Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/10/2024, 12:24

General

  • Target

    8303224aaa5db71190160308fe80deed_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    8303224aaa5db71190160308fe80deed

  • SHA1

    e7e564710c65e2c53a40b640cc84e5b1106bc7a5

  • SHA256

    665eb5f535fb0f782e2484a043c69bd500d0ff305571554dde5969588d57a9ca

  • SHA512

    25c4a05987e85f3f12614cd0dcca5966bf3d62df3e886355e4dd77006700f6801ad3b5f8eb580886e617c64f3a7e637a712c5c12c9efcf0d047248067dc18ac1

  • SSDEEP

    24576:LO9GZX4vQR81GdMjdB3FYB+ljNhyxtzSgir7dwN3:LO9zk1dIyN

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4xavzurb.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5E4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF5E3.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2780
    • C:\Users\Admin\AppData\Roaming\ctfmon.exe
      C:\Users\Admin\AppData\Roaming\ctfmon.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2664

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\4xavzurb.dll

          Filesize

          5KB

          MD5

          1b582355a571c1e18da584d78600be64

          SHA1

          143b8227eb9aeba18e905a0051c923c03572db9b

          SHA256

          0c5a111bc81a948fb8fa80bf8f831655b45c0dab8b82687b40e68cb8077399b8

          SHA512

          417c70e3134effa0b2e0466fac5ceafbf71ca9482e369137732da05d8c2d64e250c745b7c83922d6d677a83c78c280bb7d98c657fb159ea7571bbb3484bf9a53

        • C:\Users\Admin\AppData\Local\Temp\RESF5E4.tmp

          Filesize

          1KB

          MD5

          4bd860abfa72107a70d7a4d3903cbaeb

          SHA1

          5c23c19e46c1c272d2c1ea6b1d2d78a9ac1fbadc

          SHA256

          441c8d8439bdb51c829a535bd797c8756b19f0dc95818844d231c064a3523c13

          SHA512

          958ddb47edc119142beb28f25dfb3b0bf153b307e03ba39d682cde7180322f6c9472cf93c05e051793eced83e8356cc1215811864de0d45aa9ccc09f72fa0d09

        • C:\Users\Admin\AppData\Roaming\ctfmon.exe

          Filesize

          20KB

          MD5

          e32cdc2a701efc0c43ba95d99bcf9e32

          SHA1

          2b293b5c64fabea0e7b4c23e519829ce3fc2da0e

          SHA256

          da79b35907e16d73c73fdcef017a79cf78091a4b3daeb7834cb72783d8b79e0e

          SHA512

          7cf10ce268bacef2a222ecd1b4cacf7c99d40175cb754f1dbb4db18977e84831654666265498a895b27d3954bb9905277f2420f07c273051a6e6c59988c141c6

        • \??\c:\Users\Admin\AppData\Local\Temp\4xavzurb.0.cs

          Filesize

          4KB

          MD5

          2216d197bc442e875016eba15c07a937

          SHA1

          37528e21ea3271b85d276c6bd003e6c60c81545d

          SHA256

          2e9e3da7bfa1334706550bb4d6269bf3e64cbbc09fa349af52eb22f32aebb4af

          SHA512

          7d7bdc3bf83ac0a29e917ead899dcaa1b47ee2660f405fe4883ca2a2546f7924265e1d75a2ea02c0e34fac4d2bb82bbaaa88d06c240afad4e9fd49337cd04d3f

        • \??\c:\Users\Admin\AppData\Local\Temp\4xavzurb.cmdline

          Filesize

          206B

          MD5

          75e249519e1942172ca77381b71dcf93

          SHA1

          bdef99d25d60059c1768a3a5fb43bd9b7c045664

          SHA256

          2969546ead7e1b81f57c03bc4ebee0dee0bb0191eedbc80709c996525beb29ad

          SHA512

          073e03fc6d107bb08db06e0230fc0c11ee2ee6d5abb034ff27eb29626f3a85fd4d7e819d5836a22b603fba7c5a13a92d092b007f69ea6f394cc3e1dc915daa95

        • \??\c:\Users\Admin\AppData\Local\Temp\CSCF5E3.tmp

          Filesize

          652B

          MD5

          4080c61ae44490976eaa94f11f2e9de0

          SHA1

          1a536aec4723fb9bfea9919beb712cc845182c15

          SHA256

          a7fbb0d557a808ed977d09b8914f2387a2a23e65c93c5e00792e90bc27881d78

          SHA512

          5efe09c3edfae3acea1f7dcf81d6fb8a3b90f13efdf239d60cd5e3841a5efd2b7812a68f80b79d1c3d097c0f111ae9a8309d20679218c97c4dde145a69f8a042

        • memory/2384-1-0x0000000074A20000-0x0000000074FCB000-memory.dmp

          Filesize

          5.7MB

        • memory/2384-2-0x0000000074A20000-0x0000000074FCB000-memory.dmp

          Filesize

          5.7MB

        • memory/2384-46-0x0000000074A20000-0x0000000074FCB000-memory.dmp

          Filesize

          5.7MB

        • memory/2384-0-0x0000000074A21000-0x0000000074A22000-memory.dmp

          Filesize

          4KB

        • memory/2664-33-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

        • memory/2664-40-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

        • memory/2664-41-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

        • memory/2664-37-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

        • memory/2664-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2664-31-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

        • memory/2664-29-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

        • memory/2664-27-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

        • memory/2664-25-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

        • memory/2664-44-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

        • memory/2744-16-0x0000000074A20000-0x0000000074FCB000-memory.dmp

          Filesize

          5.7MB

        • memory/2744-9-0x0000000074A20000-0x0000000074FCB000-memory.dmp

          Filesize

          5.7MB