e31a1c947d8e470d136959beb047c802fe894ec7f3f3ae5dc0b106e6dc2b1053

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/03/2025, 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_61c150ab2f4344c7096fcc673ccbc658.exe
Size

664KB
MD5

61c150ab2f4344c7096fcc673ccbc658
SHA1

13bdf5df5e1abd801da31e1ac9f44a9ca77e9a78
SHA256

e31a1c947d8e470d136959beb047c802fe894ec7f3f3ae5dc0b106e6dc2b1053
SHA512

0ff602e1e2d89f10da20a970ee314aa01b905095fe4d3df5ea211187f5f95a77932f7b951d536c2853c7f2014cbb1b215c4f3b2073ec4b937f761c53e7ba1dc4
SSDEEP

12288:22eIlzdXH75e+BzWbSnIvcg3wc3aTvDTbdw6rNFxKf99L5H:beIxdXle+Bn+3wea3TR3xKf99L

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1616	2592	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_61c150ab2f4344c7096fcc673ccbc658.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2020	regedit.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2020	2592	JaffaCakes118_61c150ab2f4344c7096fcc673ccbc658.exe	31
PID 2592 wrote to memory of 2020	2592	JaffaCakes118_61c150ab2f4344c7096fcc673ccbc658.exe	31
PID 2592 wrote to memory of 2020	2592	JaffaCakes118_61c150ab2f4344c7096fcc673ccbc658.exe	31
PID 2592 wrote to memory of 2020	2592	JaffaCakes118_61c150ab2f4344c7096fcc673ccbc658.exe	31
PID 2592 wrote to memory of 1616	2592	JaffaCakes118_61c150ab2f4344c7096fcc673ccbc658.exe	32
PID 2592 wrote to memory of 1616	2592	JaffaCakes118_61c150ab2f4344c7096fcc673ccbc658.exe	32
PID 2592 wrote to memory of 1616	2592	JaffaCakes118_61c150ab2f4344c7096fcc673ccbc658.exe	32
PID 2592 wrote to memory of 1616	2592	JaffaCakes118_61c150ab2f4344c7096fcc673ccbc658.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61c150ab2f4344c7096fcc673ccbc658.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61c150ab2f4344c7096fcc673ccbc658.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s C:\Users\Admin\AppData\Local\Temp\\extension.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 564
  2⤵
  - Program crash
  PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\extension.reg

Filesize
375B

MD5
a7c034106f010a80e519cd2e4950a1fd

SHA1
658256c9d07cf864445a3068ab75af908d470aa8

SHA256
7098b6dcaaccf4273691f0258995ccd3ab9ef225ba8698c23ed2624660cfdf7b

SHA512
30a9589d5a80d7ab1e3b1655d6d0a8e9c207d443ba818fe52edcf034157cc6ecd28c73ee5a731ca92f12bfe923b77a1ee6df97ad6d9fdbd1fc13c0634f2e975a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\extensions\[email protected]

Filesize
188KB

MD5
4996be3c9e77ba203c56cfe711ecc2df

SHA1
be69e147fa984d8e36d43233aaff32772ba367ee

SHA256
156a3be3eef25180490971f740024da3a6d89a39702c477ade87fbd0aa4e1634

SHA512
665a9f716de3f1ca218516ad53535de514d03418d96dbed4cd9461d422f18ca54bdabc41232e0152100acf86ae67b067824f94d3dbc7f187e52066ef24c052ed

Download Submit