Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/01/2025, 14:57

General

  • Target

    JaffaCakes118_40bec10104b213d99983caec70e6e348.exe

  • Size

    653KB

  • MD5

    40bec10104b213d99983caec70e6e348

  • SHA1

    e2b6f3202589f8309d3731300da9b7f01f972cdc

  • SHA256

    018094b89c13f7d35a068cfc6ab6fbb012e9588ee9d93ebad8ecc4e2a95d9878

  • SHA512

    591b32a20d6bfdae85ca4cba8c2247008042ac0ede23c150f429a954a450ced04627a229009df93161217335a9d5d12f136a82b9954f095239936e316762907b

  • SSDEEP

    12288:pNpbGph0W2KjUnD0CbEFsifQciGVU22536xIPjtnYkZKiUzd0FHgZgA4Wzoxl:gpn+YQc8oOBYkZKisd0yZgA47l

Malware Config

Signatures

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bec10104b213d99983caec70e6e348.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bec10104b213d99983caec70e6e348.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\424.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2436

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\424.bat

          Filesize

          175B

          MD5

          1e5388a427013031d18ba3645a8d24b9

          SHA1

          bc24e057b7975b2bde5f1d07604420559b43eabd

          SHA256

          dda7e67e924db0cec4076370863f832e921e7f0be6804d3c4aab1e56c577b3fa

          SHA512

          c05e42173bec5584221467c037dfdfdf7328815c6ef4fa5efd39d1dd6dff9923950dc6c0920e090c9470f18b3141ac0c3129b8d002bd5b31e9bb9ed6027e2d14

        • C:\Users\Admin\AppData\Local\Temp\43489.exe

          Filesize

          653KB

          MD5

          40bec10104b213d99983caec70e6e348

          SHA1

          e2b6f3202589f8309d3731300da9b7f01f972cdc

          SHA256

          018094b89c13f7d35a068cfc6ab6fbb012e9588ee9d93ebad8ecc4e2a95d9878

          SHA512

          591b32a20d6bfdae85ca4cba8c2247008042ac0ede23c150f429a954a450ced04627a229009df93161217335a9d5d12f136a82b9954f095239936e316762907b

        • memory/2380-0-0x0000000010000000-0x000000001010F000-memory.dmp

          Filesize

          1.1MB