51b4e69183f3d02124f3314cc64a7869425f053d8021c74c12f21d7c2afe2163

Analysis

max time kernel
141s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Size

681KB
MD5

1a874e5ecd67dffab45e17e9b730daed
SHA1

8aa9f5d426428ec360229f4cb9f722388f0e535c
SHA256

51b4e69183f3d02124f3314cc64a7869425f053d8021c74c12f21d7c2afe2163
SHA512

0a20b6f3c3816c021d4e5c8e31e1dcf6aa41e511f834ea32a760163006e658acda71704306e0b902a27856ea10401e52bab6a0e44a63ec1db2349747b710ef49
SSDEEP

6144:Jn+EelAZ9fPaGwMILw+xotaLZ1u4IE9Kk/JPXoOgpqm1P:xe6TfPaGw/w+xoWW459KkpXoOz

Score

7^/10

collection discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

libcfg.exe

pid process

2936 libcfg.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2936	libcfg.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\W:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\R:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\L:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\J:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\O:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\P:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\Z:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\K:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\I:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\H:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\V:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\S:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\Y:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\E:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\U:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\T:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\Q:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\N:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\X:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\G:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\M:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

Processes:

1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\sqlapi.exe	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sqlapi.exe	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\libcfg.exe	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\libcfg.exe	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe

pid	process
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe

description	pid	process	target process
PID 1976 wrote to memory of 2936	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe	libcfg.exe
PID 1976 wrote to memory of 2936	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe	libcfg.exe
PID 1976 wrote to memory of 2936	1976	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe	libcfg.exe

outlook_win_path 1 IoCs

Processes:

1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:1976

C:\Windows\SysWOW64\libcfg.exe
C:\Windows\SysWOW64\libcfg.exe /combine local system
2⤵
- Executes dropped EXE
PID:2936

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cmspc.exe
Filesize
5KB

MD5
b59199877e0d68a5e93fc8ea76374ed1

SHA1
7803f160af428bcfb4b9ea2aba07886f232cde4e

SHA256
5b50e26a01b320f05d66727e9d220d5858cdac203ff62e4b9ced1cafc2683637

SHA512
9815ee218c7f737ef662f5fb44844ec17c6b9552e0432f2f8c60aded2fa19bb8157ec0839046ac387f604672137c417a98a8181440869316209a70a9d0e6a210

Download Submit
C:\Users\Public\Documents\ntuser{4CB43D7F-7EEE-4906-8698-FFFFFFFF80156501}.pol
Filesize
4B

MD5
c2034cd093335ba6a60f16a46465cb4f

SHA1
30ce69605bd949dcb546e5091f6592207411318b

SHA256
194e16917ba83662adf6538df875a7cf807bc19d04926c2a026a7eb629b29c79

SHA512
6d5e1dbab5f23ef07fe661c4004fd158b791796f63e68524c67cd569eb16e27ce6c1d2f91b279ccf10ca3144c55c5f14851796f6463d9b409f38b3b5e3f24742

Download Submit
C:\Windows\SysWOW64\libcfg.exe
Filesize
1.3MB

MD5
06788d388dd52a3a2b86040fa6a2ac4e

SHA1
a4bd112354242316d7c9e46cc6c3f5ff31bcc222

SHA256
a140e69a8058e2583fd884f771b5a175e15f3ae4b35eeef4759400035ea41d8c

SHA512
0e1491e6d92eba9b7b66b1c29adb8165f703780afbf1dc5c4c81f3a2da785a61abf64fe0ea80ed079eb74babc936e183f2d33340419bbb3bfcd112f322fad95f

Download Submit
memory/1976-0-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/1976-1-0x00000000025D0000-0x000000000262C000-memory.dmp

Filesize
368KB

Download
memory/1976-3-0x0000000000420000-0x0000000000440000-memory.dmp

Filesize
128KB

Download
memory/1976-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-21-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/1976-68-0x00000000025D0000-0x000000000262C000-memory.dmp

Filesize
368KB

Download
memory/1976-69-0x0000000000420000-0x0000000000440000-memory.dmp

Filesize
128KB

Download