Analysis

  • max time kernel
    101s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/07/2025, 17:25

General

  • Target

    JaffaCakes118_1c6e755a10d30c9544ee1133144cdd6c.exe

  • Size

    722KB

  • MD5

    1c6e755a10d30c9544ee1133144cdd6c

  • SHA1

    6bb345b71886394f723d5a12275b2e6ba48eecbe

  • SHA256

    4e3eefcb9c9aff0d44debe4d22b6e5ab8c2029b153c52bc71071b2469845c850

  • SHA512

    06c24ad01bcd4a16da38ca29f4eedcc3930cbba28a4df28a1180ff6b076bd8277e137a84f3befec96f6395ed22342a71a9f97fdba0d329f04c18ac0e633056cb

  • SSDEEP

    12288:h1OgLdaOFo99/rsFEt5hDG0SAMs9jR/jeRJKu9TJdwYGZtyjTje5jOSpJ5:h1OYdaOFOBsFEt5hDG0SAMs9jR/jaJn+

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 63 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6e755a10d30c9544ee1133144cdd6c.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6e755a10d30c9544ee1133144cdd6c.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3796
    • C:\Users\Admin\AppData\Local\Temp\7zS54C7.tmp\lj.exe
      .\lj.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops Chrome extension
      • Installs/modifies Browser Helper Object
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies registry class
      • System policy modification
      PID:1156

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\7zS54C7.tmp\1.dll

          Filesize

          222KB

          MD5

          e9b27306a18f18b88945cdf066de2fc9

          SHA1

          4d18490fbb336e261301a967047065dd561cc2f2

          SHA256

          a9880b90d24af3786886306aefe5c79ff3cb2fb7b36ee5fb7bf2af85f240d63c

          SHA512

          f255e8bfb13cfa070b31f47b12a4aacf9ab75a6a8191b6b83740d02c3f007b6d5255a5c2c12bc7b599996742973d2faccb5463d96d16c7aba40e34776823c706

        • C:\Users\Admin\AppData\Local\Temp\7zS54C7.tmp\1.tlb

          Filesize

          2KB

          MD5

          39d776f73d1d3f771aaa8c3561367c3a

          SHA1

          eef842aa02927bd7fbe7d569c5446ef1a2ea065f

          SHA256

          c2156787eeb818e587529572599fa124773c71330fb93e1c79f4cb9141090941

          SHA512

          3174095accbf422730e60f61523dec01a9a4519cb4642a641c5f547d530ad41f5386d383b90f7daf34f1f36635775929e99d7fe0030aa24cee30f4de8376eeb3

        • C:\Users\Admin\AppData\Local\Temp\7zS54C7.tmp\[email protected]\bootstrap.js

          Filesize

          2KB

          MD5

          1b53c596cfb1aa2209446ff64c17dabd

          SHA1

          2542da14728dcdbe1763f1ee39fe9ceae38ad414

          SHA256

          a7dfea4bf7e1d46a8b8e64ccfb2cf35017e3a5b350eead26d6671254d2b3c46f

          SHA512

          be54481675c38ef6a41697cf8cd3ab5a0b126922b192732a9c587dd8905b74b66c79eb0c849f62bbe8934979a894be63734b0ad59ffae295f5797cbfaa327030

        • C:\Users\Admin\AppData\Local\Temp\7zS54C7.tmp\[email protected]\chrome.manifest

          Filesize

          96B

          MD5

          c2d0d1dce72d2b47edc64a15e7616ed8

          SHA1

          88d6039a3af0620d559814507974bd1c7323e17a

          SHA256

          0d5f1c016868fe5e19c670c017b36a814e17f15184378e07390ea901f292e8f7

          SHA512

          f8ad46ad44fc3bec25551216b75dfb09bb70de943996618232ce819df1493ff6167cec3e6f4924fb254fb2af68fac4eecd84eb1efb7f3d0b9539d564ed3858d0

        • C:\Users\Admin\AppData\Local\Temp\7zS54C7.tmp\[email protected]\content\bg.js

          Filesize

          8KB

          MD5

          294ae8a44136952f06a3e1344405a213

          SHA1

          8d411c92c99e7c146f04469bff7f2860fb207f47

          SHA256

          8f37108d879b291a2e46eb8c46e7d282f3f127125a21c075f8b22a59bfbe8430

          SHA512

          97721e8551ea8cf69e64c089abcfc905da4d1d35d065b7a8e9a9050d219b24f2c2690c702e05fc7b443978ae3adffc12e59c0fe77062524560bd2032a3c6dc77

        • C:\Users\Admin\AppData\Local\Temp\7zS54C7.tmp\[email protected]\install.rdf

          Filesize

          612B

          MD5

          fff02fd4dbdcc1d32d1222ef2b854aa3

          SHA1

          84085f9459831726acde29d0cfd795013b2ada96

          SHA256

          de5716539ae7c37f8bbd16334c119106aeb2f9b40ff388ca6e60be895f82e8f3

          SHA512

          fb9529d1e162e0f7bcf9389320b93a8690df880cd3d9f23433fe52761c2ab49ea486d0c88e41b420e142715dceae0019b28d9bf3147deb6ded902f93dcd3e106

        • C:\Users\Admin\AppData\Local\Temp\7zS54C7.tmp\eaelbmcbhbnfmlgmokomfnaefmfkbcjc\QP.js

          Filesize

          4KB

          MD5

          0b336005d9953b96b690d860836804cd

          SHA1

          2c27f9ee3730179bf638f6abd5a8c15f13a699c4

          SHA256

          5103d11d851b53095fdc9143624cebead7287399a38d048afada1084b2c1acf8

          SHA512

          91e12a4a232af0a9f04b340d0cc3ddd4590058e9cc4539076e6cc1c10e149fa5fe4ad2651b5e9ca4194998c0d322c88a077d22393a217cfe5f7f97beb00f65a6

        • C:\Users\Admin\AppData\Local\Temp\7zS54C7.tmp\eaelbmcbhbnfmlgmokomfnaefmfkbcjc\background.html

          Filesize

          139B

          MD5

          824da30342fa1679ce28aa3b858789cc

          SHA1

          3d5971102bc87413da4dc8a00157fc3ad9148d2c

          SHA256

          11102787f8b10025dd2bd597c45bc96595109036c4194ef7fd4db03018d92866

          SHA512

          69715eea0bc61033f8a765ab64af4d9c105e1a8b4aa1187cf189a01a856447f69eed249dfd8cebe047f21493bd4a682ac374acf09ebe9349cb42ae5a43029063

        • C:\Users\Admin\AppData\Local\Temp\7zS54C7.tmp\eaelbmcbhbnfmlgmokomfnaefmfkbcjc\content.js

          Filesize

          197B

          MD5

          5f9891607f65f433b0690bae7088b2c1

          SHA1

          b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

          SHA256

          fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

          SHA512

          76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

        • C:\Users\Admin\AppData\Local\Temp\7zS54C7.tmp\eaelbmcbhbnfmlgmokomfnaefmfkbcjc\lsdb.js

          Filesize

          559B

          MD5

          209b7ae0b6d8c3f9687c979d03b08089

          SHA1

          6449f8bff917115eef4e7488fae61942a869200f

          SHA256

          e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

          SHA512

          1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

        • C:\Users\Admin\AppData\Local\Temp\7zS54C7.tmp\eaelbmcbhbnfmlgmokomfnaefmfkbcjc\manifest.json

          Filesize

          504B

          MD5

          6610f4b84abc00b40d687b134437e6ed

          SHA1

          3057cddd0f90462386226cc6f7f75eb079eca179

          SHA256

          97b5bab313f4e66d72410eccd244e0a68a65dbeeae19b7638ec9ba13a11f6ac0

          SHA512

          f79f14dd5fa6710cf44f28ce80ff60afa09e350ae7db5858e2959dba65ee9f5cb26d584d6a282bb71df33de76419ccec9f9585ee41cad2cb3b1841a680dc9317

        • C:\Users\Admin\AppData\Local\Temp\7zS54C7.tmp\eaelbmcbhbnfmlgmokomfnaefmfkbcjc\sqlite.js

          Filesize

          1KB

          MD5

          66ea82b9c64fa48392c34fa73e08b7ee

          SHA1

          03812b2c454d2991255649e1bcbf16e4859d3702

          SHA256

          a90c79716a9805f50287b1203b10405aca6c1dde1e75b31a5b59465ee454bd75

          SHA512

          09ec0bbaa424ffbf92a0ca2d0a567d22d5e2a35187f0cf757d142fe09ebd2968f25a2e40db5dc20fc4eb8013830bba2c049406a0ea1ac5349f21d721dada2a3b

        • C:\Users\Admin\AppData\Local\Temp\7zS54C7.tmp\lj.dat

          Filesize

          6KB

          MD5

          9530daada2cbde234d17f9b1b8bd1c89

          SHA1

          2f29103ddbf4dd7398fc9b6030e923a8c6a37259

          SHA256

          8976c9cf106c2d15c830fb573da96cc1a9ad3b54be3adee3746cce69d85d4fb4

          SHA512

          9e3b1f69183cda5936a819453493769c9baf063cb8162b4ab60908af0dd744f985e5de27497aab92322db59aee6e31446069e6b96b1a32d2b74101c0a6e4e69e

        • C:\Users\Admin\AppData\Local\Temp\7zS54C7.tmp\lj.exe

          Filesize

          334KB

          MD5

          8300c91b40229b42301aebc6d8859907

          SHA1

          0b55e56a6add6b4dd4ceff475a0018a203d02a5a

          SHA256

          f54a6814ac06c70ef5b738eca4855e49039783d96b70ba1ae461bd90877e53b5

          SHA512

          0863750da143e1707513f4a2efe1ad6cf81f5a819c7d5496d1629745afffcf72338aa9de90479d5e0936e848f9b260c434fd369027c56be175814086cafd4d8f