Analysis
-
max time kernel
94s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-01-2025 20:30
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_ed7b254924385e6453e8c83e6a52799c.exe
Resource
win7-20241010-en
General
-
Target
JaffaCakes118_ed7b254924385e6453e8c83e6a52799c.exe
-
Size
532KB
-
MD5
ed7b254924385e6453e8c83e6a52799c
-
SHA1
d64da66e23c1aa5b4fce3b9d586b881eb630aa31
-
SHA256
edd8af7480af2c4022d4a2ec41adf9bb3f5b3cdfaede486eade658239550d193
-
SHA512
9f9f258b4a57c1abe4c1a8f726de5edbbf4de10edce1e00c0b58d15de8712450a6da18520d124203fa8a42dc0bf2ec723460c56ee5b18afd666a5011d13de467
-
SSDEEP
12288:fCiN9vp/FpHRdjWouP02XXV8Q0x9NkGBjOftD0gQWGMt:fC2/dBjWo8iQ0DzBKtD02
Malware Config
Signatures
-
44Caliber family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 freegeoip.app 8 freegeoip.app -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 JaffaCakes118_ed7b254924385e6453e8c83e6a52799c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier JaffaCakes118_ed7b254924385e6453e8c83e6a52799c.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1360 JaffaCakes118_ed7b254924385e6453e8c83e6a52799c.exe 1360 JaffaCakes118_ed7b254924385e6453e8c83e6a52799c.exe 1360 JaffaCakes118_ed7b254924385e6453e8c83e6a52799c.exe 1360 JaffaCakes118_ed7b254924385e6453e8c83e6a52799c.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1360 JaffaCakes118_ed7b254924385e6453e8c83e6a52799c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ed7b254924385e6453e8c83e6a52799c.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ed7b254924385e6453e8c83e6a52799c.exe"1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1360
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
731B
MD5f02610f47a6d4a16b5b613f420362dd6
SHA1dfece02df5c2d5bf21749f091b63e45d69bc713e
SHA256d5c7cb06bac67967f4df8aa20e6f936d6b32670104d4dcc1f63995fbff6a4cc7
SHA512609c1ff0e2ff624b65110d9a547fb1aa48c9320ca13d5c7d9765bb8d2a269a5b9722cec95ea81f7b18c01053c2bb4fa47983633a497ed3ede325955a6721369a
-
Filesize
1KB
MD5e562a5fbf5a3030d65a641fc2cc2558a
SHA1daf0006cf72b0492c96e922eef0ee269c43682e8
SHA256f3b4b8064087619f304043bab64975282df51b3c8b49b2bdff794580ed85d48a
SHA5124f5fd841c901238f89af30f791e57ab02739f6bcd550e4fddbaa53e8151018981fc3ab9b28967257cba876fef8228bbbee6bad582ff5cfe7b8b6f252d0069b85