Analysis
  max time kernel: 150s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 19/01/2025, 19:31
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_d0f36ba42fa306e6d1008212c8874078.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_d0f36ba42fa306e6d1008212c8874078.exe
  Resource: win10v2004-20241007-en
General
  Target: JaffaCakes118_d0f36ba42fa306e6d1008212c8874078.exe
  Size: 809KB
  MD5: d0f36ba42fa306e6d1008212c8874078
  SHA1: ca607f766c7a67916b3b5a5cbdeed2b72cea246c
  SHA256: 78ba6b04fa45496aad0528ec07612c9d33150c9ce08085525401c7baf9152cd0
  SHA512: 096cabce5678ab8b2fd90c74d6c1026af139a883093112d1361848b30a1abe4cef38cd1ceba34334cd5819000cf7a250671b242dc5ba9760e2012fa10fc7c0be
  SSDEEP: 12288:wphm2SvseSwoDxUZTtrH+hdwzWq4hJcIe5E+bQ1fNXiw7lFsERTWd7E+:Oo7seSwoiH+hOynfzT5fs+l3RI7E
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid 268  privacy.exe

Loads dropped DLL (3 IoCs)
  pid 1640  JaffaCakes118_d0f36ba42fa306e6d1008212c8874078.exe
  pid 1640  JaffaCakes118_d0f36ba42fa306e6d1008212c8874078.exe
  pid 1640  JaffaCakes118_d0f36ba42fa306e6d1008212c8874078.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Privacy Protection = "C:\\ProgramData\\privacy.exe"
  Process: privacy.exe

Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only); Process: privacy.exe (all 21 entries)
  ioc: \??\G:, \??\I:, \??\Z:, \??\J:, \??\K:, \??\P:, \??\Q:, \??\U:, \??\V:, \??\E:, \??\M:, \??\O:, \??\R:, \??\T:, \??\X:, \??\Y:, \??\H:, \??\L:, \??\N:, \??\S:, \??\W:

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description: File opened for modification
  ioc: \??\PhysicalDrive0
  Process: privacy.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: JaffaCakes118_d0f36ba42fa306e6d1008212c8874078.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: privacy.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1640  JaffaCakes118_d0f36ba42fa306e6d1008212c8874078.exe
  pid 268   privacy.exe (remaining 63 entries, all pid 268)

Suspicious use of FindShellTrayWindow (15 IoCs)
  pid 268  privacy.exe (15 entries, all pid 268)

Suspicious use of SendNotifyMessage (15 IoCs)
  pid 268  privacy.exe (15 entries, all pid 268)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 268  privacy.exe (2 entries, all pid 268)

Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 1640 wrote to memory of 268
  pid: 1640
  Process: JaffaCakes118_d0f36ba42fa306e6d1008212c8874078.exe
  procid_target: 28
  (4 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0f36ba42fa306e6d1008212c8874078.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0f36ba42fa306e6d1008212c8874078.exe"
   PID: 1640
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\privacy.exe (child of process 1)
      Command line: C:\ProgramData\privacy.exe
      PID: 268
      - Executes dropped EXE
      - Adds Run key to start application
      - Enumerates connected drives
      - Writes to the Master Boot Record (MBR)
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Pre-OS Boot (1)
      Bootkit (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
  Credential Access
    Credentials from Password Stores (1)
      Credentials from Web Browsers (1)
    Unsecured Credentials (1)
      Credentials In Files (1)
Downloads
  Filesize: 797KB
  MD5: cc5838fd9bff840360847960458bd085
  SHA1: 678fc0c61cbde3beaa902c5ef28e293dfeb4c42f
  SHA256: 4fff9348a41e2861dc52a3ed76ae7333cd52e100890b2818349b111560e524b1
  SHA512: 5c37c2a1fe0d53c08cc998370bf490abbbb5828de7a05afccf64906d3729cb33ddb56f9197dc99c13c6c48190c15d6378cae73a545b891e6e4828a84a82d3966