Analysis
  Max time kernel:  104s
  Max time network: 137s
  Platform:         windows10-2004_x64
  Resource:         win10v2004-20250619-en
  Resource tags:    arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
  Submitted:        04/07/2025, 12:03
Behavioral task: behavioral1
  Sample:   JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe
  Resource: win10v2004-20250619-en
General
  Target: JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe
  Size:   128KB
  MD5:    1c28a7513f89aed698f1b82675b03c68
  SHA1:   f11c56ccc5e5c7d75f843818418bfa63ad0a0f77
  SHA256: 139b3551ddc564eb622d8d6118404d4f5e3e6d107009966288c1942cc22a3f43
  SHA512: 9ea4c219428dace893196a49776213378eee083f7c40eeaa5d2684f6ab22878f2a4be79f1655253504e89bfbaa8efea978a2b7171578eccc9d176ed275ff64fb
  SSDEEP: 3072:7cJR3No+USaTkfpb8GmZSapzTc3G+SlLTzgkfpb8GmZSa:7CRdWtwf+GmZXxQ33+Hbf+GmZX
Malware Config
Signatures

  Credentials from Password Stores: Windows Credential Manager (1 TTP)
    Suspicious access to Credentials History.

  Executes dropped EXE (2 IoCs)
    PID   Process
    2744  outlook.exe
    5092  sys32.exe

  Reads user/profile data of web browsers (3 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.

  Adds Run key to start application (2 TTPs, 1 IoC)
    Description      IoC                                                                                                            Process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe"  JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe

  Drops file in Windows directory (8 IoCs)
    Description                   IoC                     Process
    File created                  C:\Windows\sys32.exe    JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe
    File created                  C:\Windows\outlook.exe  JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe
    File opened for modification  C:\Windows\outlook.exe  JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe
    File opened for modification  C:\Windows\sys32.exe    JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe
    File created                  C:\Windows\sys32.exe    sys32.exe
    File created                  C:\Windows\outlook.exe  sys32.exe
    File opened for modification  C:\Windows\outlook.cfg  outlook.exe
    File created                  C:\Windows\crc32.cfg    outlook.exe

  Program crash (1 IoC)
    PID   Target PID  Process       Target procid
    2280  2744        WerFault.exe  88

  System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    Description  IoC                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  outlook.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sys32.exe

  Suspicious use of WriteProcessMemory (6 IoCs)
    Description                       PID   Process                                              Target procid
    PID 4288 wrote to memory of 2744  4288  JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe  88
    PID 4288 wrote to memory of 2744  4288  JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe  88
    PID 4288 wrote to memory of 2744  4288  JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe  88
    PID 4380 wrote to memory of 5092  4380  cmd.exe                                              89
    PID 4380 wrote to memory of 5092  4380  cmd.exe                                              89
    PID 4380 wrote to memory of 5092  4380  cmd.exe                                              89
Processes

  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe (PID 4288)
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28a7513f89aed698f1b82675b03c68.exe"
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\outlook.exe (PID 2744)
      Command line: C:\Windows\outlook.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\WerFault.exe (PID 2280)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 31476
        - Program crash

  C:\Windows\system32\cmd.exe (PID 4380)
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\sys32.exe
    - Suspicious use of WriteProcessMemory
    C:\Windows\sys32.exe (PID 5092)
      Command line: C:\Windows\sys32.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\WerFault.exe (PID 4660)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2744 -ip 2744
Network
MITRE ATT&CK Enterprise v16
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
Downloads