Analysis
-
max time kernel
51s -
max time network
38s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
03/11/2024, 06:11
Static task
static1
Behavioral task
behavioral1
Sample
8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe
-
Size
728KB
-
MD5
8a01f2487ae7ebb0af91532147cb9147
-
SHA1
b89e0cfb43f176c33d4fab7ec71afde9196cae70
-
SHA256
1ee7f47a10ad62e52bcfffae6243cc6e7430824d969f0d87396573b555dc94a0
-
SHA512
9ec2e834f3fdb43abdafa1837853e0413d8a0ab2af250a5696fd8eb4ad043ce63b691cf8f81aad56b6319c26d55e7c24ef9b027ac530cedea5b9da2919f62eff
-
SSDEEP
12288:Oz9/32XvY6CD6zzXGytE0/OJKG+UlIKfJuUKo1nWjhStiSbUccDJIwsromr:+9vesuzzXGyO0/OJKiICuUKtYcwUccHk
Malware Config
Signatures
-
Detected Nirsoft tools 5 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral1/memory/2204-30-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft behavioral1/memory/2204-26-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft behavioral1/memory/2204-31-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft behavioral1/memory/2896-56-0x0000000000400000-0x0000000000419000-memory.dmp Nirsoft behavioral1/memory/2896-52-0x0000000000400000-0x0000000000419000-memory.dmp Nirsoft -
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/2896-56-0x0000000000400000-0x0000000000419000-memory.dmp MailPassView behavioral1/memory/2896-52-0x0000000000400000-0x0000000000419000-memory.dmp MailPassView -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2268 set thread context of 2204 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 29 PID 2268 set thread context of 2896 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 30 PID 2268 set thread context of 2828 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 31 PID 2268 set thread context of 3060 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 32 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2204 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe Token: SeDebugPrivilege 3060 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 40 IoCs
description pid Process procid_target PID 2268 wrote to memory of 2204 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 29 PID 2268 wrote to memory of 2204 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 29 PID 2268 wrote to memory of 2204 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 29 PID 2268 wrote to memory of 2204 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 29 PID 2268 wrote to memory of 2204 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 29 PID 2268 wrote to memory of 2204 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 29 PID 2268 wrote to memory of 2204 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 29 PID 2268 wrote to memory of 2204 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 29 PID 2268 wrote to memory of 2204 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 29 PID 2268 wrote to memory of 2204 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 29 PID 2268 wrote to memory of 2896 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 30 PID 2268 wrote to memory of 2896 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 30 PID 2268 wrote to memory of 2896 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 30 PID 2268 wrote to memory of 2896 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 30 PID 2268 wrote to memory of 2896 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 30 PID 2268 wrote to memory of 2896 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 30 PID 2268 wrote to memory of 2896 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 30 PID 2268 wrote to memory of 2896 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 30 PID 2268 wrote to memory of 2896 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 30 PID 2268 wrote to memory of 2896 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 30 PID 2268 wrote to memory of 2828 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 31 PID 2268 wrote to memory of 2828 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 31 PID 2268 wrote to memory of 2828 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 31 PID 2268 wrote to memory of 2828 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 31 PID 2268 wrote to memory of 2828 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 31 PID 2268 wrote to memory of 2828 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 31 PID 2268 wrote to memory of 2828 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 31 PID 2268 wrote to memory of 2828 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 31 PID 2268 wrote to memory of 2828 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 31 PID 2268 wrote to memory of 2828 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 31 PID 2268 wrote to memory of 3060 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 32 PID 2268 wrote to memory of 3060 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 32 PID 2268 wrote to memory of 3060 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 32 PID 2268 wrote to memory of 3060 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 32 PID 2268 wrote to memory of 3060 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 32 PID 2268 wrote to memory of 3060 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 32 PID 2268 wrote to memory of 3060 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 32 PID 2268 wrote to memory of 3060 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 32 PID 2268 wrote to memory of 3060 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 32 PID 2268 wrote to memory of 3060 2268 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Users\Admin\AppData\Local\Temp\8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe/stext C:\Users\Admin\AppData\Local\Temp\temp.txt2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2204
-
-
C:\Users\Admin\AppData\Local\Temp\8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe/stext C:\Users\Admin\AppData\Local\Temp\temp.txt2⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:2896
-
-
C:\Users\Admin\AppData\Local\Temp\8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe/stext C:\Users\Admin\AppData\Local\Temp\temp.txt2⤵
- System Location Discovery: System Language Discovery
PID:2828
-
-
C:\Users\Admin\AppData\Local\Temp\8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe/stext C:\Users\Admin\AppData\Local\Temp\temp.txt2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3060
-