Analysis

max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-12-2024 06:42

Static task: static1
Behavioral task: behavioral1
Sample: f2c470abfb19b04ecc25c1f24c59f308_JaffaCakes118.exe
Resource: win7-20240903-en
General

Target: f2c470abfb19b04ecc25c1f24c59f308_JaffaCakes118.exe
Size: 262KB
MD5: f2c470abfb19b04ecc25c1f24c59f308
SHA1: e61c04b6f0da12b992719084bf805b0b5787c8e1
SHA256: de0286940aadec8d0160f1723aa2c30efde507a570259c852a89d90544eda936
SHA512: e93b2421bc082c4e6b2c1287f17a4864365c7fa34628ad31b8d3cd0ff55a890ff520f1e22bfacff7427f97eeafefefb228d24110c4179f7058d55f257542c941
SSDEEP: 6144:FLx+/UFHhgFGApq6ED2KUs2WwcEOWI/WCI3JRPgtUxJOI:Fd+LFrPK4Br4g3zP7xx
Malware Config
Signatures
- Kronos family

- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)

  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\073f6c79 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{26D3F949-366F-4E6C-876E-72E7CCC9830E}\\073f6c79.exe" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\073f6c79 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{26D3F949-366F-4E6C-876E-72E7CCC9830E}\\073f6c79.exe" | svchost.exe
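The two Run-key IoCs above have the shape of a Sysmon RegistryEvent (Event ID 13, value set) record: a writing process, a target value under Run, and the string it was set to. The script below is an added example, not code from the sandbox report or from the Kronos sample. It scores Run/RunOnce value-set events on the traits visible in these IoCs: the target executable sits in a user-writable directory, inside a GUID-named folder, the value name is eight hex digits, and the process doing the writing is svchost.exe, a Windows host binary that never sets Run keys on its own (the sample injected into it, as the process tree further down shows). The three event records it runs on are constructed by hand: two mirror the report's IoCs, the third is an invented benign OneDrive entry used to exercise the allow-list; the allow-list and the host-process list are assumptions.

```python
"""Score Sysmon-style RegistryEvent (Event ID 13, value set) records for Run-key persistence.

Added example, not code from the sandbox report or the Kronos sample. Field names follow
Sysmon's RegistryEvent schema (Image = writing process, TargetObject, Details). The three
records at the bottom are constructed: two mirror the report's IoCs, the third is an
invented benign OneDrive entry; the allow-list and the host-process list are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

RUN_KEY_RE = re.compile(
    r"\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$",
    re.IGNORECASE,
)
GUID_DIR_RE = re.compile(r"\\\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}\\", re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)
# Roots an unprivileged user can write to; autostart entries pointing here deserve a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Signed Windows binaries that never set Run keys on their own; when one does it is
# usually hosting injected code, as svchost.exe does in the report (assumed list).
SYSTEM_HOSTS = {"svchost.exe", "rundll32.exe", "regsvr32.exe", "dllhost.exe"}
# Launchers that legitimately live under AppData (assumed; a real deployment would
# also verify the Authenticode signature instead of trusting the file name).
ALLOWED_IMAGES = {"onedrive.exe"}


@dataclass
class RunKeyHit:
    key: str
    value_name: str
    image: str
    writer: str
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def image_from_details(details: str) -> str:
    """Executable path from a Run value such as '"C:\\x.exe" /arg' or 'C:\\x.exe /arg'.
    The sandbox renders backslashes doubled, so collapse those first."""
    d = details.replace("\\\\", "\\").strip()
    if d.startswith('"'):
        return d[1:d.index('"', 1)]
    return d.split(" ", 1)[0]


def triage(event: dict) -> Optional[RunKeyHit]:
    """Return a scored hit for a Run/RunOnce value-set event, or None if it is not one."""
    m = RUN_KEY_RE.search(event["TargetObject"])
    if event.get("EventType") != "SetValue" or not m:
        return None
    image = image_from_details(event["Details"])
    if image.rsplit("\\", 1)[-1].lower() in ALLOWED_IMAGES:
        return None
    writer = event["Image"].rsplit("\\", 1)[-1].lower()
    hit = RunKeyHit(event["TargetObject"], m.group(2), image, event["Image"])
    if any(root in image.lower() for root in USER_WRITABLE):
        hit.reasons.append("target lives in a user-writable directory")
    if GUID_DIR_RE.search(image):
        hit.reasons.append("target sits in a GUID-named directory")
    if HEX_NAME_RE.match(hit.value_name):
        hit.reasons.append("value name is 8 hex digits (random-looking)")
    if writer in SYSTEM_HOSTS:
        hit.reasons.append(f"written by {writer}, a system host that does not set Run keys itself")
    return hit


def hunt(events: List[dict], min_score: int = 2) -> List[RunKeyHit]:
    """Hits at or above min_score, strongest first (stable sort, so input order breaks ties)."""
    hits = [h for h in map(triage, events) if h is not None and h.score >= min_score]
    return sorted(hits, key=lambda h: h.score, reverse=True)


# Constructed records: the first two mirror the report (PID 4624 svchost.exe set both values).
_HKU = r"\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
_KRONOS = r'"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{26D3F949-366F-4E6C-876E-72E7CCC9830E}\\073f6c79.exe"'
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "TargetObject": _HKU + r"\073f6c79", "Details": _KRONOS},
    {"EventType": "SetValue", "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\073f6c79",
     "Details": _KRONOS},
    # invented benign entry: OneDrive registering itself from AppData\Local
    {"EventType": "SetValue", "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": _HKU + r"\OneDrive",
     "Details": r'"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"[score {h.score}] {h.key}\n  -> {h.image}\n  written by {h.writer}")
        for r in h.reasons:
            print("     -", r)
```

Both of the report's entries score on all four traits; the OneDrive record is dropped by the allow-list before scoring. When hunting across a fleet, the two registry paths above (the per-user SID key and the HKLM WOW6432Node key) are the ones to query, and the writer-process check is what separates this from an ordinary 32-bit installer registering itself.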
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f2c470abfb19b04ecc25c1f24c59f308_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)

  pid | Process
  4624 | svchost.exe (64 identical events, all from PID 4624)
- Suspicious behavior: MapViewOfSection (2 IoCs)

  pid | Process
  1360 | f2c470abfb19b04ecc25c1f24c59f308_JaffaCakes118.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)

  description | pid | Process
  Token: SeDebugPrivilege | 4624 | svchost.exe (64 identical events, all from PID 4624)
- Suspicious use of WriteProcessMemory (3 IoCs)

  description | pid | Process | procid_target
  PID 1360 wrote to memory of 4624 | 1360 | f2c470abfb19b04ecc25c1f24c59f308_JaffaCakes118.exe | 83 (3 identical events)
Processes

C:\Users\Admin\AppData\Local\Temp\f2c470abfb19b04ecc25c1f24c59f308_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f2c470abfb19b04ecc25c1f24c59f308_JaffaCakes118.exe"
  PID: 1360
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchost.exe (child of PID 1360)
    Command line: "C:\Windows\system32\svchost.exe"
    PID: 4624
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
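The tree above shows the shape of the sample's injection: PID 1360 spawns a svchost.exe whose mapped image is under SysWOW64 although its command line names system32 (a 32-bit creator asking for system32\svchost.exe gets the SysWOW64 copy through WOW64 file-system redirection), writes into that child's memory, and from then on every persistence and privilege signature fires in PID 4624 rather than in the sample. The script below is an added example, not code from the report or from the Kronos sample: it correlates Sysmon-style process-creation (Event ID 1) and cross-process-write (Event ID 10) records into such a chain and flags svchost.exe instances that were not started by services.exe with a -k argument. PIDs 1360 and 4624, their image paths and command lines come from the report; services.exe (PID 700), its legitimate svchost.exe child (PID 1200) and the sample's parent PID are invented so the check has a clean case to compare against.

```python
"""Correlate process-creation and cross-process-write events into an injection chain.

Added example, not code from the sandbox report or the Kronos sample. Field names follow
Sysmon's ProcessCreate (Event ID 1) and ProcessAccess (Event ID 10) conventions. PIDs 1360
and 4624, their images and command lines are taken from the report; services.exe (PID 700),
its legitimate svchost.exe child (PID 1200) and the sample's parent PID are invented.
"""
from dataclasses import dataclass
from typing import Dict, List

# A legitimate svchost.exe is started by services.exe with a "-k <group>" argument.
SVCHOST_PARENT = "services.exe"


@dataclass
class Proc:
    pid: int
    image: str      # full path of the executable actually mapped
    cmdline: str    # command line as passed by the creator
    ppid: int

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def exe_from_cmdline(cmdline: str) -> str:
    """First token of a command line, honouring a quoted executable path."""
    c = cmdline.strip()
    if c.startswith('"'):
        return c[1:c.index('"', 1)]
    return c.split(" ", 1)[0]


def check_svchost(p: Proc, procs: Dict[int, Proc]) -> List[str]:
    """Reasons this svchost.exe does not look like one the Service Control Manager started."""
    if p.name != "svchost.exe":
        return []
    flags = []
    parent = procs.get(p.ppid)
    parent_name = parent.name if parent else "unknown"
    if parent_name != SVCHOST_PARENT:
        flags.append(f"parent is {parent_name}, not {SVCHOST_PARENT}")
    if "-k" not in p.cmdline.split():
        flags.append("no -k <service group> argument")
    claimed = exe_from_cmdline(p.cmdline).lower()
    if claimed != p.image.lower():
        # A 32-bit creator asking for system32\svchost.exe gets SysWOW64\svchost.exe
        # through WOW64 file-system redirection; the mismatch itself is the tell.
        flags.append(f"command line names {claimed} but mapped image is {p.image}")
    return flags


def injection_chains(procs: Dict[int, Proc], writes: List[dict]) -> List[dict]:
    """Pair each cross-process memory write with the target's process-tree anomalies.

    A creator writing into a child it has just spawned is the classic shape of
    hollowing / early injection: the child is a signed host, the code is the creator's.
    """
    chains, seen = [], set()
    for w in writes:
        src, dst = w["SourceProcessId"], w["TargetProcessId"]
        if src == dst or (src, dst) in seen:   # the report logs the same write three times
            continue
        seen.add((src, dst))
        source, target = procs.get(src), procs.get(dst)
        if source is None or target is None:
            continue
        flags = check_svchost(target, procs)
        if target.ppid == src:
            flags.insert(0, "target was spawned by the writer")
        if flags:
            chains.append({"source": source, "target": target, "flags": flags})
    return chains


# Constructed process tree (see module docstring for what is from the report vs invented).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f2c470abfb19b04ecc25c1f24c59f308_JaffaCakes118.exe"
PROCS: Dict[int, Proc] = {p.pid: p for p in [
    Proc(700, r"C:\Windows\System32\services.exe", r"C:\Windows\system32\services.exe", 600),
    Proc(1200, r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs -p", 700),
    Proc(1360, SAMPLE, f'"{SAMPLE}"', 3000),
    Proc(4624, r"C:\Windows\SysWOW64\svchost.exe", r'"C:\Windows\system32\svchost.exe"', 1360),
]}
# Mirrors the report's three "PID 1360 wrote to memory of 4624" IoCs.
WRITES = [{"SourceProcessId": 1360, "TargetProcessId": 4624}] * 3

if __name__ == "__main__":
    for chain in injection_chains(PROCS, WRITES):
        print(f"{chain['source'].name} (PID {chain['source'].pid}) -> "
              f"{chain['target'].name} (PID {chain['target'].pid})")
        for f in chain["flags"]:
            print("  -", f)
```

The invented PID 1200 passes all three svchost checks and is never reported; PID 4624 fails all of them and is additionally the writer's own child, which is what turns three isolated "wrote to memory" events into one chain worth triaging. The SeDebugPrivilege and EnumeratesProcesses signatures on PID 4624 are then read as activity of the injected code, not of svchost.exe.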
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)