Analysis

  • max time kernel
    51s
  • max time network
    38s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/11/2024, 06:11

General

  • Target

    8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe

  • Size

    728KB

  • MD5

    8a01f2487ae7ebb0af91532147cb9147

  • SHA1

    b89e0cfb43f176c33d4fab7ec71afde9196cae70

  • SHA256

    1ee7f47a10ad62e52bcfffae6243cc6e7430824d969f0d87396573b555dc94a0

  • SHA512

    9ec2e834f3fdb43abdafa1837853e0413d8a0ab2af250a5696fd8eb4ad043ce63b691cf8f81aad56b6319c26d55e7c24ef9b027ac530cedea5b9da2919f62eff

  • SSDEEP

    12288:Oz9/32XvY6CD6zzXGytE0/OJKG+UlIKfJuUKo1nWjhStiSbUccDJIwsromr:+9vesuzzXGyO0/OJKiICuUKtYcwUccHk

Malware Config

Signatures

  • Detected Nirsoft tools 5 IoCs

    Free utilities, often abused by attackers, that can recover stored passwords, product keys, etc.

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Users\Admin\AppData\Local\Temp\8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe
      /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2204
    • C:\Users\Admin\AppData\Local\Temp\8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe
      /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
      2⤵
      • Accesses Microsoft Outlook accounts
      • System Location Discovery: System Language Discovery
      PID:2896
    • C:\Users\Admin\AppData\Local\Temp\8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe
      /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2828
    • C:\Users\Admin\AppData\Local\Temp\8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe
      /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3060
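The tree above shows the sample (PID 2268) spawning four copies of its own image, each with `/stext <path>`, the "save report as text" switch shared by NirSoft's command-line tools, while the parent triggers SetThreadContext and WriteProcessMemory. That combination is the process-hollowing pattern commonly used to run embedded NirSoft recovery tools inside a suspended copy of the parent. The detection below is an added example and not part of the sandbox report: it runs a rule over constructed process-creation records shaped like Sysmon Event ID 1 (the parent of PID 2268 and the benign control record at the end are assumptions), and rates a NirSoft export switch higher when the child re-executes its parent's image and that parent has spawned several such copies.

```python
"""Rule for the self-spawning NirSoft pattern seen in the process tree.

Added example, not code from the sandbox vendor. Records are constructed to
mirror the report's Processes section; field names follow Sysmon Event ID 1.
"""
import re
from collections import defaultdict

# Report-export switches shared by NirSoft's command-line password tools.
NIRSOFT_EXPORT_SWITCH = re.compile(
    r"(?:^|\s)/(stext|shtml|sverhtml|sxml|scomma|stab|stabular)\b",
    re.IGNORECASE,
)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe"

# Constructed events. The parent of PID 2268 is not in the report, so its
# PID (1) and image (explorer.exe) are assumed placeholders.
EVENTS = [
    {"ProcessId": 2268, "ParentProcessId": 1, "Image": SAMPLE,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f'"{SAMPLE}"'},
] + [
    {"ProcessId": pid, "ParentProcessId": 2268, "Image": SAMPLE,
     "ParentImage": SAMPLE,
     "CommandLine": f"{SAMPLE} /stext C:\\Users\\Admin\\AppData\\Local\\Temp\\temp.txt"}
    for pid in (2204, 2896, 2828, 3060)
] + [
    # Constructed benign control: an admin runs a NirSoft tool from cmd.exe.
    {"ProcessId": 4100, "ParentProcessId": 4000, "Image": r"C:\Tools\mailpv.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"mailpv.exe /stext C:\Tools\out.txt"},
]


def has_nirsoft_export_switch(cmdline: str) -> bool:
    return NIRSOFT_EXPORT_SWITCH.search(cmdline) is not None


def self_spawn_children(events):
    """Map parent PID -> child PIDs whose Image equals the parent's Image."""
    out = defaultdict(list)
    for ev in events:
        if ev["Image"].lower() == ev["ParentImage"].lower():
            out[ev["ParentProcessId"]].append(ev["ProcessId"])
    return dict(out)


def detect(events, min_children=2):
    """One alert per process creation carrying a NirSoft export switch.

    Severity rises when the child re-executes its parent's image, and again
    when the parent has spawned at least `min_children` such copies.
    """
    chains = self_spawn_children(events)
    alerts = []
    for ev in events:
        if not has_nirsoft_export_switch(ev["CommandLine"]):
            continue
        siblings = chains.get(ev["ParentProcessId"], [])
        self_spawned = ev["ProcessId"] in siblings
        if self_spawned and len(siblings) >= min_children:
            sev = "high"
            why = (f"parent {ev['ParentProcessId']} spawned {len(siblings)} copies "
                   f"of its own image; this one carries a NirSoft export switch")
        elif self_spawned:
            sev = "medium"
            why = "child re-executes parent image with a NirSoft export switch"
        else:
            sev = "low"
            why = "NirSoft export switch on the command line"
        alerts.append({"pid": ev["ProcessId"], "severity": sev, "reason": why})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"PID {a['pid']:>5}  {a['severity']:<6}  {a['reason']}")
```

The image comparison is the part that separates this sample from legitimate administrative use of the same tools: the control record still fires, but only at low severity, because mailpv.exe was launched from cmd.exe rather than from a copy of itself.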

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2204-31-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize 124KB)
  • memory/2204-17-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize 124KB)
  • memory/2204-30-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize 124KB)
  • memory/2204-26-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize 124KB)
  • memory/2204-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize 4KB)
  • memory/2204-23-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize 124KB)
  • memory/2204-20-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize 124KB)
  • memory/2204-13-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize 124KB)
  • memory/2204-15-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize 124KB)
  • memory/2268-2-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/2268-117-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/2268-7-0x0000000000230000-0x000000000023A000-memory.dmp (Filesize 40KB)
  • memory/2828-63-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize 96KB)
  • memory/2828-65-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize 96KB)
  • memory/2896-39-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize 100KB)
  • memory/2896-52-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize 100KB)
  • memory/2896-49-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize 100KB)
  • memory/2896-46-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize 100KB)
  • memory/2896-56-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize 100KB)
  • memory/2896-41-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize 100KB)
  • memory/2896-43-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize 100KB)
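Each dump in the list above is named memory/&lt;pid&gt;-&lt;index&gt;-&lt;start&gt;-&lt;end&gt;-memory.dmp, so the address range of every dumped region can be recovered from the name alone. The script below is an added example, not part of the sandbox report: it parses those names, checks that each listed Filesize agrees with end minus start, groups regions per PID and picks out the region each process has at 0x400000. Run on the report's own entries it shows that the three children dumped at that base (PIDs 2204, 2896 and 2828) hold regions of three different sizes (124KB, 100KB, 96KB) at the same address, which fits the SetThreadContext and WriteProcessMemory signatures on the parent: each hollowed copy of the sample appears to have received a different payload, consistent with the MailPassView and browser-credential signatures. The dump-name format and the reading of 0x400000 as the default image base of a 32-bit executable are assumptions of the example.

```python
"""Triage of the sandbox's memory-dump names.

Added example, not the sandbox vendor's code. Assumes dump names have the
form memory/<pid>-<index>-<start>-<end>-memory.dmp with hex addresses.
"""
import re
from collections import defaultdict

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# The report's own Downloads entries: (dump name, Filesize as listed).
DUMPS = [
    ("memory/2204-31-0x0000000000400000-0x000000000041F000-memory.dmp", "124KB"),
    ("memory/2204-17-0x0000000000400000-0x000000000041F000-memory.dmp", "124KB"),
    ("memory/2204-30-0x0000000000400000-0x000000000041F000-memory.dmp", "124KB"),
    ("memory/2204-26-0x0000000000400000-0x000000000041F000-memory.dmp", "124KB"),
    ("memory/2204-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp", "4KB"),
    ("memory/2204-23-0x0000000000400000-0x000000000041F000-memory.dmp", "124KB"),
    ("memory/2204-20-0x0000000000400000-0x000000000041F000-memory.dmp", "124KB"),
    ("memory/2204-13-0x0000000000400000-0x000000000041F000-memory.dmp", "124KB"),
    ("memory/2204-15-0x0000000000400000-0x000000000041F000-memory.dmp", "124KB"),
    ("memory/2268-2-0x0000000010000000-0x000000001003E000-memory.dmp", "248KB"),
    ("memory/2268-117-0x0000000010000000-0x000000001003E000-memory.dmp", "248KB"),
    ("memory/2268-7-0x0000000000230000-0x000000000023A000-memory.dmp", "40KB"),
    ("memory/2828-63-0x0000000000400000-0x0000000000418000-memory.dmp", "96KB"),
    ("memory/2828-65-0x0000000000400000-0x0000000000418000-memory.dmp", "96KB"),
    ("memory/2896-39-0x0000000000400000-0x0000000000419000-memory.dmp", "100KB"),
    ("memory/2896-52-0x0000000000400000-0x0000000000419000-memory.dmp", "100KB"),
    ("memory/2896-49-0x0000000000400000-0x0000000000419000-memory.dmp", "100KB"),
    ("memory/2896-46-0x0000000000400000-0x0000000000419000-memory.dmp", "100KB"),
    ("memory/2896-56-0x0000000000400000-0x0000000000419000-memory.dmp", "100KB"),
    ("memory/2896-41-0x0000000000400000-0x0000000000419000-memory.dmp", "100KB"),
    ("memory/2896-43-0x0000000000400000-0x0000000000419000-memory.dmp", "100KB"),
]


def parse_dump(name):
    """Split a dump name into pid, index, start, end and region size in bytes."""
    m = DUMP_NAME.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"inverted address range in {name}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def kb_label(nbytes):
    return f"{nbytes // 1024}KB"


def check_sizes(dumps):
    """Names whose listed Filesize disagrees with end - start (expect none)."""
    return [name for name, listed in dumps
            if kb_label(parse_dump(name)["size"]) != listed]


def regions_by_pid(dumps):
    """pid -> {start address: set of region sizes dumped at that address}."""
    out = defaultdict(lambda: defaultdict(set))
    for name, _ in dumps:
        d = parse_dump(name)
        out[d["pid"]][d["start"]].add(d["size"])
    return {pid: dict(v) for pid, v in out.items()}


def image_base_sizes(dumps, base=0x400000):
    """pid -> size of the region dumped at `base` (assumed 32-bit default
    image base), for PIDs with exactly one size there."""
    result = {}
    for pid, regions in regions_by_pid(dumps).items():
        sizes = regions.get(base, set())
        if len(sizes) == 1:
            result[pid] = next(iter(sizes))
    return result


if __name__ == "__main__":
    print("size mismatches:", check_sizes(DUMPS) or "none")
    for pid, size in sorted(image_base_sizes(DUMPS).items()):
        print(f"PID {pid}: {kb_label(size)} at 0x400000")
```

Repeated dumps of the same range with different indexes are expected: the sandbox re-dumps a region each time it is written, and the regions at 0x400000 in the children are the ones to carve PE headers out of when identifying which NirSoft tool each child ran.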