Analysis

  • max time kernel
    103s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/07/2025, 18:28

General

  • Target

    JaffaCakes118_1c7a8fad9c24033e4e664388918398ea.exe

  • Size

    250KB

  • MD5

    1c7a8fad9c24033e4e664388918398ea

  • SHA1

    d469da8ccd4661abb2539701b814431e9f111767

  • SHA256

    1e21bb6f75dd86ad74e96805af2a32462d401d0c3f28222b43bb9a2e629065fa

  • SHA512

    f78b4dec9d115c4431f928e2fe9018a8fb233c65db9ff40e75adb71d62c48e223c7ebb745e8daae42c9640d83b90109272c718085469ddda78c231cfa5ee2d3f

  • SSDEEP

    6144:h1OgDPdkBAFZWjadD4s5ft6y7qpBka4DtWRXup6iDcYL:h1OgLdaOft6ympn4DtsX2r

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 4 IoCs
  • Modifies registry class 63 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7a8fad9c24033e4e664388918398ea.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7a8fad9c24033e4e664388918398ea.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Users\Admin\AppData\Local\Temp\7zS7B3B.tmp\5068ad663b605.exe
      .\5068ad663b605.exe /s
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • System policy modification
      PID:844

Network

MITRE ATT&CK Enterprise v16

Downloads

        • C:\ProgramData\Download and Sa\5068ad663b63c.ocx

          Filesize

          151KB

          MD5

          c78c6140cb88ef4dc94f999291bb5ab1

          SHA1

          65b47ed5ec889e0e558c79a13a81193fc59b8ce9

          SHA256

          6cfc7fb43715fb13c53ab2a29b68f3a0a0f285c85d1b1443f2c5e73526646851

          SHA512

          ac8865cb1bec889ba493cad3f4c4bac87bfb2fdb15c518626ffa5f8ac6799a6f5c84f358d3e7d35824d6aba29af46c1078acdf30c3bd93981be61312baf6bd26

        • C:\ProgramData\Download and Sa\uninstall.exe

          Filesize

          48KB

          MD5

          a724dac649142fef71fe4b529684e969

          SHA1

          e2878e84886ec53a1332ad969a825062526b5cd4

          SHA256

          b58c58b5073034d74c5d93902bbb9d402be063e907bdf77115b55bbb99af21dc

          SHA512

          9f475ad52fa2b7f82e74df87c02e42f937b5e3b62773b7d51cb53facfcc8b4934ad3c2fc21496cfabaa4dd103a309ed5cccad1ad3d6037f6c4f3a540e3e9d5b3

        • C:\Users\Admin\AppData\Local\Temp\7zS7B3B.tmp\[email protected]\bootstrap.js

          Filesize

          2KB

          MD5

          ad6e11d51975d5bc19ee6770c90ad194

          SHA1

          d97e47d79f519394e0e1810a66745ee359506f27

          SHA256

          f94538b2e5e7e30b831f93392d0987a22406a423117d72a06aa4668b6ddfefe8

          SHA512

          123fb841920d5641b68c5a77fde04226cd797a2899f04aecedd1c54b4fbb0d024c6492858439ca5504e83295cc090af9ba0928dd934d23ba874de96ca4f7726e

        • C:\Users\Admin\AppData\Local\Temp\7zS7B3B.tmp\[email protected]\chrome.manifest

          Filesize

          116B

          MD5

          2effd6bb3e0a32e4b890193bce56fd51

          SHA1

          76413142e2db5184ceca088094df1a11ef17342e

          SHA256

          8f5d4ead5e6d5087c91ac3efa6527cd51418a35da5412e4f3e12baa6f17f907c

          SHA512

          71ddc74350bb8175dbb3e179bbfe70b3dabf1426e6aff31c215f63d8e3fcb59c99b0f53b99662c6fae55871e02c53b627447cfd6753df87d7db2b3a19abe387f

        • C:\Users\Admin\AppData\Local\Temp\7zS7B3B.tmp\[email protected]\content\bg.js

          Filesize

          8KB

          MD5

          85f7e9ae4eac40bf2d0981520ab9b9db

          SHA1

          d993a1b9a4624cab2f4f6389b1dcf1b406c39d19

          SHA256

          e9fa5e41bae4e22cb2d80f1229f6f404371ada9c26db4d6cb4f8cfe30f01a731

          SHA512

          a32dca243718da1c2502702826e81fd92dbe922542caf026bf16f9577e96980d04dd33ca8ebe28563b181d6de87d808bf87e0f970751a6d3bd268df9a5bd5ca5

        • C:\Users\Admin\AppData\Local\Temp\7zS7B3B.tmp\[email protected]\content\zy.xul

          Filesize

          225B

          MD5

          076100a7bd0bc5ce27f237f515ff6833

          SHA1

          ac7a26b4189be1bf52665315481a1bc2674a1011

          SHA256

          b66120d6a4f17fdc04b0276e0d79bd587a796570c9f00eb4ea1246221608d195

          SHA512

          bbb6c44fb858e488117bdc4728f3f6ce5f5563682f431a4f93bc749f36ed47fd82c8dc024821277063c97f302450166c26e099ece6e0d89c9b9bc4269a5c670b

        • C:\Users\Admin\AppData\Local\Temp\7zS7B3B.tmp\[email protected]\install.rdf

          Filesize

          718B

          MD5

          a35cf65e67c9c8f50dd6471846aede19

          SHA1

          54bca69c4451e0a9c20d6865428ca83c70d0857d

          SHA256

          935c175ad1165ff15f4e12f8228a00d50f119147d1beb015e1956e5b61eccf50

          SHA512

          a856ff845139cb38a49fb8e4e66033feeb08b5959f72b4d14335c143422c8e7ff582ea2d29ca9307c2186653a1c117b09f24a60b1987d8b0b2d180dfa7dbaae6

        • C:\Users\Admin\AppData\Local\Temp\7zS7B3B.tmp\5068ad663b605.exe

          Filesize

          65KB

          MD5

          4ccf1a317aa8539c857835e4ebe9c806

          SHA1

          223b73d09d7398f40aff3ccc569e66cae3886ee9

          SHA256

          4529889c5575cd4e28b3691f0489c806442840292a9e459ada4dab3e024cc242

          SHA512

          ecab68799b5a51c7d2a3735a9b3c17ba20a315618aa9575a5b02d5d4535716966031a26982012669f069dbfd8a6ab62f95737b7c402bf680f3a498900f627312

        • C:\Users\Admin\AppData\Local\Temp\7zS7B3B.tmp\5068ad663b672.html

          Filesize

          4KB

          MD5

          e162f326915d33d692c1bc12a98390a7

          SHA1

          32de3766d85f2c7c33630a18ba78e4d284138bdb

          SHA256

          ba14b7d3b8cb446fa6d2bcb1452b864a4b8423472d131af6d61eda0b79919b4e

          SHA512

          f6cc76124be560069691fb8358e5af5ed125cb8dd01447a367bc6dc1f8d782e6a9a268a7378992c9540e8d077b5bfa86755b628f84708a213661da52d018b96b

        • C:\Users\Admin\AppData\Local\Temp\7zS7B3B.tmp\5068ad663b6a9.js

          Filesize

          9B

          MD5

          99fa5d714d971a49b67de27e0d8871be

          SHA1

          d0621e846ea60fa8d0b2c8e622e495af49cd7359

          SHA256

          f560d76474380da948a0c5ab8682dc026822d9685268c592f315224b1b968bf6

          SHA512

          2fec19e4f2a974227922a7e057890141523ae73fbfa127f9e8cd00dff71b29abb93cb865c6d74ecf3df8bca440c558d4fbf2f80e82cc9636320ab5edb95ebad5

        • C:\Users\Admin\AppData\Local\Temp\7zS7B3B.tmp\dmfncdppjpblnhlnkindaelnakdngoom.crx

          Filesize

          7KB

          MD5

          c5bd958c4690119c1d290c68987771b4

          SHA1

          a7cf8b450810db4c3965f8fb2bb20ab588b464d0

          SHA256

          0702b9dc29ae15959a84d17593d372fc8e0c3dc69a9101fe0275db4a2cbe3d2b

          SHA512

          c2b569dd5d878737ab8b73d9e703aa5ac105e6cef517c625e54d9a950257401795b43d175c7c53296bcc48b9a88e6761d74789ebbc5fb971f8e6a824b2b62ece

        • C:\Users\Admin\AppData\Local\Temp\7zS7B3B.tmp\settings.ini

          Filesize

          924B

          MD5

          64f1e88f4fa7b4a4805efdaf641fcaea

          SHA1

          2b274fe41ad1f89544cecb75b2333a9e859b8581

          SHA256

          71efa06bf6f7b42b955060e3646010f9ee6f4f58c19fa1f22b5cf860785ab72b

          SHA512

          e48e6bc092ec605e00e925e4de8f67a069d02f7f0fd19341d5206281e72ed8a7887d51daa7c0b99b12afcd9d6976a96335ff1e8620be5a5311a168486c53f408

        • C:\Users\Admin\AppData\Local\Temp\nsq7C45.tmp\UserInfo.dll

          Filesize

          4KB

          MD5

          7579ade7ae1747a31960a228ce02e666

          SHA1

          8ec8571a296737e819dcf86353a43fcf8ec63351

          SHA256

          564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

          SHA512

          a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b