Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/10/2024, 12:24

Static task: static1

Behavioral task: behavioral1
  Sample: 8303224aaa5db71190160308fe80deed_JaffaCakes118.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 8303224aaa5db71190160308fe80deed_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
- Target: 8303224aaa5db71190160308fe80deed_JaffaCakes118.exe
- Size: 1.1MB
- MD5: 8303224aaa5db71190160308fe80deed
- SHA1: e7e564710c65e2c53a40b640cc84e5b1106bc7a5
- SHA256: 665eb5f535fb0f782e2484a043c69bd500d0ff305571554dde5969588d57a9ca
- SHA512: 25c4a05987e85f3f12614cd0dcca5966bf3d62df3e886355e4dd77006700f6801ad3b5f8eb580886e617c64f3a7e637a712c5c12c9efcf0d047248067dc18ac1
- SSDEEP: 24576:LO9GZX4vQR81GdMjdB3FYB+ljNhyxtzSgir7dwN3:LO9zk1dIyN
Malware Config

Signatures
- Executes dropped EXE (1 IoCs)
    PID   Process
    3532  ctfmon.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Unsecured Credentials: Credentials In Files (1 TTPs)
  Steal credentials from unsecured files.
- Suspicious use of SetThreadContext (1 IoCs)
    Description                          PID   Process                                             Target PID
    PID 2096 set thread context of 3532  2096  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe  89
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    Description  IoC                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ctfmon.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
    PID   Process
    2096  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
    Description              PID   Process
    Token: SeDebugPrivilege  2096  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
    Description                       PID   Process                                             Target PID  Count
    PID 2096 wrote to memory of 1284  2096  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe  85          3
    PID 1284 wrote to memory of 1524  1284  csc.exe                                             88          3
    PID 2096 wrote to memory of 3532  2096  8303224aaa5db71190160308fe80deed_JaffaCakes118.exe  89          9
Processes
- C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe"
  PID: 2096
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p8rgmf_7.cmdline"
    PID: 1284
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA336.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA335.tmp"
      PID: 1524
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Roaming\ctfmon.exe
    Command line: C:\Users\Admin\AppData\Roaming\ctfmon.exe
    PID: 3532
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads