0f9b427738584fc7f7614e83d4b4bd3ba20c51302b5f8ed8f3615e92de1cdf8e

General

Target

0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
Size

1.1MB
MD5

0fba87d3b94e1f90df22213f00d5ea7e
SHA1

15c7efa94dd69adcf53d54b743549ddb5193f129
SHA256

0f9b427738584fc7f7614e83d4b4bd3ba20c51302b5f8ed8f3615e92de1cdf8e
SHA512

dcfbdd6eacd9fe2490e237a62f9dbb1fada7d1418b711f30f8a1c42b116e634d6ca7e563d6cc213c02a3a04595b0d11d622008fd30d828a0ddb52035d41699b2
SSDEEP

24576:8uPmLDUMihIXCE59yc2Ag2JMH70vvAHzfw4Up6:8u+LIIX7+cFg2JMH70vvA84Up6

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe

Executes dropped EXE 3 IoCs

pid	Process
4548	Isass.exe
4892	Isass.exe
4508	Isass.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4280	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
4280	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
4548	Isass.exe
4548	Isass.exe
4892	Isass.exe
4892	Isass.exe
4892	Isass.exe
4892	Isass.exe
4892	Isass.exe
4892	Isass.exe
4168	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
4168	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
4508	Isass.exe
4508	Isass.exe
4508	Isass.exe
4508	Isass.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 4548	4280	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	86
PID 4280 wrote to memory of 4548	4280	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	86
PID 4280 wrote to memory of 4548	4280	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	86
PID 4280 wrote to memory of 4892	4280	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	89
PID 4280 wrote to memory of 4892	4280	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	89
PID 4280 wrote to memory of 4892	4280	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	89
PID 4892 wrote to memory of 4168	4892	Isass.exe	91
PID 4892 wrote to memory of 4168	4892	Isass.exe	91
PID 4892 wrote to memory of 4168	4892	Isass.exe	91
PID 4168 wrote to memory of 4508	4168	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	92
PID 4168 wrote to memory of 4508	4168	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	92
PID 4168 wrote to memory of 4508	4168	0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4548
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4168
  - - C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe

Filesize
523KB

MD5
0e59026a169fbebd4a88ff793c706b99

SHA1
b8334fc382ee174fe0b0f32f0bfbc5975e21e3c8

SHA256
7902034a4a3bf6a71063168b16f1b1a274b9c055a0304cd112581bab4e6cf4d7

SHA512
eb886659c48ec8cb8cb2ac5bccf9c2a7dc10530e8939282276bdd955d2756cc5fddcc155307d1487c571fd7aba79fc81e82c05dd206e097861aec51fedb7f9ae

Download Submit
C:\Users\Public\Microsoft Build\Isass.exe

Filesize
624KB

MD5
dae4bbef37deb0c26ec121430f81ee25

SHA1
df3be42781e6b3ccfdb2987114003076fc675a87

SHA256
8a5e9f6d5820622955ed70e5b88ab82ce3919cbf22d2178ac9232482c435e896

SHA512
b54cdf0814312609b5d7f6e69e3b2ddd7a7e4fddef1dd73a36e3d8a4ae3b3bfb6436699b2cc0b8f7efecfe2ea4295d548911f384402c65721e117828e8bc3c96

Download Submit
C:\odt\office2016setup.exe

Filesize
5.7MB

MD5
014b15f2c16747693bdd751526ab51a3

SHA1
caff72e62431c34b00aee3fe8c4a555209d5d05f

SHA256
eca6ce0b4dc84f56bbd904ee687909789ac3b0e033600a1ba0da484b5649c0b5

SHA512
2d445ec624d4a0c38a85037b19f00f1fd6ef9ecbfb2ce8e4c1d8a2fdcbc504578f595ac1ee709764ecec6a7c47acbbe0366a5877fe0b209f83796c87039145b7

Download Submit
memory/4168-10-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4168-12-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4280-0-0x0000000003E40000-0x0000000003E41000-memory.dmp

Filesize
4KB

Download
memory/4280-7-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4508-23-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4508-13-0x0000000003710000-0x0000000003711000-memory.dmp

Filesize
4KB

Download
memory/4548-42-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4548-60-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4548-24-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4548-27-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4548-31-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4548-82-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4548-35-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4548-36-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4548-41-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4548-5-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4548-51-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4548-52-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4548-59-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4548-73-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4548-72-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4892-9-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4892-8-0x0000000001A80000-0x0000000001A81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads