f2884e6b9f6f94a07fcc36ff24cb3c

  • C:\Users\Admin\AppData\Local\Temp\7zS78D9.tmp\settings.ini
    Filesize: 892B
    MD5: 2b5eb8f91dced9637a33bb68ad22f8a9
    SHA1: 9a96700140b9831f060af99cee0e12954ffd0c72
    SHA256: ca411274296ee6083aecd82fd188f522ccf75c8493b335dfb4302ee7f77a00aa
    SHA512: b24a518a785c73950dcfb8d05020bb04b26fea6ba600c8f6a5e732e57d66db5ad1dfb874f1415ddbb08bf6d6e426cb9f196227ef00dff0a7b945df24d28fc1b7

  • C:\Users\Admin\AppData\Local\Temp\7zS78D9.tmp\setup.exe
    Filesize: 65KB
    MD5: 4ccf1a317aa8539c857835e4ebe9c806
    SHA1: 223b73d09d7398f40aff3ccc569e66cae3886ee9
    SHA256: 4529889c5575cd4e28b3691f0489c806442840292a9e459ada4dab3e024cc242
    SHA512: ecab68799b5a51c7d2a3735a9b3c17ba20a315618aa9575a5b02d5d4535716966031a26982012669f069dbfd8a6ab62f95737b7c402bf680f3a498900f627312

  • C:\Users\Admin\AppData\Local\Temp\nsa7A13.tmp\UserInfo.dll
    Filesize: 4KB
    MD5: 7579ade7ae1747a31960a228ce02e666
    SHA1: 8ec8571a296737e819dcf86353a43fcf8ec63351
    SHA256: 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
    SHA512: a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b