25e18661b8dea30aed85dcda9c01f40df5e02321020d59f795e91854b5e2b784

General

Target

e92f62838739f61ab5487e9af5eaf650_JaffaCakes118.exe
Size

1.3MB
MD5

e92f62838739f61ab5487e9af5eaf650
SHA1

cdf5529e2383db2fd900263fd7b58d42d76bf0e4
SHA256

25e18661b8dea30aed85dcda9c01f40df5e02321020d59f795e91854b5e2b784
SHA512

2edd7d4feeecf3119976c322977ef262568df9e0d639282b4aadc38fbff6d16b629b0b16c26e11e3889288ae183bc4a3277a410d9818261f4671a5bcb0daff68
SSDEEP

24576:/z85lu2NCnUosCbl+qbUmf4C2GX0sDzsLPp8BCfL/Uj3+:L85lu2N+UosCbDLeGzz08BCfLMD

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	e92f62838739f61ab5487e9af5eaf650_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
5100	BrowserPasswordDecryptor.exe
4968	Send.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4416	taskkill.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
792	PING.EXE
876	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5100	BrowserPasswordDecryptor.exe
Token: SeDebugPrivilege	4416	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5100	BrowserPasswordDecryptor.exe
5100	BrowserPasswordDecryptor.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 4444	3976	e92f62838739f61ab5487e9af5eaf650_JaffaCakes118.exe	94
PID 3976 wrote to memory of 4444	3976	e92f62838739f61ab5487e9af5eaf650_JaffaCakes118.exe	94
PID 3976 wrote to memory of 4444	3976	e92f62838739f61ab5487e9af5eaf650_JaffaCakes118.exe	94
PID 4444 wrote to memory of 5100	4444	cmd.exe	98
PID 4444 wrote to memory of 5100	4444	cmd.exe	98
PID 4444 wrote to memory of 5100	4444	cmd.exe	98
PID 4444 wrote to memory of 792	4444	cmd.exe	99
PID 4444 wrote to memory of 792	4444	cmd.exe	99
PID 4444 wrote to memory of 792	4444	cmd.exe	99
PID 4444 wrote to memory of 4968	4444	cmd.exe	107
PID 4444 wrote to memory of 4968	4444	cmd.exe	107
PID 4444 wrote to memory of 4968	4444	cmd.exe	107
PID 4444 wrote to memory of 876	4444	cmd.exe	108
PID 4444 wrote to memory of 876	4444	cmd.exe	108
PID 4444 wrote to memory of 876	4444	cmd.exe	108
PID 4444 wrote to memory of 4416	4444	cmd.exe	109
PID 4444 wrote to memory of 4416	4444	cmd.exe	109
PID 4444 wrote to memory of 4416	4444	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\e92f62838739f61ab5487e9af5eaf650_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e92f62838739f61ab5487e9af5eaf650_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\683F.tmp\LOL.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\BrowserPasswordDecryptor.exe
    BrowserPasswordDecryptor.exe /pass.txt
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5100
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 15 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:792
- - C:\Users\Admin\AppData\Local\Temp\Send.exe
    Send.exe
    3⤵
    - Executes dropped EXE
    PID:4968
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:876
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Send.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8
1⤵
PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\683F.tmp\LOL.bat

Filesize
211B

MD5
b2d5c2cc9fc90bb0532b8c349e780be7

SHA1
bcf6b39b77c2db34903f6a0a70919ddf7751ea7a

SHA256
81d05b3fec6a83eb0a6c79b7357cab3a50b05524174915616fad405c9af3c0bd

SHA512
b7cb2760ff9a15957ba465fb2c32f4e4b5069e6bb1824ff09fa0bb418fb6588a8e162b115ca1a0fd4c46a355a4695563acd0eaa3c06de5966f48631aec55e5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BrowserPasswordDecryptor.exe

Filesize
2.9MB

MD5
57c2ded922d5760c92bb16b012a3e3da

SHA1
d0000371dd89252605dc9cdce89cb23b7020674d

SHA256
cb5341eac0476a4c2b64a5fe6b8eb8c5b01b4de747524208c303aba6825aef1d

SHA512
eb50718d0ed5bc864680ef180804d413d8d0af03e95f9c01a3eb06d390b7c2c3d20a6423b2d144416ff3690a9fdb98a6f65192904d90e12a912f53d01bdbd6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Send.exe

Filesize
483KB

MD5
094473d12363c10aa862a421eea58afc

SHA1
2d5d3a70a8e7a93d52af8e82b934f47937a31a45

SHA256
6f78843f212e16ea0a8236b98c51b44d277ad2ee66e9a4f6a4becac0b0068ccd

SHA512
7e68a0cefed6589ca3b4368c8cc35f2141647c5a090530c8432059e6281414774775f0e8530700b946513cc4f1c729d59b8d4b08497c90c9595c3dc64f6e18c1

Download Submit
C:\pass.txt

Filesize
552B

MD5
018c76f717ce38df663f621515222ddf

SHA1
4049e18b63ef9366dfdca2b6d21a95b17e10c850

SHA256
355b9a6690917f6293639f5e66848c87a63305c56846230387c6210d97c330ff

SHA512
66bd892fd3f013183136965686267c3727daa08445c09f37affb5bea1e7591f20f3c2ff9de9d2e19db64a0726b855c894e930923491d548c2081721001355662

Download Submit
memory/3976-0-0x0000000000400000-0x0000000000790000-memory.dmp

Filesize
3.6MB

Download
memory/3976-1-0x0000000000400000-0x0000000000790000-memory.dmp

Filesize
3.6MB

Download
memory/3976-17-0x0000000000400000-0x0000000000790000-memory.dmp

Filesize
3.6MB

Download
memory/3976-24-0x0000000000400000-0x0000000000790000-memory.dmp

Filesize
3.6MB

Download
memory/4968-21-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/4968-22-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing