Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    03/11/2024, 02:48

General

  • Target

    8945c4b0a22bdc55e7f5d29840908386_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    8945c4b0a22bdc55e7f5d29840908386

  • SHA1

    694f666f0b2a93ebc09bbf6c899a59ad66acc9a5

  • SHA256

    e1e68a721a56667f51ef35fb963d5c6a048655b1df85f2af1b996896bc232fd0

  • SHA512

    9cf9e7cf95a9b6434a793baa2251410ee0603a3b66c1a74d00ec00073bd285051bd235712cafcf1724d1ed65165210d7dcaab17e540576ca76986b8ece13db94

  • SSDEEP

    24576:3aUAGNqxJpv5UfpiQtL+PipOYJGQISUn1uu:3NqDprQtL+PipDJsPou

Malware Config

Signatures

  • Detected Nirsoft tools 11 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 16 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 12 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8945c4b0a22bdc55e7f5d29840908386_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8945c4b0a22bdc55e7f5d29840908386_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Users\Admin\AppData\Local\Temp\TestFile1.exe
      "C:\Users\Admin\AppData\Local\Temp\TestFile1.exe" -s
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Users\Admin\AppData\Local\Temp\TestFile1.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1956
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
            PID:2764
      • C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
        "C:\Users\Admin\AppData\Local\Temp\TestFile2.exe" -s
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2376
        • C:\Windows\SysWOW64\netsh.exe
          C:\Windows\System32\netsh.exe firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\TestFile2.exe" "WinUpdater" ENABLE
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2872
        • C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:2752
          • C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
            C:\Users\Admin\AppData\Local\Temp\TestFile2.exe /scomma C:\Users\Admin\AppData\Local\Temp\msg.txt
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2656
          • C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
            C:\Users\Admin\AppData\Local\Temp\TestFile2.exe /scomma C:\Users\Admin\AppData\Local\Temp\cho.txt
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1400
          • C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
            C:\Users\Admin\AppData\Local\Temp\TestFile2.exe /scomma C:\Users\Admin\AppData\Local\Temp\mail.txt
            4⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook accounts
            • System Location Discovery: System Language Discovery
            PID:1928
          • C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
            C:\Users\Admin\AppData\Local\Temp\TestFile2.exe /scomma C:\Users\Admin\AppData\Local\Temp\ie.txt
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1528
          • C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
            C:\Users\Admin\AppData\Local\Temp\TestFile2.exe /shtml C:\Users\Admin\AppData\Local\Temp\ps.txt
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1952
          • C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
            C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1736
          • C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
            C:\Users\Admin\AppData\Local\Temp\TestFile2.exe /shtml C:\Users\Admin\AppData\Local\Temp\dial.txt
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3004
          • C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
            C:\Users\Admin\AppData\Local\Temp\TestFile2.exe C:\Users\Admin\AppData\Local\Temp\10#dueisnw1.txt
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2964
          • C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
            C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:444
          • C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
            C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:944

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\dial.txt

            Filesize

            460B

            MD5

            8a83f57d4efce4941647c65f50402368

            SHA1

            d5d0e9c550adf30427f13f02a5d71b5e324185db

            SHA256

            58cdc619d8718e92c4ce6f2871bac0908d6e0abde1bdee6f01145605add5868d

            SHA512

            39e0d81d127c9de4e298de7087974c91ae9d959ecfe2cc04c59354986473153ce2416d9436023f7071e3e2cdaefdc81315495b0c7224cc2e7782813d37cd5cf4

          • C:\Users\Admin\AppData\Local\Temp\msg.txt

            Filesize

            2B

            MD5

            81051bcc2cf1bedf378224b0a93e2877

            SHA1

            ba8ab5a0280b953aa97435ff8946cbcbb2755a27

            SHA256

            7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

            SHA512

            1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

          • C:\Users\Admin\AppData\Local\Temp\noip.txt

            Filesize

            5B

            MD5

            877cea35660add216293137fdac9fcc3

            SHA1

            21e965518bb98d4a23743611a4d4b1d1f8f888a6

            SHA256

            9e5c367fa1739722eeb54b6dd4a330eb01149089e2725f3800577b0889f2514d

            SHA512

            955b7de37446df48369232283ecf0407bc6c810034a7811bda17a04316af2d6a494566d572370c2bc38bcc9bc5158ee67259d0bed1847d4bdbe66993581934c5

          • C:\Users\Admin\AppData\Local\Temp\ps.txt

            Filesize

            325B

            MD5

            a58b5941ab25b596b96eac942697eccd

            SHA1

            b1e3a60665e914bcaa746ce1c20fc120845123b3

            SHA256

            905f66cbd81fbac6a9aba22c604d3057a4cc755fbcbe11941baa728dc1a236d2

            SHA512

            67675bce2bf3aabc7dfe8ae0ebe61907930c8da8ec13543a94d0318c0e94edb48363f26964b2937bbf94199270a135555cfd2bf651b61c7a311975a2f6f611ed

          • \Users\Admin\AppData\Local\Temp\TestFile1.exe

            Filesize

            294KB

            MD5

            67f60ac93ff2f08809bf9ea3c9596fc2

            SHA1

            cc4807e4070bf5fbcfa0db89e4fe9aee86b06f22

            SHA256

            a37b026fa4b0399494a2fc95e925cabbee4ce401a14278e56876d15e2fa1d7ad

            SHA512

            dbf727e4d3866813fb7e747d21ef3fb19d8d1d1b929ea07f088e9b49a3ffa44f133a2a04224c8d34085431aa99924d2c270cad62205be340c5c3931acdf172e1

          • \Users\Admin\AppData\Local\Temp\TestFile2.exe

            Filesize

            716KB

            MD5

            e37ffd8b73109c6759098d9e8c2f7654

            SHA1

            dd5f7ee81fd5fdd16aa1a36ea80d34f82c55b069

            SHA256

            a0eaba7f47b5508d2eb6a8e870c966e4a94041d82b594b8841ef3d9ca0efbcca

            SHA512

            ba0c634b561decbe7c2ba0825cefb13d26bfb121c8b0528a4cdc946b9b80b5ccffb7a3a938d691c70c0ea8b040144e7b4ee0d5e733780ea6129c6a1991f3481f

          • memory/1400-111-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/1400-94-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/1400-96-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/1400-98-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/1400-108-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/1400-105-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/1528-137-0x0000000000400000-0x000000000041A000-memory.dmp

            Filesize

            104KB

          • memory/1528-134-0x0000000000400000-0x000000000041A000-memory.dmp

            Filesize

            104KB

          • memory/1928-128-0x0000000000400000-0x000000000041D000-memory.dmp

            Filesize

            116KB

          • memory/1928-106-0x0000000000400000-0x000000000041D000-memory.dmp

            Filesize

            116KB

          • memory/1956-26-0x0000000000400000-0x0000000000438000-memory.dmp

            Filesize

            224KB

          • memory/1956-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

          • memory/1956-64-0x0000000000400000-0x0000000000438000-memory.dmp

            Filesize

            224KB

          • memory/1956-32-0x0000000000400000-0x0000000000438000-memory.dmp

            Filesize

            224KB

          • memory/1956-43-0x0000000000400000-0x0000000000438000-memory.dmp

            Filesize

            224KB

          • memory/1956-44-0x0000000000400000-0x0000000000438000-memory.dmp

            Filesize

            224KB

          • memory/1956-42-0x0000000000400000-0x0000000000438000-memory.dmp

            Filesize

            224KB

          • memory/1956-40-0x0000000000400000-0x0000000000438000-memory.dmp

            Filesize

            224KB

          • memory/1956-56-0x00000000005D0000-0x00000000005FE000-memory.dmp

            Filesize

            184KB

          • memory/1956-49-0x0000000010410000-0x000000001043E000-memory.dmp

            Filesize

            184KB

          • memory/1956-36-0x0000000000400000-0x0000000000438000-memory.dmp

            Filesize

            224KB

          • memory/1956-34-0x0000000000400000-0x0000000000438000-memory.dmp

            Filesize

            224KB

          • memory/1956-30-0x0000000000400000-0x0000000000438000-memory.dmp

            Filesize

            224KB

          • memory/1956-28-0x0000000000400000-0x0000000000438000-memory.dmp

            Filesize

            224KB

          • memory/1956-24-0x0000000000400000-0x0000000000438000-memory.dmp

            Filesize

            224KB

          • memory/1956-48-0x0000000010410000-0x000000001043E000-memory.dmp

            Filesize

            184KB

          • memory/1956-55-0x00000000005D0000-0x00000000005FE000-memory.dmp

            Filesize

            184KB

          • memory/2656-89-0x0000000000400000-0x0000000000425000-memory.dmp

            Filesize

            148KB

          • memory/2656-88-0x0000000000400000-0x0000000000425000-memory.dmp

            Filesize

            148KB

          • memory/2656-79-0x0000000000400000-0x0000000000425000-memory.dmp

            Filesize

            148KB

          • memory/2656-81-0x0000000000400000-0x0000000000425000-memory.dmp

            Filesize

            148KB

          • memory/2656-83-0x0000000000400000-0x0000000000425000-memory.dmp

            Filesize

            148KB

          • memory/2656-86-0x0000000000400000-0x0000000000425000-memory.dmp

            Filesize

            148KB

          • memory/2656-90-0x0000000000400000-0x0000000000425000-memory.dmp

            Filesize

            148KB

          • memory/2656-91-0x0000000000400000-0x0000000000425000-memory.dmp

            Filesize

            148KB

          • memory/2752-68-0x0000000000400000-0x000000000049C000-memory.dmp

            Filesize

            624KB

          • memory/2752-70-0x0000000000400000-0x000000000049C000-memory.dmp

            Filesize

            624KB

          • memory/2752-72-0x0000000000400000-0x000000000049C000-memory.dmp

            Filesize

            624KB

          • memory/2752-75-0x0000000000400000-0x000000000049C000-memory.dmp

            Filesize

            624KB

          • memory/2752-67-0x0000000000400000-0x000000000049C000-memory.dmp

            Filesize

            624KB

          • memory/3004-230-0x0000000000400000-0x000000000041C000-memory.dmp

            Filesize

            112KB

          • memory/3004-190-0x0000000000400000-0x000000000041C000-memory.dmp

            Filesize

            112KB