Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/11/2024, 23:28

General

  • Target

    8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe

  • Size

    66KB

  • MD5

    8e05cbe103ccdc30592a0f7551c77781

  • SHA1

    c1338bc2b8fe26607b38ee2ced878fad6ef023f2

  • SHA256

    7b00f4851573bb3baf248a20cf5f519d04f9a8bc8bd693406b9075557a580e08

  • SHA512

    de23680b9ca2ef75add1c78ab82297387efd69595eee73c12347b4665afb2957ae332bef4223f7b01cd01b26a9c037bc1931bf0c5bb95db30997c5508d0d570a

  • SSDEEP

    1536:rbuESRmzl+k+LsZ44Ck5pKV4bzfbQGvfTPfrsyUwAvfue8ee:rfl+r4DpKV4GXfue2

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe
      "C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:652
      • C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe
        C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_win_path
        PID:2868
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\542941.gif
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2884 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2752

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\542941.gif

    Filesize

    2KB

    MD5

    8eb1ef360497967f27dc35bc7f5c0ce2

    SHA1

    271c181ed96278b060b945094708fe72a7b57403

    SHA256

    ea117ee202b51ebe3c07867d21a03da1d34257ce48407f4898d432ab960a8b87

    SHA512

    759273df0dfa6580c2aa56368879472efce01f967a9b0e489c9a5b271e7b392fb5cdb1f576613f75424037a9b7f64e656410fa4239ac06a2b771d03968051634

  • C:\Users\Admin\AppData\Local\Temp\Cab12B8.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar1387.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe

    Filesize

    62KB

    MD5

    9ec694b94c8a5d6a0fd8f35f7d6df84b

    SHA1

    f43e7a2301c759e72f75f715f27efb7e531f51da

    SHA256

    7d6968458310cb5051f4d706fb4890c200ca637f037fdf370b9125e134dbc458

    SHA512

    efe796c0921008d1465e8e40bb4e519ee8b6a6343b76f8727a04bfccffacf0953faf49facd803c555072d32c0edd74de073bbf66f19c7038a41ec07d81ded313

  • memory/652-16-0x0000000010000000-0x0000000010016000-memory.dmp

    Filesize

    88KB

  • memory/2868-19-0x0000000013140000-0x000000001317A000-memory.dmp

    Filesize

    232KB

  • memory/2868-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2868-12-0x0000000013140000-0x000000001317A000-memory.dmp

    Filesize

    232KB

  • memory/2868-23-0x0000000013140000-0x000000001317A000-memory.dmp

    Filesize

    232KB

  • memory/2868-21-0x0000000013140000-0x000000001317A000-memory.dmp

    Filesize

    232KB

  • memory/2868-426-0x0000000013140000-0x000000001317A000-memory.dmp

    Filesize

    232KB

  • memory/2868-15-0x0000000013140000-0x000000001317A000-memory.dmp

    Filesize

    232KB

  • memory/2868-20-0x0000000013140000-0x000000001317A000-memory.dmp

    Filesize

    232KB