Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/10/2024, 12:24

General

  • Target

    8303224aaa5db71190160308fe80deed_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    8303224aaa5db71190160308fe80deed

  • SHA1

    e7e564710c65e2c53a40b640cc84e5b1106bc7a5

  • SHA256

    665eb5f535fb0f782e2484a043c69bd500d0ff305571554dde5969588d57a9ca

  • SHA512

    25c4a05987e85f3f12614cd0dcca5966bf3d62df3e886355e4dd77006700f6801ad3b5f8eb580886e617c64f3a7e637a712c5c12c9efcf0d047248067dc18ac1

  • SSDEEP

    24576:LO9GZX4vQR81GdMjdB3FYB+ljNhyxtzSgir7dwN3:LO9zk1dIyN

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p8rgmf_7.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA336.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA335.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1524
    • C:\Users\Admin\AppData\Roaming\ctfmon.exe
      C:\Users\Admin\AppData\Roaming\ctfmon.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3532

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RESA336.tmp

          Filesize

          1KB

          MD5

          28a0995f7c2b0c3675cc827790773dc8

          SHA1

          765c7cc577c12ce8df1e4ee88c11627481e18eb3

          SHA256

          4fa0e119c99a780bc87eea3cc3dd37a7f5ffc7301f53b3069ea15e7b20545acb

          SHA512

          d06994e0220ff34c3e21716f7e289b113845004d29d0cc73b6c65bb4b6c3c3c97f079652310eaa542097aa20aec7a3d7dfb9a028faad95534d9c2b07e7a34e4e

        • C:\Users\Admin\AppData\Local\Temp\p8rgmf_7.dll

          Filesize

          5KB

          MD5

          30dafadade8850dcb3218fe9133aff95

          SHA1

          5218b9eb01f290934b8ba931722a87aa63b5f586

          SHA256

          8ed9f75bd8196681462b42c1a08264dc50a0fa515df6a0822e0ca6f93c9d657b

          SHA512

          aca7aabb3555aaafcaa58702db98ee4f31baf1a48562ff80945b385827e9f86b2423c8e53856429eb3d14750e2f4b74f85daa2a907d27f755bd974df72e314fe

        • C:\Users\Admin\AppData\Roaming\ctfmon.exe

          Filesize

          20KB

          MD5

          e32cdc2a701efc0c43ba95d99bcf9e32

          SHA1

          2b293b5c64fabea0e7b4c23e519829ce3fc2da0e

          SHA256

          da79b35907e16d73c73fdcef017a79cf78091a4b3daeb7834cb72783d8b79e0e

          SHA512

          7cf10ce268bacef2a222ecd1b4cacf7c99d40175cb754f1dbb4db18977e84831654666265498a895b27d3954bb9905277f2420f07c273051a6e6c59988c141c6

        • \??\c:\Users\Admin\AppData\Local\Temp\CSCA335.tmp

          Filesize

          652B

          MD5

          c07aaa3881e69bce52aa21297480d6e0

          SHA1

          043ce3f67cc38909bbc9983de4b4a0e7ac9def1b

          SHA256

          9b4d1d48fb580afa59d299eaaaee605d113f8bafa93b8fce5f52bad5450bd298

          SHA512

          5708b180c6a4b1bcedc569f611bc254062bd6e7aa66600fc7eb35fa03568cd981d1cdcff9276b379978926c126747e495653dcd065a3fd552239b40989decedf

        • \??\c:\Users\Admin\AppData\Local\Temp\p8rgmf_7.0.cs

          Filesize

          4KB

          MD5

          2216d197bc442e875016eba15c07a937

          SHA1

          37528e21ea3271b85d276c6bd003e6c60c81545d

          SHA256

          2e9e3da7bfa1334706550bb4d6269bf3e64cbbc09fa349af52eb22f32aebb4af

          SHA512

          7d7bdc3bf83ac0a29e917ead899dcaa1b47ee2660f405fe4883ca2a2546f7924265e1d75a2ea02c0e34fac4d2bb82bbaaa88d06c240afad4e9fd49337cd04d3f

        • \??\c:\Users\Admin\AppData\Local\Temp\p8rgmf_7.cmdline

          Filesize

          206B

          MD5

          87a5ac72919fa975d063abe109e2fe41

          SHA1

          08ef8ba471b330866f2fd1ac26b9c0168521b3a9

          SHA256

          0b6c7ddbbaea6dbcf3d0a2de0db82a51f3cea54fe6f6e1878c314d43c1ed78df

          SHA512

          8f951f519970c701d7c3f883a216930fae4386cfb5b74c911ccbe986ce779b10094e1be6bfc9ad8bda46cb85fa5b7b8c44dd14ea972e0bcfd3d31fe0c33590a5

        • memory/1284-9-0x0000000074A60000-0x0000000075011000-memory.dmp

          Filesize

          5.7MB

        • memory/1284-16-0x0000000074A60000-0x0000000075011000-memory.dmp

          Filesize

          5.7MB

        • memory/2096-0-0x0000000074A62000-0x0000000074A63000-memory.dmp

          Filesize

          4KB

        • memory/2096-2-0x0000000074A60000-0x0000000075011000-memory.dmp

          Filesize

          5.7MB

        • memory/2096-1-0x0000000074A60000-0x0000000075011000-memory.dmp

          Filesize

          5.7MB

        • memory/2096-26-0x0000000074A60000-0x0000000075011000-memory.dmp

          Filesize

          5.7MB

        • memory/3532-20-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

        • memory/3532-25-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

        • memory/3532-27-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

        • memory/3532-30-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB