Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
27/01/2025, 14:57
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_40bec10104b213d99983caec70e6e348.exe
Resource
win7-20240903-en
General
-
Target
JaffaCakes118_40bec10104b213d99983caec70e6e348.exe
-
Size
653KB
-
MD5
40bec10104b213d99983caec70e6e348
-
SHA1
e2b6f3202589f8309d3731300da9b7f01f972cdc
-
SHA256
018094b89c13f7d35a068cfc6ab6fbb012e9588ee9d93ebad8ecc4e2a95d9878
-
SHA512
591b32a20d6bfdae85ca4cba8c2247008042ac0ede23c150f429a954a450ced04627a229009df93161217335a9d5d12f136a82b9954f095239936e316762907b
-
SSDEEP
12288:pNpbGph0W2KjUnD0CbEFsifQciGVU22536xIPjtnYkZKiUzd0FHgZgA4Wzoxl:gpn+YQc8oOBYkZKisd0yZgA47l
Malware Config
Signatures
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_40bec10104b213d99983caec70e6e348.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2380 wrote to memory of 2436 2380 JaffaCakes118_40bec10104b213d99983caec70e6e348.exe 31 PID 2380 wrote to memory of 2436 2380 JaffaCakes118_40bec10104b213d99983caec70e6e348.exe 31 PID 2380 wrote to memory of 2436 2380 JaffaCakes118_40bec10104b213d99983caec70e6e348.exe 31 PID 2380 wrote to memory of 2436 2380 JaffaCakes118_40bec10104b213d99983caec70e6e348.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bec10104b213d99983caec70e6e348.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bec10104b213d99983caec70e6e348.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\424.bat2⤵
- System Location Discovery: System Language Discovery
PID:2436
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175B
MD51e5388a427013031d18ba3645a8d24b9
SHA1bc24e057b7975b2bde5f1d07604420559b43eabd
SHA256dda7e67e924db0cec4076370863f832e921e7f0be6804d3c4aab1e56c577b3fa
SHA512c05e42173bec5584221467c037dfdfdf7328815c6ef4fa5efd39d1dd6dff9923950dc6c0920e090c9470f18b3141ac0c3129b8d002bd5b31e9bb9ed6027e2d14
-
Filesize
653KB
MD540bec10104b213d99983caec70e6e348
SHA1e2b6f3202589f8309d3731300da9b7f01f972cdc
SHA256018094b89c13f7d35a068cfc6ab6fbb012e9588ee9d93ebad8ecc4e2a95d9878
SHA512591b32a20d6bfdae85ca4cba8c2247008042ac0ede23c150f429a954a450ced04627a229009df93161217335a9d5d12f136a82b9954f095239936e316762907b