Analysis
-
max time kernel
98s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
19/01/2025, 12:29
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe
Resource
win7-20240729-en
General
-
Target
JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe
-
Size
1.6MB
-
MD5
c7d15cb02c2a5446818e438b22a4dab4
-
SHA1
b0800dd084c27334547f600319b0bc5b8e8029c5
-
SHA256
1cb7c5a5ca6571235788a6dbe4b22cc2d10349e44b2519209b8a285da8f70810
-
SHA512
802e308f364ba205180db9b5987ff90d6300caf1e3c7f49c6bc04b390d8475c56186ebadbb7cc44b6f4a3dc562b66f7050d7c1b3324b970de347f14c2e49b007
-
SSDEEP
49152:1bfcx2eIzRet6PPwyo2MIvJtoiQKusITOJrn:1gx/My6vJ+guG
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1748 cookieman.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2528 JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe 2528 JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe 2596 JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe 2596 JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2596 JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2596 JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2596 JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe 2596 JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2528 wrote to memory of 2596 2528 JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe 29 PID 2528 wrote to memory of 2596 2528 JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe 29 PID 2528 wrote to memory of 2596 2528 JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe 29 PID 2528 wrote to memory of 2596 2528 JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe 29 PID 2528 wrote to memory of 2596 2528 JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe 29 PID 2528 wrote to memory of 2596 2528 JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe 29 PID 2528 wrote to memory of 2596 2528 JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe"1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7d15cb02c2a5446818e438b22a4dab4.exe" /wrapper /dir="C:\Users\Admin\AppData\Local\Temp\pkg_c1d291380"2⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2596 -
C:\Users\Admin\AppData\LocalLow\cookieman.exe"C:\Users\Admin\AppData\LocalLow\cookieman.exe" /mode=read installiq.com3⤵
- Executes dropped EXE
PID:1748
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34B
MD53f4519b56cb1e006dfe4341e72112913
SHA10ff5675d359c898b6a6bdc1dff10f71097bc9927
SHA256125adf4924899f2026436c0919853bb78b718c7cb6f2187148b01938b79388a2
SHA51278c0961f0828f32032c643f0e6ab59d1ca8b96bb891a74b0b255e1a1a63a0c581f486e9e16b070399e6365d1fb53464eb2b723932480b41a2df5e9f1eb89ab40
-
Filesize
45KB
MD5e9f890b0cc57ffc4cbf579004f00e99e
SHA115250500d0dfda4f767c2327af2c42463b95f80e
SHA2563a6a3f4a09a5e9056ae2ed9e1f9e1919acaa7a5bae5e2a90494b6bd591d0c2c1
SHA5126a2104916e3e2ae15c810f5b2ac28d3298a32a123e187ed5e1aa4854b0c603f6c2c8a4cbf008eeaad45fadc176dfecc1ed3f9826d8a6c9c0538daf76120d729b
-
Filesize
90B
MD5844d1ad004c1d58a0cce875f250346e6
SHA1ab46e7e1755a0023f546ceb75909836a8c8bc03f
SHA25606e5eea470b26bd26556676fbd02184a1cbadef0eb1baa6333b7ce0b49f1c5ca
SHA51211f59c545298c893788258965e4fb4ed077bf423df0ea1e5d18e0849df232216dad5d0a3a5edd9e2424886a818ad1a178b970430229f6599aa24689feb7e73db
-
Filesize
1KB
MD53db83f039ef0c6d0f9a2db8e02ab744a
SHA1f0ef7f3666933e3d46f2467f7a48722078de6615
SHA2569a7e0e42263fce0d4521921818a757ff2ca485d16052e8e3287bc281a323daf6
SHA512ba9b807533475d4629b6c798e1fb5ea6a385e26885023461c0167a7effd1878875be5a5c3206c1d04e06c45a929eb841d2bb53663628874b2f030cb2ae0155f1