0f9b427738584fc7f7614e83d4b4bd3ba20c51302b5f8ed8f3615e92de1cdf8e

General

Target

0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
Size

1.1MB
MD5

0fba87d3b94e1f90df22213f00d5ea7e
SHA1

15c7efa94dd69adcf53d54b743549ddb5193f129
SHA256

0f9b427738584fc7f7614e83d4b4bd3ba20c51302b5f8ed8f3615e92de1cdf8e
SHA512

dcfbdd6eacd9fe2490e237a62f9dbb1fada7d1418b711f30f8a1c42b116e634d6ca7e563d6cc213c02a3a04595b0d11d622008fd30d828a0ddb52035d41699b2
SSDEEP

24576:8uPmLDUMihIXCE59yc2Ag2JMH70vvAHzfw4Up6:8u+LIIX7+cFg2JMH70vvA84Up6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2828	Isass.exe
2532	Isass.exe
2720	Isass.exe
2748	Isass.exe

Loads dropped DLL 8 IoCs

pid	Process
2196	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
2196	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
2196	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
2196	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
2640	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
2640	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
2724	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
2724	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2196	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
2828	Isass.exe
2532	Isass.exe
2532	Isass.exe
2532	Isass.exe
2640	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
2720	Isass.exe
2720	Isass.exe
2720	Isass.exe
2724	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
2748	Isass.exe
2748	Isass.exe
2748	Isass.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2828	2196	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	28
PID 2196 wrote to memory of 2828	2196	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	28
PID 2196 wrote to memory of 2828	2196	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	28
PID 2196 wrote to memory of 2828	2196	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	28
PID 2196 wrote to memory of 2532	2196	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	29
PID 2196 wrote to memory of 2532	2196	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	29
PID 2196 wrote to memory of 2532	2196	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	29
PID 2196 wrote to memory of 2532	2196	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	29
PID 2532 wrote to memory of 2640	2532	Isass.exe	30
PID 2532 wrote to memory of 2640	2532	Isass.exe	30
PID 2532 wrote to memory of 2640	2532	Isass.exe	30
PID 2532 wrote to memory of 2640	2532	Isass.exe	30
PID 2640 wrote to memory of 2720	2640	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	31
PID 2640 wrote to memory of 2720	2640	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	31
PID 2640 wrote to memory of 2720	2640	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	31
PID 2640 wrote to memory of 2720	2640	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2724	2720	Isass.exe	32
PID 2720 wrote to memory of 2724	2720	Isass.exe	32
PID 2720 wrote to memory of 2724	2720	Isass.exe	32
PID 2720 wrote to memory of 2724	2720	Isass.exe	32
PID 2724 wrote to memory of 2748	2724	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	33
PID 2724 wrote to memory of 2748	2724	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	33
PID 2724 wrote to memory of 2748	2724	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	33
PID 2724 wrote to memory of 2748	2724	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2828
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe"
        5⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe

Filesize
523KB

MD5
0e59026a169fbebd4a88ff793c706b99

SHA1
b8334fc382ee174fe0b0f32f0bfbc5975e21e3c8

SHA256
7902034a4a3bf6a71063168b16f1b1a274b9c055a0304cd112581bab4e6cf4d7

SHA512
eb886659c48ec8cb8cb2ac5bccf9c2a7dc10530e8939282276bdd955d2756cc5fddcc155307d1487c571fd7aba79fc81e82c05dd206e097861aec51fedb7f9ae

Download Submit
\Users\Public\Microsoft Build\Isass.exe

Filesize
624KB

MD5
dae4bbef37deb0c26ec121430f81ee25

SHA1
df3be42781e6b3ccfdb2987114003076fc675a87

SHA256
8a5e9f6d5820622955ed70e5b88ab82ce3919cbf22d2178ac9232482c435e896

SHA512
b54cdf0814312609b5d7f6e69e3b2ddd7a7e4fddef1dd73a36e3d8a4ae3b3bfb6436699b2cc0b8f7efecfe2ea4295d548911f384402c65721e117828e8bc3c96

Download Submit
memory/2196-13-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2196-0-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2532-16-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2532-15-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2640-17-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2640-20-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2720-22-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2720-23-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2724-28-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2724-24-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2748-29-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2748-33-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2828-34-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2828-61-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2828-38-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2828-45-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2828-46-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2828-54-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2828-55-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2828-37-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2828-62-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2828-10-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2828-70-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2828-71-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2828-82-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2828-83-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2828-95-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads