Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/11/2024, 23:28

General

  • Target

    8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe

  • Size

    66KB

  • MD5

    8e05cbe103ccdc30592a0f7551c77781

  • SHA1

    c1338bc2b8fe26607b38ee2ced878fad6ef023f2

  • SHA256

    7b00f4851573bb3baf248a20cf5f519d04f9a8bc8bd693406b9075557a580e08

  • SHA512

    de23680b9ca2ef75add1c78ab82297387efd69595eee73c12347b4665afb2957ae332bef4223f7b01cd01b26a9c037bc1931bf0c5bb95db30997c5508d0d570a

  • SSDEEP

    1536:rbuESRmzl+k+LsZ44Ck5pKV4bzfbQGvfTPfrsyUwAvfue8ee:rfl+r4DpKV4GXfue2

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, which infostealers often target.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 43 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4840
    • C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe
      "C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3836
      • C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe
        C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_win_path
        PID:2232
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\542941.gif
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:400
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:400 CREDAT:17410 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1612

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    471B

    MD5

    19d708493ad4a370288ff5a144985118

    SHA1

    88363e78ecaaa248beb6933a5bf9209455ae459a

    SHA256

    6b7564f59f84e38a5fec4d3b7e6fa4fd5c8eb5ebbf77fd536b8ebbd4926fe905

    SHA512

    899bbac7464f4813ac93b566889c25a3f8a5ee372560c43a725d1bbbdc538684c534816aa9c06714c07c0efe48b11d26fea49b3879e88cbb9b377b627fecfaf2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    404B

    MD5

    3bb3bde5ca9684bcfad65c1cc1e82618

    SHA1

    1f0a1ade374d90a3954d66e55a93fc19a2d9c440

    SHA256

    4a6a9a14981b3cbf02d080eef44ef4c357abcb9062dc15b6e9124a03f27a4f8b

    SHA512

    144b3801cbf195006607cd68dfcbd61640e2fee4b29a9417ec96fb15504a70a41ee3b5be86c82a6ecef7f7fa2a8ac37189392844ab24d0768927c75fb358f5da

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver211F.tmp

    Filesize

    15KB

    MD5

    1a545d0052b581fbb2ab4c52133846bc

    SHA1

    62f3266a9b9925cd6d98658b92adec673cbe3dd3

    SHA256

    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

    SHA512

    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M6JHG9EK\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Temp\542941.gif

    Filesize

    2KB

    MD5

    8eb1ef360497967f27dc35bc7f5c0ce2

    SHA1

    271c181ed96278b060b945094708fe72a7b57403

    SHA256

    ea117ee202b51ebe3c07867d21a03da1d34257ce48407f4898d432ab960a8b87

    SHA512

    759273df0dfa6580c2aa56368879472efce01f967a9b0e489c9a5b271e7b392fb5cdb1f576613f75424037a9b7f64e656410fa4239ac06a2b771d03968051634

  • C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe

    Filesize

    62KB

    MD5

    9ec694b94c8a5d6a0fd8f35f7d6df84b

    SHA1

    f43e7a2301c759e72f75f715f27efb7e531f51da

    SHA256

    7d6968458310cb5051f4d706fb4890c200ca637f037fdf370b9125e134dbc458

    SHA512

    efe796c0921008d1465e8e40bb4e519ee8b6a6343b76f8727a04bfccffacf0953faf49facd803c555072d32c0edd74de073bbf66f19c7038a41ec07d81ded313

  • memory/2232-9-0x0000000013140000-0x000000001317A000-memory.dmp

    Filesize

    232KB

  • memory/2232-12-0x0000000013140000-0x000000001317A000-memory.dmp

    Filesize

    232KB

  • memory/2232-17-0x0000000013140000-0x000000001317A000-memory.dmp

    Filesize

    232KB

  • memory/2232-15-0x0000000013140000-0x000000001317A000-memory.dmp

    Filesize

    232KB

  • memory/2232-23-0x0000000013140000-0x000000001317A000-memory.dmp

    Filesize

    232KB

  • memory/3836-13-0x0000000010000000-0x0000000010016000-memory.dmp

    Filesize

    88KB