Analysis

  • max time kernel
    103s
  • max time network
    109s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    04/07/2025, 17:44

General

  • Target

    JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f.exe

  • Size

    725KB

  • MD5

    1c72aeee1e412e531559c261bfebdc5f

  • SHA1

    9bf4e8fec0ca41437f81b0b12614f26187dfe328

  • SHA256

    4f99ed9890f48b7665470007e5a3d43b9624e190e3e9a2af1a65e8de5b4465b1

  • SHA512

    f5405425f731bd90b0102a195746f4b665e3886327af836217bd6d886d20fdac1a1009bf89a846e3ced10bf48f01a6d18f45c52d155711140ca96006210d76aa

  • SSDEEP

    12288:h1OgLdaOOo99/rsFEt5hDG0SAMs9jR/jeRJKu9TJdwYGZtyjTje5jOSpJh:h1OYdaOOOBsFEt5hDG0SAMs9jR/jaJn6

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 63 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c72aeee1e412e531559c261bfebdc5f.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe
      .\xcIre.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops Chrome extension
      • Installs/modifies Browser Helper Object
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies registry class
      • System policy modification
      PID:2408

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\1002107223707559128.log

          Filesize

          6KB

          MD5

          3c54b3cd233e14fca44470ae8ffaf285

          SHA1

          95b6482d1716baee5f1194917897c3c3c1c5c894

          SHA256

          241a920df2ee8460343f78021e26c47a617362b15f6f53a93f8fb49873cdf378

          SHA512

          592899c8191b1f6043e411328b5a97aa4f69606c1f48b6ebea4c64510e56b9ea4da3418d0763e2ec59633de6796d43a0a5c64597487735ebf71fabdf03ed891d

        • C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\5KCB.dll

          Filesize

          222KB

          MD5

          e9b27306a18f18b88945cdf066de2fc9

          SHA1

          4d18490fbb336e261301a967047065dd561cc2f2

          SHA256

          a9880b90d24af3786886306aefe5c79ff3cb2fb7b36ee5fb7bf2af85f240d63c

          SHA512

          f255e8bfb13cfa070b31f47b12a4aacf9ab75a6a8191b6b83740d02c3f007b6d5255a5c2c12bc7b599996742973d2faccb5463d96d16c7aba40e34776823c706

        • C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\5KCB.tlb

          Filesize

          2KB

          MD5

          39d776f73d1d3f771aaa8c3561367c3a

          SHA1

          eef842aa02927bd7fbe7d569c5446ef1a2ea065f

          SHA256

          c2156787eeb818e587529572599fa124773c71330fb93e1c79f4cb9141090941

          SHA512

          3174095accbf422730e60f61523dec01a9a4519cb4642a641c5f547d530ad41f5386d383b90f7daf34f1f36635775929e99d7fe0030aa24cee30f4de8376eeb3

        • C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\[email protected]\bootstrap.js

          Filesize

          2KB

          MD5

          1b53c596cfb1aa2209446ff64c17dabd

          SHA1

          2542da14728dcdbe1763f1ee39fe9ceae38ad414

          SHA256

          a7dfea4bf7e1d46a8b8e64ccfb2cf35017e3a5b350eead26d6671254d2b3c46f

          SHA512

          be54481675c38ef6a41697cf8cd3ab5a0b126922b192732a9c587dd8905b74b66c79eb0c849f62bbe8934979a894be63734b0ad59ffae295f5797cbfaa327030

        • C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\[email protected]\chrome.manifest

          Filesize

          102B

          MD5

          78e8d7bdc6dc9be591c4e23fd0a8d9bb

          SHA1

          c649856d936dcd3c3cbd34d81b4f373fcd17e655

          SHA256

          a3a1d38d5417420561d2b1c954e32eb34cbbb9177720efe06a58af1ef573f5e7

          SHA512

          a97aaec43c761b141e613bbe0caa88021a5450544f59209545e6b624b0b5825d6becd3067eaf746b80553499863cce47cc24fd8b758be468d1575859a018b392

        • C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\[email protected]\content\bg.js

          Filesize

          9KB

          MD5

          a81739ef8ab7f4df5f244a96f067b297

          SHA1

          3900aa599bbe3fe6c9148fe701393aba259dc6f9

          SHA256

          86a26363c40f498e292d07f8fc9c561f493d84dba1c93e1ef645913e885fb11f

          SHA512

          f398ff61ef28b85dadb1c3cae62e3b52746701c73a0c3bf85ff1df9deca3c021596f312d43ac1d680991a5e171202caa76216a8d6fd476ea42ca65b8c065132a

        • C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\[email protected]\install.rdf

          Filesize

          607B

          MD5

          10965b74b4887ef4fba1547cf43749b9

          SHA1

          0f11cd9b94646b53d5ebb6927ae950a3b3da3fb7

          SHA256

          cd531e86d0e910c653771fb7106a63b0ebccd69de22ad2a293b00198daae4f6f

          SHA512

          ad8106086ef03954c739f2012f12bd07cfef556c63acb2ebe2ae1e3b9287234d9270613538140b15e44270c4b08936986c9f1f3ef9174359917727c7c25a3ce2

        • C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\NeRad.js

          Filesize

          5KB

          MD5

          7aa2a7924a17f964afd52a0846b3aa9b

          SHA1

          885e818bc0b11dcd930098d3fdf17ee73bed13a7

          SHA256

          25cc5fd035cdb0df758c59fdef0ea94c5629db5a4def77dbd8875f06eb3b3212

          SHA512

          380f2eb1acb92e855516ff738bef849bff30c06b24c941c28df581397e803e5f285eda6c1becf4e5324e0f5e2a1348e167c87615d8e8f31c8ddd1f02ffa9b42f

        • C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\background.html

          Filesize

          142B

          MD5

          d98b59bdbbb6109eab0af889a803435a

          SHA1

          4602e546ccc638653a3cc6dce5b0b1bb5d288c50

          SHA256

          4e3ffc9a2f4f67d6fbfd6cc7a2223733081f1ec7a53229f9fcbeacb7562d09e5

          SHA512

          2edfbd494329815ab3d6425511a1b23ee3b89ecddfaeeeba08aaa9571c349b98df2dbc1fa52e8235bbcfeb90e692d4ed89fd478ca00b0b778c731e0a49956026

        • C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\content.js

          Filesize

          197B

          MD5

          5f9891607f65f433b0690bae7088b2c1

          SHA1

          b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

          SHA256

          fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

          SHA512

          76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

        • C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\lsdb.js

          Filesize

          559B

          MD5

          209b7ae0b6d8c3f9687c979d03b08089

          SHA1

          6449f8bff917115eef4e7488fae61942a869200f

          SHA256

          e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

          SHA512

          1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

        • C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\manifest.json

          Filesize

          505B

          MD5

          26f3f237cbb80b696c82cd97c503f9fd

          SHA1

          79450fadf2e91140b89be29db8a8c75b6bcb2af6

          SHA256

          48206709e3b907f138f7eb3839057bcbd294fa7f970d6237b4afd1e5494e52ee

          SHA512

          f6854ad5dc9badc44f7fceecf52bbf0d4ab7c715edfa1a2fbab6450fd0f7131adfe19debe57fd2a1bcefa2818a86a7ed5b42d8838fa404a5b40a527de51013be

        • C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\mjemnkmlnhoamcpdkkhkmgdjgiddgpjb\sqlite.js

          Filesize

          1KB

          MD5

          24e97e8cc0176c27b83528b1928b197e

          SHA1

          b4e361f8b041c514e6ca88b5e149c2780b0e2f28

          SHA256

          1eff085139bb1abf1187cc24bfb218c430d421472466f670b006ae7cd5726af8

          SHA512

          cd2ec20ce1b6d6ac33f9818941e85f3d79b4d092f8863f58cd73f0fe2e223c88c305b4e96f86770b00c40cfe1cf6a8a75716bbfa6d7874082737decb65ac9cb6

        • C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.dat

          Filesize

          7KB

          MD5

          811dd34c6ef1aaa1b27651d92fb40c4f

          SHA1

          05e4983fdff22406fea6b8616fc0e3eb28a1512a

          SHA256

          5655d1c3fea97b461c165f662f2150f84e24161af0bca6d1babdeb0cca30d346

          SHA512

          f81d448bc5e45c3428efb899e26d77f7a611de026991b9a64b4287e04bf7bd39eaf933d1124343e67ff584a7edfd9e96fffd5ced0ef881c037d7f797e1267cc9

        • C:\Users\Admin\AppData\Local\Temp\7zS7FAF.tmp\xcIre.exe

          Filesize

          334KB

          MD5

          8300c91b40229b42301aebc6d8859907

          SHA1

          0b55e56a6add6b4dd4ceff475a0018a203d02a5a

          SHA256

          f54a6814ac06c70ef5b738eca4855e49039783d96b70ba1ae461bd90877e53b5

          SHA512

          0863750da143e1707513f4a2efe1ad6cf81f5a819c7d5496d1629745afffcf72338aa9de90479d5e0936e848f9b260c434fd369027c56be175814086cafd4d8f
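The process tree and the Downloads list together describe a self-extracting wrapper (the `7zS7FAF.tmp` working directory is the temp-directory naming used by 7-Zip SFX archives) that runs `xcIre.exe`, which in turn drops a Browser Helper Object (`5KCB.dll` plus its `5KCB.tlb` type library), an unpacked Chrome extension (the directory name `mjemnkmlnhoamcpdkkhkmgdjgiddgpjb` has the 32-character a-p shape of a Chrome extension ID) and a legacy Firefox add-on (`install.rdf`, `bootstrap.js`, `chrome.manifest`). The script below is an added example written for this page, not part of the sandbox report or the sample: it sweeps a directory tree for files whose SHA-256 matches the dropped files listed above, flags unpacked Chrome/legacy-Firefox extension directories, and, on Windows only, enumerates the registered BHO CLSIDs that the "Installs/modifies Browser Helper Object" signature refers to, resolving each to its DLL path. The `demo()` fixture is constructed data (a planted file and a fake extension directory), not the real artifacts; the hash table holds only a subset of the report's SHA-256 values, and the Firefox directory name is redacted on the page, so that check keys on the file names alone.

```python
"""ioc_sweep.py: host-side checks for the artifacts listed in this report (added example)."""
import hashlib
import json
import os
import re
import tempfile

try:
    import winreg  # Windows only; the registry check returns [] elsewhere
except ImportError:
    winreg = None

# SHA-256 values copied from the Downloads list above (subset of the dropped files).
REPORT_SHA256 = {
    "f54a6814ac06c70ef5b738eca4855e49039783d96b70ba1ae461bd90877e53b5": "xcIre.exe",
    "5655d1c3fea97b461c165f662f2150f84e24161af0bca6d1babdeb0cca30d346": "xcIre.dat",
    "a9880b90d24af3786886306aefe5c79ff3cb2fb7b36ee5fb7bf2af85f240d63c": "5KCB.dll",
    "c2156787eeb818e587529572599fa124773c71330fb93e1c79f4cb9141090941": "5KCB.tlb",
    "48206709e3b907f138f7eb3839057bcbd294fa7f970d6237b4afd1e5494e52ee": "manifest.json",
    "25cc5fd035cdb0df758c59fdef0ea94c5629db5a4def77dbd8875f06eb3b3212": "NeRad.js",
}
# Chrome extension IDs are 32 characters drawn from a-p (mjemnkmlnhoamcpdkkhkmgdjgiddgpjb fits).
CHROME_EXT_ID = re.compile(r"^[a-p]{32}$")
# BHO registration keys, native and WOW64 views.
BHO_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def sweep_hashes(root, iocs=REPORT_SHA256):
    """Walk root; return [(path, report_name)] for files whose SHA-256 is in iocs."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the sweep
            if digest in iocs:
                hits.append((p, iocs[digest]))
    return hits


def find_unpacked_extensions(root):
    """Return [(dir, kind, name)] for Chrome-ID-named dirs holding manifest.json and
    for legacy Firefox add-on dirs holding install.rdf + bootstrap.js."""
    found = []
    for dirpath, _, files in os.walk(root):
        base = os.path.basename(dirpath)
        if CHROME_EXT_ID.match(base) and "manifest.json" in files:
            try:
                with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as f:
                    name = json.load(f).get("name", "?")
            except (OSError, ValueError):
                name = "?"  # malformed manifest is still worth reporting
            found.append((dirpath, "chrome", name))
        elif "install.rdf" in files and "bootstrap.js" in files:
            found.append((dirpath, "firefox-legacy", base))
    return found


def registered_bhos():
    """Windows only: [(CLSID, DLL path)] for every BHO registered in either view."""
    if winreg is None:
        return []
    result = []
    for key_path in BHO_KEYS:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path)
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    clsid = winreg.EnumKey(key, i)
                except OSError:
                    break
                i += 1
                dll = "?"
                for clsid_root in (r"CLSID", r"Wow6432Node\CLSID"):
                    try:  # default value of InprocServer32 is the module path
                        dll = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT,
                                                rf"{clsid_root}\{clsid}\InprocServer32")
                        break
                    except OSError:
                        pass
                result.append((clsid, dll))
    return result


def demo():
    """Constructed fixture, not real samples: a fake drop dir with one planted IoC."""
    root = tempfile.mkdtemp(prefix="iocdemo_")
    ext = os.path.join(root, "mjemnkmlnhoamcpdkkhkmgdjgiddgpjb")
    os.makedirs(ext)
    with open(os.path.join(ext, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump({"name": "constructed-extension", "manifest_version": 2}, f)
    planted = os.path.join(root, "planted.bin")
    with open(planted, "wb") as f:
        f.write(b"constructed stand-in for a dropped file\n")
    iocs = dict(REPORT_SHA256)
    iocs[sha256_file(planted)] = "planted.bin"  # as if this hash came from the report
    return {"hash_hits": sweep_hashes(root, iocs),
            "extensions": find_unpacked_extensions(root),
            "bhos": registered_bhos()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as `python ioc_sweep.py` for the constructed demo, or call `sweep_hashes(r"C:\Users")` and `registered_bhos()` from an elevated prompt on a suspect host; a CLSID whose `InprocServer32` resolves into a user-writable `%TEMP%` or `AppData` path is the finding to chase. Hash matching catches only byte-identical drops, so treat the extension-directory and BHO checks as the more durable signal.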