Analysis

  • max time kernel: 150s
  • max time network: 148s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 02/11/2024, 06:36

General

  • Target: 84e02b7e01c3cf953b300905a9865d81_JaffaCakes118.exe
  • Size: 1.9MB
  • MD5: 84e02b7e01c3cf953b300905a9865d81
  • SHA1: 745c8957ada912a0272bbc3985ffa4b0eac3dc16
  • SHA256: 156ea726a0ad6c8d77a5bdd4c7ed8581ea72bc77e3b3e011307e7fb706237c51
  • SHA512: 4d2981693e05cfd559d53c2a97f7a68f8b03149cf9473c087f810ba8e73dffed5600f2b85964891f4ac303a0bbb986056900caf75de0ffa2f82c3a21fa2c1ad2
  • SSDEEP: 49152:hOBcPtDsZ5CqzSD8ybRS3sYDoijJJADMnfknANKkgX25zPf2C397zS:hONZ5F

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up the country code configured in the registry, likely a geofence.
  • Executes dropped EXE (10 IoCs)
  • Reads user/profile data of local email clients (2 TTPs)
    Email clients store some user data on disk, where infostealers will often target it.
  • Reads user/profile data of web browsers (3 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Unsecured Credentials: Credentials In Files (1 TTPs)
    Steals credentials from unsecured files.
  • Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
  • Checks installed software on the system (1 TTPs)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  • Indicator Removal: File Deletion (1 TTPs)
    Adversaries may delete files left behind by the actions of their intrusion activity.
  • Drops file in System32 directory (2 IoCs)
  • Suspicious use of SetThreadContext (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Program crash (4 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • outlook_win_path (1 IoCs)

Processes

    • C:\Windows\system32\winlogon.exe
      winlogon.exe
      1⤵
      PID:612
    • C:\Users\Admin\AppData\Local\Temp\84e02b7e01c3cf953b300905a9865d81_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\84e02b7e01c3cf953b300905a9865d81_JaffaCakes118.exe"
      1⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3652
      • C:\Users\Admin\AppData\Local\Temp\teste1_p.exe
        "C:\Users\Admin\AppData\Local\Temp\teste1_p.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2344
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 576
          3⤵
          • Program crash
          PID:1936
      • C:\Users\Admin\AppData\Local\Temp\q1.exe
        "C:\Users\Admin\AppData\Local\Temp\q1.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:948
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 588
          3⤵
          • Program crash
          PID:2576
      • C:\Users\Admin\AppData\Local\Temp\avto.exe
        "C:\Users\Admin\AppData\Local\Temp\avto.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3136
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 588
          3⤵
          • Program crash
          PID:3380
      • C:\Users\Admin\AppData\Local\Temp\6_ldry3no.exe
        "C:\Users\Admin\AppData\Local\Temp\6_ldry3no.exe"
        2⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3280
      • C:\Users\Admin\AppData\Local\Temp\5_odbnsy.exe
        "C:\Users\Admin\AppData\Local\Temp\5_odbnsy.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3488
      • C:\Users\Admin\AppData\Local\Temp\4_pinnew.exe
        "C:\Users\Admin\AppData\Local\Temp\4_pinnew.exe"
        2⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_win_path
        PID:400
      • C:\Users\Admin\AppData\Local\Temp\2_load.exe
        "C:\Users\Admin\AppData\Local\Temp\2_load.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1648
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 500
          3⤵
          • Program crash
          PID:4484
      • C:\Users\Admin\AppData\Local\Temp\1your_exe.exe
        "C:\Users\Admin\AppData\Local\Temp\1your_exe.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2400
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1YOUR_~1.EXE > nul
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4436
      • C:\Users\Admin\AppData\Local\Temp\1269190981.exe
        "C:\Users\Admin\AppData\Local\Temp\1269190981.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:744
      • C:\Users\Admin\AppData\Local\Temp\1_barac.exe
        "C:\Users\Admin\AppData\Local\Temp\1_barac.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3520
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3136 -ip 3136
      1⤵
      PID:2924
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2344 -ip 2344
      1⤵
      PID:4576
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 948 -ip 948
      1⤵
      PID:2388
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1648 -ip 1648
      1⤵
      PID:2896
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3488 -ip 3488
      1⤵
      PID:3356

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HA5FC889\iolylzjjg[1].htm
    Filesize: 125B
    MD5: 45a9a2084a44d18bd0f446d6855908e4
    SHA1: 2b00aab2d6fd2e8fe429facce198d7093559adf1
    SHA256: 2ef87fbd5f3ec904bc116f3654421f4c53dc5438bbf36fa029dc8af8813f9646
    SHA512: 5e5d0c962cfa6faffafd32e10d1e38d90e12c184ab77d72907108b98bf73bdee685300c44ffae937203c7f74ecb8110794b542a4c3ba4831c9b3bafc77dc4d84
  • C:\Users\Admin\AppData\Local\Temp\1269190981.exe
    Filesize: 81KB
    MD5: a81cba51a8e0a4a46d2da44caeff63cd
    SHA1: fbcc341075298d95e9f4685556686380b621989c
    SHA256: 3b671780d55eb7a8f7c3e57be194d23bc2946e39c4884296e14c5b6c81ac3ed3
    SHA512: eac61ab0d9d7a6b090e03b836c3ff4dc3e11578e08791ff41c1896345b156355c8cd59ee02af63c173eaf3473f6f735f3347da209bfd50fb790e381c689d8776
  • C:\Users\Admin\AppData\Local\Temp\1_barac.exe
    Filesize: 42KB
    MD5: 69b74e9361667f788cf0f1af62e0ea75
    SHA1: 313c0f205615de074111851c2cb1ea5bc38a2be8
    SHA256: 5d6446096db3fe70e9e7f098b6bbf5bd0d1cdffbb8e487a91228ea0d9ced1c1a
    SHA512: a05bff03eea90379d02a07bd3dc77a7482ce5dc1cd609744c3559c4a75d361d87ad4a979f302d27c8ca94b47bf50ea72098115c1ac3860511219e3df1369b78a
  • C:\Users\Admin\AppData\Local\Temp\1your_exe.exe
    Filesize: 20KB
    MD5: f11699c753aa3b403ee810d14aaa8907
    SHA1: 4d7c6f7564b4aa20310499c8a9cf46aa3c65560c
    SHA256: 7a2633419743680bc2f30216580effd93583b4f180538411aa8103e37c5dd533
    SHA512: 1c97cf9f98bf1e8c0cfdc62a4f140e854dfccb8655a8a8ea6592ae42141f9b70da79ae27028eb05fc41617b10fac56ef4cc3bde0574de8dbb4cd6f4be784639e
  • C:\Users\Admin\AppData\Local\Temp\2_load.exe
    Filesize: 16KB
    MD5: eab0da403a9f596485b4c231f24e41ab
    SHA1: 384c06c067e7b66935c2dba44d77ab5b2ce4b2e5
    SHA256: 00fdc28881dae4748fbc7f0daecf8907128deb351d1d28950b66f7ad4fa83837
    SHA512: 6fae3390e77303f4318778d95105e06b98b5a910a38fb85db937129947f1b98f01ed9d9156b88a18e01ca1eec0a7ac6232aadfeb8f7ff4044bac55d64f588884
  • C:\Users\Admin\AppData\Local\Temp\4_pinnew.exe
    Filesize: 39KB
    MD5: 254363c5bc75c63a6f9fdae5aec17aa1
    SHA1: 2e3e3d74212fe3c91407bf059794a65417018a8c
    SHA256: 061908d8a76056698270a0f47089cfd5a246bec8494ebd2ca0a2d278fd790a20
    SHA512: 0f2b5d5ca694c2d768f43ae68adb515cdb06382282c2bea08fd2bd1cafe924f0ef4e4f20800ef5e413292b1bc29a3e5c1316c64503ee23beb2e54ded4e4b8d5e
  • C:\Users\Admin\AppData\Local\Temp\5_odbnsy.exe
    Filesize: 279KB
    MD5: 46399ada349010e0945d6a8ba69137d3
    SHA1: 468efa26f445d54ba703501109159f7d85a2df51
    SHA256: 4b1f59a3c47e015ef50f5092539e40ffa92b5ccae88dbfec828d0d9414c33af0
    SHA512: ecc847376426d21b6f610e2427578edc9e5a8e0082579a6e7b8b2b493b6904661236b47533533064020e2aca63ecc2d1e35539a5b252f7e3cfce19c2ff3a2383
  • C:\Users\Admin\AppData\Local\Temp\6_ldry3no.exe
    Filesize: 82KB
    MD5: bfc08d0dcdf0b6af01079c736be73b5e
    SHA1: 967c84e54168256e2ad7bb78cc35c8e7e9d5767b
    SHA256: d57cff8fd945721b53c59cee9f97a69d5f6d3fb346ca0fb7066e5a740b252a3a
    SHA512: cb46c1e52f8b13c416c52e41b1f26a29cb48bce461675916c109d1f43043c9dc082431644bab94b4d0f0203b88062d06baaa7c016785a5586132bc4264f9b0ee
  • C:\Users\Admin\AppData\Local\Temp\avto.exe
    Filesize: 274KB
    MD5: 99dae998144126e8774b6e57497e1930
    SHA1: 34aed0238c911e5e9475822aec31d545ae1961e1
    SHA256: 81bff218030142ace3a8f4dcf9ff14f96fddccd6c821aff45798e1701b69e991
    SHA512: 33f3cd28ca48a0466093ce44b137097a86fe5eb499424a244db0504cad1ee95196a56c40281d2c960fa6cd4f2d65cbd4f92411ef0c582ed8d1c210726b213a56
  • C:\Users\Admin\AppData\Local\Temp\q1.exe
    Filesize: 278KB
    MD5: 406b63d114199ce9930bfc4a1a6b60dc
    SHA1: babf4ee8226b7625cdf19a04c05ad4460bc3bd14
    SHA256: a00aea2e9ada85124b140d294d87c1ae326eec4527f7fa65861d1b468a5c02da
    SHA512: c1297a85b9b8afd2058486a7df0683a104f1087bedb6c3b67f1f33a7c2395dbe9f35b01a1a6684f50db675f6555fd391b172cfbc641373e563d2ca04a0ee50b4
  • C:\Users\Admin\AppData\Local\Temp\teste1_p.exe
    Filesize: 334KB
    MD5: 8d9e5086a4aace8642feecff39a5eeb0
    SHA1: 7ab655ded632b658847666666464fc337ff5deb2
    SHA256: 7eb7190ff9c33ce5db5b7df8dba33571c1347e865e66c7212c661c4b3e4af3f3
    SHA512: ec60672593e7e05c51cc4fca258250eeaaba789c42fdbc5a948642e1776434f18badc0cc650fc7e62f60cf89e00d3134c302316425e20e41b3252352b43ff9fd

  • memory/612-149-0x0000000016470000-0x0000000016487000-memory.dmp
    Filesize: 92KB
  • memory/612-154-0x0000000016490000-0x00000000164A7000-memory.dmp
    Filesize: 92KB
  • memory/612-164-0x00000000164D0000-0x00000000164E7000-memory.dmp
    Filesize: 92KB
  • memory/612-76-0x0000000016390000-0x00000000163A7000-memory.dmp
    Filesize: 92KB
  • memory/612-170-0x00000000164F0000-0x0000000016507000-memory.dmp
    Filesize: 92KB
  • memory/612-113-0x00000000163F0000-0x0000000016407000-memory.dmp
    Filesize: 92KB
  • memory/612-121-0x0000000016410000-0x0000000016427000-memory.dmp
    Filesize: 92KB
  • memory/612-107-0x00000000163D0000-0x00000000163E7000-memory.dmp
    Filesize: 92KB
  • memory/612-63-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize: 92KB
  • memory/612-133-0x0000000016430000-0x0000000016447000-memory.dmp
    Filesize: 92KB
  • memory/612-159-0x00000000164B0000-0x00000000164C7000-memory.dmp
    Filesize: 92KB
  • memory/612-92-0x00000000163B0000-0x00000000163C7000-memory.dmp
    Filesize: 92KB
  • memory/612-141-0x0000000016450000-0x0000000016467000-memory.dmp
    Filesize: 92KB
  • memory/744-169-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize: 180KB
  • memory/948-47-0x0000000000400000-0x0000000000479000-memory.dmp
    Filesize: 484KB
  • memory/948-1079-0x0000000000400000-0x0000000000479000-memory.dmp
    Filesize: 484KB
  • memory/948-27-0x0000000000400000-0x0000000000479000-memory.dmp
    Filesize: 484KB
  • memory/948-337-0x0000000000400000-0x0000000000479000-memory.dmp
    Filesize: 484KB
  • memory/2344-38-0x0000000000400000-0x00000000004D0000-memory.dmp
    Filesize: 832KB
  • memory/2344-48-0x0000000000400000-0x00000000004D0000-memory.dmp
    Filesize: 832KB
  • memory/2344-922-0x0000000000400000-0x00000000004D0000-memory.dmp
    Filesize: 832KB
  • memory/2344-18-0x0000000000400000-0x00000000004D0000-memory.dmp
    Filesize: 832KB
  • memory/2344-105-0x0000000000400000-0x00000000004D0000-memory.dmp
    Filesize: 832KB
  • memory/2400-112-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize: 44KB
  • memory/3136-58-0x0000000000400000-0x000000000047B000-memory.dmp
    Filesize: 492KB
  • memory/3136-615-0x0000000000400000-0x000000000047B000-memory.dmp
    Filesize: 492KB
  • memory/3136-31-0x0000000000400000-0x000000000047B000-memory.dmp
    Filesize: 492KB
  • memory/3280-46-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize: 108KB
  • memory/3280-1078-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize: 108KB
  • memory/3652-37-0x0000000000401000-0x000000000048E000-memory.dmp
    Filesize: 564KB
  • memory/3652-1-0x0000000000400000-0x00000000005E0000-memory.dmp
    Filesize: 1.9MB
  • memory/3652-148-0x0000000000401000-0x000000000048E000-memory.dmp
    Filesize: 564KB
  • memory/3652-147-0x0000000000400000-0x00000000005E0000-memory.dmp
    Filesize: 1.9MB
  • memory/3652-45-0x0000000000400000-0x00000000005E0000-memory.dmp
    Filesize: 1.9MB
  • memory/3652-0-0x0000000000401000-0x000000000048E000-memory.dmp
    Filesize: 564KB
  • memory/3652-3-0x0000000000400000-0x00000000005E0000-memory.dmp
    Filesize: 1.9MB