Analysis

max time kernel: 122s
max time network: 127s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 31/10/2024, 12:24
Static task: static1
Behavioral task: behavioral1
  Sample: 8303224aaa5db71190160308fe80deed_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 8303224aaa5db71190160308fe80deed_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General

Target: 8303224aaa5db71190160308fe80deed_JaffaCakes118.exe
Size: 1.1MB
MD5: 8303224aaa5db71190160308fe80deed
SHA1: e7e564710c65e2c53a40b640cc84e5b1106bc7a5
SHA256: 665eb5f535fb0f782e2484a043c69bd500d0ff305571554dde5969588d57a9ca
SHA512: 25c4a05987e85f3f12614cd0dcca5966bf3d62df3e886355e4dd77006700f6801ad3b5f8eb580886e617c64f3a7e637a712c5c12c9efcf0d047248067dc18ac1
SSDEEP: 24576:LO9GZX4vQR81GdMjdB3FYB+ljNhyxtzSgir7dwN3:LO9zk1dIyN
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
  pid   Process
  2664  ctfmon.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2384  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe
  2384  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other account data.

Unsecured Credentials: Credentials In Files (1 TTP)
Steals credentials from unsecured files.
Suspicious use of SetThreadContext (1 IoC)
  description                           pid   Process                                              procid_target
  PID 2384 set thread context of 2664   2384  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe  33

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ctfmon.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe
Note that the csc.exe and cvtres.exe hits come from Microsoft's own .NET build tools reading locale settings at startup; this key is opened by many benign processes, so the signature is low-confidence on its own and only the sample and the dropped ctfmon.exe are of interest here.

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  2384  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   2384  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description                          pid   Process                                              procid_target
  PID 2384 wrote to memory of 2744     2384  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe  30
  PID 2384 wrote to memory of 2744     2384  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe  30
  PID 2384 wrote to memory of 2744     2384  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe  30
  PID 2384 wrote to memory of 2744     2384  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe  30
  PID 2744 wrote to memory of 2780     2744  csc.exe                                              32
  PID 2744 wrote to memory of 2780     2744  csc.exe                                              32
  PID 2744 wrote to memory of 2780     2744  csc.exe                                              32
  PID 2744 wrote to memory of 2780     2744  csc.exe                                              32
  PID 2384 wrote to memory of 2664     2384  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe  33
  PID 2384 wrote to memory of 2664     2384  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe  33
  PID 2384 wrote to memory of 2664     2384  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe  33
  PID 2384 wrote to memory of 2664     2384  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe  33
  PID 2384 wrote to memory of 2664     2384  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe  33
  PID 2384 wrote to memory of 2664     2384  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe  33
  PID 2384 wrote to memory of 2664     2384  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe  33
  PID 2384 wrote to memory of 2664     2384  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe  33
  PID 2384 wrote to memory of 2664     2384  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe  33
  PID 2384 wrote to memory of 2664     2384  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe  33
Writes from a parent into a freshly created child are also produced by ordinary process creation, so the counts by themselves are not conclusive; the distinguishing signal is that PID 2664 (the dropped ctfmon.exe) receives ten writes and is also the target of the SetThreadContext call above, while csc.exe and cvtres.exe receive writes only.
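Added example, not part of the sandbox report or its tooling: a small Python triage script that parses the WriteProcessMemory and SetThreadContext rows above in the flat "PID <src> <action> <dst> <src> <source image> <procid_target>" layout the report uses, and reports only the source/target pairs that combine both, which is the process-hollowing sequence. The row layout and the regular expression built on it are assumptions about this report format; the event lines are the report's own rows, with the repeated rows reproduced by repetition counts (4, 4 and 10).

```python
import re
from collections import Counter

SAMPLE = "8303224aaa5db71190160308fe80deed_JaffaCakes118.exe"

# Constructed input: the 18 WriteProcessMemory rows and the single
# SetThreadContext row from the report, duplicated exactly as the report lists them.
IOC_LINES = (
    [f"PID 2384 wrote to memory of 2744 2384 {SAMPLE} 30"] * 4
    + ["PID 2744 wrote to memory of 2780 2744 csc.exe 32"] * 4
    + [f"PID 2384 wrote to memory of 2664 2384 {SAMPLE} 33"] * 10
    + [f"PID 2384 set thread context of 2664 2384 {SAMPLE} 33"]
)

# Assumed row layout: "PID <src> <action> <dst> <src> <image> <procid_target>".
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+)\s+\d+\s+(?P<image>\S+)\s+(?P<target_id>\d+)$"
)


def parse_events(lines):
    """Turn report rows into (action, src_pid, dst_pid, src_image) tuples.
    Rows that do not match the layout are skipped rather than guessed at."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            action = "write" if m["action"].startswith("wrote") else "setctx"
            events.append((action, int(m["src"]), int(m["dst"]), m["image"]))
    return events


def pair_write_counts(events):
    """WriteProcessMemory count per (source pid, target pid) pair."""
    return Counter((src, dst) for action, src, dst, _ in events if action == "write")


def find_hollowing(events):
    """Report (source, target) pairs where the source both wrote into the target
    and changed one of its thread contexts: the core of process hollowing
    (CreateProcess suspended, WriteProcessMemory, SetThreadContext, ResumeThread).
    Pairs with writes only are deliberately not reported, because a parent also
    writes into its child during ordinary process creation."""
    writes = pair_write_counts(events)
    image_of = {src: image for _, src, _, image in events}
    ctx_pairs = {(src, dst) for action, src, dst, _ in events if action == "setctx"}
    return [
        {
            "source_pid": src,
            "source_image": image_of[src],
            "target_pid": dst,
            "write_count": writes[(src, dst)],
        }
        for src, dst in sorted(ctx_pairs)
    ]


if __name__ == "__main__":
    parsed = parse_events(IOC_LINES)
    for pair, n in sorted(pair_write_counts(parsed).items()):
        print(f"{pair[0]} -> {pair[1]}: {n} write(s)")
    for finding in find_hollowing(parsed):
        print("hollowing candidate:", finding)
```

Run against the rows above, the script prints the three write pairs (4, 4 and 10) and a single hollowing candidate, PID 2384 into PID 2664; the csc.exe and cvtres.exe pairs are left alone because no SetThreadContext was recorded for them.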
Processes

C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe  (PID 2384)
  command line: "C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe  (PID 2744, child of 2384)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4xavzurb.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 2780, child of 2744)
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5E4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF5E3.tmp"
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Roaming\ctfmon.exe  (PID 2664, child of 2384)
    command line: C:\Users\Admin\AppData\Roaming\ctfmon.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

Two things in this tree deserve attention. csc.exe is the .NET 2.0 C# compiler being driven by a response file (@"...\4xavzurb.cmdline") in the user's Temp directory, so the sample compiles code at runtime; cvtres.exe is the resource converter csc.exe invokes as part of a normal build. The ctfmon.exe under AppData\Roaming is the dropped file flagged by "Executes dropped EXE", not the Windows binary of the same name in System32, and it is the process (PID 2664) that the SetThreadContext and WriteProcessMemory signatures name as the target.
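Added example, not from the report: the process tree above transcribed as tuples and run through two checks a triage analyst would apply to it, a system-binary name executing outside System32/SysWOW64, and a .NET compiler fed a response file by a parent that itself runs from an untrusted location. The SYSTEM_IMAGES set and the directory lists are illustrative assumptions rather than a complete inventory.

```python
import ntpath
import re

# Constructed input: the report's process tree as (pid, parent pid, image path,
# command line). The root process has no recorded parent in the report.
PROCESSES = [
    (2384, None,
     r"C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe"'),
    (2744, 2384,
     r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4xavzurb.cmdline"'),
    (2780, 2744,
     r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
     r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5E4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF5E3.tmp"'),
    (2664, 2384,
     r"C:\Users\Admin\AppData\Roaming\ctfmon.exe",
     r"C:\Users\Admin\AppData\Roaming\ctfmon.exe"),
]

# Assumed, illustrative lists: image names that only belong under the Windows
# system directories, the directories themselves, and locations a signed
# Microsoft tool is expected to be launched from.
SYSTEM_IMAGES = {"ctfmon.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "rundll32.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
TRUSTED_DIRS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")
COMPILERS = {"csc.exe", "vbc.exe"}
RESPONSE_FILE_RE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.IGNORECASE)


def _norm(path):
    """Case-fold and normalise a Windows path; ntpath works on any host OS."""
    return ntpath.normpath(path).lower()


def _under(path, roots):
    """True if path equals one of roots or lies beneath it."""
    p = _norm(path)
    return any(p == r or p.startswith(r + "\\") for r in roots)


def triage(procs):
    """Return a list of findings, each {"kind", "pid", "detail"}."""
    by_pid = {p[0]: p for p in procs}
    findings = []
    for pid, ppid, image, cmdline in procs:
        name = ntpath.basename(image).lower()
        parent = by_pid.get(ppid)

        # Check 1: a well-known system image name running from outside the
        # system directories (here: ctfmon.exe dropped into AppData\Roaming).
        if name in SYSTEM_IMAGES and not _under(ntpath.dirname(image), SYSTEM_DIRS):
            findings.append({"kind": "masquerade", "pid": pid, "detail": image})

        # Check 2: a .NET command-line compiler given a response file, launched
        # by a parent that does not live in a trusted directory. Keying on the
        # parent keeps ordinary builds and PowerShell Add-Type out of the results.
        if name in COMPILERS:
            m = RESPONSE_FILE_RE.search(cmdline)
            if m and parent is not None and not _under(parent[2], TRUSTED_DIRS):
                findings.append({"kind": "runtime-compile", "pid": pid, "detail": m.group(1)})
    return findings


if __name__ == "__main__":
    for f in triage(PROCESSES):
        print(f"{f['kind']:16} pid {f['pid']}: {f['detail']}")
```

The second check looks at the parent's location rather than at csc.exe alone because PowerShell's Add-Type also spawns csc.exe with a .cmdline response file in Temp; what separates this tree from that benign case is that the parent is an executable running from the user's Temp directory.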
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 5KB
MD5: 1b582355a571c1e18da584d78600be64
SHA1: 143b8227eb9aeba18e905a0051c923c03572db9b
SHA256: 0c5a111bc81a948fb8fa80bf8f831655b45c0dab8b82687b40e68cb8077399b8
SHA512: 417c70e3134effa0b2e0466fac5ceafbf71ca9482e369137732da05d8c2d64e250c745b7c83922d6d677a83c78c280bb7d98c657fb159ea7571bbb3484bf9a53

Filesize: 1KB
MD5: 4bd860abfa72107a70d7a4d3903cbaeb
SHA1: 5c23c19e46c1c272d2c1ea6b1d2d78a9ac1fbadc
SHA256: 441c8d8439bdb51c829a535bd797c8756b19f0dc95818844d231c064a3523c13
SHA512: 958ddb47edc119142beb28f25dfb3b0bf153b307e03ba39d682cde7180322f6c9472cf93c05e051793eced83e8356cc1215811864de0d45aa9ccc09f72fa0d09

Filesize: 20KB
MD5: e32cdc2a701efc0c43ba95d99bcf9e32
SHA1: 2b293b5c64fabea0e7b4c23e519829ce3fc2da0e
SHA256: da79b35907e16d73c73fdcef017a79cf78091a4b3daeb7834cb72783d8b79e0e
SHA512: 7cf10ce268bacef2a222ecd1b4cacf7c99d40175cb754f1dbb4db18977e84831654666265498a895b27d3954bb9905277f2420f07c273051a6e6c59988c141c6

Filesize: 4KB
MD5: 2216d197bc442e875016eba15c07a937
SHA1: 37528e21ea3271b85d276c6bd003e6c60c81545d
SHA256: 2e9e3da7bfa1334706550bb4d6269bf3e64cbbc09fa349af52eb22f32aebb4af
SHA512: 7d7bdc3bf83ac0a29e917ead899dcaa1b47ee2660f405fe4883ca2a2546f7924265e1d75a2ea02c0e34fac4d2bb82bbaaa88d06c240afad4e9fd49337cd04d3f

Filesize: 206B
MD5: 75e249519e1942172ca77381b71dcf93
SHA1: bdef99d25d60059c1768a3a5fb43bd9b7c045664
SHA256: 2969546ead7e1b81f57c03bc4ebee0dee0bb0191eedbc80709c996525beb29ad
SHA512: 073e03fc6d107bb08db06e0230fc0c11ee2ee6d5abb034ff27eb29626f3a85fd4d7e819d5836a22b603fba7c5a13a92d092b007f69ea6f394cc3e1dc915daa95

Filesize: 652B
MD5: 4080c61ae44490976eaa94f11f2e9de0
SHA1: 1a536aec4723fb9bfea9919beb712cc845182c15
SHA256: a7fbb0d557a808ed977d09b8914f2387a2a23e65c93c5e00792e90bc27881d78
SHA512: 5efe09c3edfae3acea1f7dcf81d6fb8a3b90f13efdf239d60cd5e3841a5efd2b7812a68f80b79d1c3d097c0f111ae9a8309d20679218c97c4dde145a69f8a042