Analysis
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/11/2024, 06:36

Static task: static1

Behavioral task: behavioral1
Sample: 84e02b7e01c3cf953b300905a9865d81_JaffaCakes118.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 84e02b7e01c3cf953b300905a9865d81_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: 84e02b7e01c3cf953b300905a9865d81_JaffaCakes118.exe
Size: 1.9MB
MD5: 84e02b7e01c3cf953b300905a9865d81
SHA1: 745c8957ada912a0272bbc3985ffa4b0eac3dc16
SHA256: 156ea726a0ad6c8d77a5bdd4c7ed8581ea72bc77e3b3e011307e7fb706237c51
SHA512: 4d2981693e05cfd559d53c2a97f7a68f8b03149cf9473c087f810ba8e73dffed5600f2b85964891f4ac303a0bbb986056900caf75de0ffa2f82c3a21fa2c1ad2
SSDEEP: 49152:hOBcPtDsZ5CqzSD8ybRS3sYDoijJJADMnfknANKkgX25zPf2C397zS:hONZ5F
Malware Config
Signatures

- Modifies WinLogon for persistence (TTPs: 2, IoCs: 1)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\sdra64.exe," (process: 6_ldry3no.exe)

- Checks computer location settings (TTPs: 2, IoCs: 2)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation (process: 84e02b7e01c3cf953b300905a9865d81_JaffaCakes118.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation (process: 1your_exe.exe)

- Executes dropped EXE (IoCs: 10)
  PID 2344 teste1_p.exe
  PID 948 q1.exe
  PID 3136 avto.exe
  PID 3280 6_ldry3no.exe
  PID 3488 5_odbnsy.exe
  PID 400 4_pinnew.exe
  PID 1648 2_load.exe
  PID 2400 1your_exe.exe
  PID 744 1269190981.exe
  PID 3520 1_barac.exe

- Reads user/profile data of local email clients (TTPs: 2)
  Email clients store some user data on disk where infostealers will often target it.

- Reads user/profile data of web browsers (TTPs: 3)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Unsecured Credentials: Credentials In Files (TTPs: 1)
  Steal credentials from unsecured files.

- Accesses Microsoft Outlook profiles (TTPs: 1, IoCs: 1)
  Key opened: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: 4_pinnew.exe)

- Checks installed software on the system (TTPs: 1)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Indicator Removal: File Deletion (TTPs: 1)
  Adversaries may delete files left behind by the actions of their intrusion activity.

- Drops file in System32 directory (IoCs: 2)
  File opened for modification: C:\Windows\SysWOW64\sdra64.exe (process: 6_ldry3no.exe)
  File created: C:\Windows\SysWOW64\sdra64.exe (process: 6_ldry3no.exe)

- Suspicious use of SetThreadContext (IoCs: 1)
  PID 744 set thread context of 0 (process: 1269190981.exe)

- Enumerates physical storage devices (TTPs: 1)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (IoCs: 4)
  pid 4484, pid_target 1648, process WerFault.exe
  pid 1936, pid_target 2344, process WerFault.exe, procid_target 85
  pid 3380, pid_target 3136, process WerFault.exe, procid_target 88
  pid 2576, pid_target 948, process WerFault.exe, procid_target 87
- System Location Discovery: System Language Discovery (TTPs: 1, IoCs: 12)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of the following processes: teste1_p.exe, avto.exe, cmd.exe, 4_pinnew.exe, 2_load.exe, 1your_exe.exe, 1269190981.exe, 84e02b7e01c3cf953b300905a9865d81_JaffaCakes118.exe, q1.exe, 6_ldry3no.exe, 5_odbnsy.exe, 1_barac.exe
- Suspicious behavior: EnumeratesProcesses (IoCs: 6)
  PID 3280 6_ldry3no.exe
  PID 3280 6_ldry3no.exe
  PID 3280 6_ldry3no.exe
  PID 3280 6_ldry3no.exe
  PID 400 4_pinnew.exe
  PID 400 4_pinnew.exe

- Suspicious use of AdjustPrivilegeToken (IoCs: 3)
  Token: SeDebugPrivilege, PID 3280 6_ldry3no.exe
  Token: SeDebugPrivilege, PID 400 4_pinnew.exe
  Token: SeIncBasePriorityPrivilege, PID 2400 1your_exe.exe

- Suspicious use of SetWindowsHookEx (IoCs: 1)
  PID 744 1269190981.exe

- Suspicious use of WriteProcessMemory (IoCs: 64)
  The 64 entries are repeated occurrences of the following source/target pairs (source PID and process, target PID, procid_target), listed here once each in order of first appearance:
  PID 3652 (84e02b7e01c3cf953b300905a9865d81_JaffaCakes118.exe) wrote to memory of PID 2344 (procid_target 85)
  PID 3652 (84e02b7e01c3cf953b300905a9865d81_JaffaCakes118.exe) wrote to memory of PID 948 (procid_target 87)
  PID 3652 (84e02b7e01c3cf953b300905a9865d81_JaffaCakes118.exe) wrote to memory of PID 3136 (procid_target 88)
  PID 3652 (84e02b7e01c3cf953b300905a9865d81_JaffaCakes118.exe) wrote to memory of PID 3280 (procid_target 89)
  PID 3652 (84e02b7e01c3cf953b300905a9865d81_JaffaCakes118.exe) wrote to memory of PID 3488 (procid_target 90)
  PID 3280 (6_ldry3no.exe) wrote to memory of PID 612 (procid_target 5)
  PID 3652 (84e02b7e01c3cf953b300905a9865d81_JaffaCakes118.exe) wrote to memory of PID 400 (procid_target 92)
  PID 3652 (84e02b7e01c3cf953b300905a9865d81_JaffaCakes118.exe) wrote to memory of PID 1648 (procid_target 94)
  PID 3652 (84e02b7e01c3cf953b300905a9865d81_JaffaCakes118.exe) wrote to memory of PID 2400 (procid_target 97)
  PID 3652 (84e02b7e01c3cf953b300905a9865d81_JaffaCakes118.exe) wrote to memory of PID 744 (procid_target 98)
  PID 3652 (84e02b7e01c3cf953b300905a9865d81_JaffaCakes118.exe) wrote to memory of PID 3520 (procid_target 102)

- outlook_win_path (IoCs: 1)
  Key opened: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: 4_pinnew.exe)
Processes

- C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  PID: 612

- C:\Users\Admin\AppData\Local\Temp\84e02b7e01c3cf953b300905a9865d81_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\84e02b7e01c3cf953b300905a9865d81_JaffaCakes118.exe"
  PID: 3652
  signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\teste1_p.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\teste1_p.exe"
    PID: 2344
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 576
      PID: 1936
      signatures: Program crash

  - C:\Users\Admin\AppData\Local\Temp\q1.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\q1.exe"
    PID: 948
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 588
      PID: 2576
      signatures: Program crash

  - C:\Users\Admin\AppData\Local\Temp\avto.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\avto.exe"
    PID: 3136
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 588
      PID: 3380
      signatures: Program crash

  - C:\Users\Admin\AppData\Local\Temp\6_ldry3no.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\6_ldry3no.exe"
    PID: 3280
    signatures: Modifies WinLogon for persistence; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\5_odbnsy.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\5_odbnsy.exe"
    PID: 3488
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery

  - C:\Users\Admin\AppData\Local\Temp\4_pinnew.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\4_pinnew.exe"
    PID: 400
    signatures: Executes dropped EXE; Accesses Microsoft Outlook profiles; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; outlook_win_path

  - C:\Users\Admin\AppData\Local\Temp\2_load.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2_load.exe"
    PID: 1648
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 500
      PID: 4484
      signatures: Program crash

  - C:\Users\Admin\AppData\Local\Temp\1your_exe.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\1your_exe.exe"
    PID: 2400
    signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1YOUR_~1.EXE > nul
      PID: 4436
      signatures: System Location Discovery: System Language Discovery

  - C:\Users\Admin\AppData\Local\Temp\1269190981.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\1269190981.exe"
    PID: 744
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

  - C:\Users\Admin\AppData\Local\Temp\1_barac.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\1_barac.exe"
    PID: 3520
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery

- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3136 -ip 3136
  PID: 2924

- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2344 -ip 2344
  PID: 4576

- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 948 -ip 948
  PID: 2388

- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1648 -ip 1648
  PID: 2896

- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3488 -ip 3488
  PID: 3356
Network
MITRE ATT&CK Enterprise v15
Downloads