Analysis
-
max time kernel
133s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03/11/2024, 06:11
Static task
static1
Behavioral task
behavioral1
Sample
8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe
-
Size
728KB
-
MD5
8a01f2487ae7ebb0af91532147cb9147
-
SHA1
b89e0cfb43f176c33d4fab7ec71afde9196cae70
-
SHA256
1ee7f47a10ad62e52bcfffae6243cc6e7430824d969f0d87396573b555dc94a0
-
SHA512
9ec2e834f3fdb43abdafa1837853e0413d8a0ab2af250a5696fd8eb4ad043ce63b691cf8f81aad56b6319c26d55e7c24ef9b027ac530cedea5b9da2919f62eff
-
SSDEEP
12288:Oz9/32XvY6CD6zzXGytE0/OJKG+UlIKfJuUKo1nWjhStiSbUccDJIwsromr:+9vesuzzXGyO0/OJKiICuUKtYcwUccHk
Malware Config
Signatures
-
Detected Nirsoft tools 12 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral2/memory/3764-18-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft behavioral2/memory/3764-20-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft behavioral2/memory/3764-21-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft behavioral2/memory/1596-33-0x0000000000400000-0x0000000000419000-memory.dmp Nirsoft behavioral2/memory/1596-34-0x0000000000400000-0x0000000000419000-memory.dmp Nirsoft behavioral2/memory/1596-35-0x0000000000400000-0x0000000000419000-memory.dmp Nirsoft behavioral2/memory/3276-46-0x0000000000400000-0x0000000000418000-memory.dmp Nirsoft behavioral2/memory/3276-48-0x0000000000400000-0x0000000000418000-memory.dmp Nirsoft behavioral2/memory/3276-49-0x0000000000400000-0x0000000000418000-memory.dmp Nirsoft behavioral2/memory/924-60-0x0000000000400000-0x0000000000412000-memory.dmp Nirsoft behavioral2/memory/924-62-0x0000000000400000-0x0000000000412000-memory.dmp Nirsoft behavioral2/memory/924-63-0x0000000000400000-0x0000000000412000-memory.dmp Nirsoft -
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/1596-33-0x0000000000400000-0x0000000000419000-memory.dmp MailPassView behavioral2/memory/1596-34-0x0000000000400000-0x0000000000419000-memory.dmp MailPassView behavioral2/memory/1596-35-0x0000000000400000-0x0000000000419000-memory.dmp MailPassView -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 4656 set thread context of 3764 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 84 PID 4656 set thread context of 1596 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 88 PID 4656 set thread context of 3276 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 89 PID 4656 set thread context of 924 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 93 -
resource yara_rule behavioral2/memory/4656-67-0x0000000010000000-0x000000001001F000-memory.dmp upx behavioral2/memory/4656-65-0x0000000010000000-0x000000001001F000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 3764 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 3764 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3764 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe Token: SeDebugPrivilege 924 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 4656 wrote to memory of 3764 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 84 PID 4656 wrote to memory of 3764 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 84 PID 4656 wrote to memory of 3764 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 84 PID 4656 wrote to memory of 3764 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 84 PID 4656 wrote to memory of 3764 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 84 PID 4656 wrote to memory of 3764 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 84 PID 4656 wrote to memory of 3764 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 84 PID 4656 wrote to memory of 3764 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 84 PID 4656 wrote to memory of 3764 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 84 PID 4656 wrote to memory of 1596 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 88 PID 4656 wrote to memory of 1596 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 88 PID 4656 wrote to memory of 1596 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 88 PID 4656 wrote to memory of 1596 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 88 PID 4656 wrote to memory of 1596 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 88 PID 4656 wrote to memory of 1596 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 88 PID 4656 wrote to memory of 1596 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 88 PID 4656 wrote to memory of 1596 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 88 PID 4656 wrote to memory of 1596 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 88 PID 4656 wrote to memory of 3276 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 89 PID 4656 wrote to memory of 3276 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 89 PID 4656 wrote to memory of 3276 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 89 PID 4656 wrote to memory of 3276 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 89 PID 4656 wrote to memory of 3276 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 89 PID 4656 wrote to memory of 3276 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 89 PID 4656 wrote to memory of 3276 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 89 PID 4656 wrote to memory of 3276 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 89 PID 4656 wrote to memory of 3276 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 89 PID 4656 wrote to memory of 924 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 93 PID 4656 wrote to memory of 924 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 93 PID 4656 wrote to memory of 924 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 93 PID 4656 wrote to memory of 924 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 93 PID 4656 wrote to memory of 924 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 93 PID 4656 wrote to memory of 924 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 93 PID 4656 wrote to memory of 924 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 93 PID 4656 wrote to memory of 924 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 93 PID 4656 wrote to memory of 924 4656 8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Users\Admin\AppData\Local\Temp\8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe/stext C:\Users\Admin\AppData\Local\Temp\temp.txt2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3764
-
-
C:\Users\Admin\AppData\Local\Temp\8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe/stext C:\Users\Admin\AppData\Local\Temp\temp.txt2⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:1596
-
-
C:\Users\Admin\AppData\Local\Temp\8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe/stext C:\Users\Admin\AppData\Local\Temp\temp.txt2⤵
- System Location Discovery: System Language Discovery
PID:3276
-
-
C:\Users\Admin\AppData\Local\Temp\8a01f2487ae7ebb0af91532147cb9147_JaffaCakes118.exe/stext C:\Users\Admin\AppData\Local\Temp\temp.txt2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:924
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
500B
MD5b503bb3c9caad82963d83ecdf2679155
SHA1729ad0c659457586a61e169308ae0a68dcb4e302
SHA2567524a83e62584f2ac51806b908032c3388d4ed1acf7648c6b1e9891137569341
SHA5127e5d326478c8ee4314aefa3617baf346778e9de867976f72788b11208bf20ee2e361cbda2317b0b115d4741103dd28779c47cf801435db99b286e919b22cd078