169e820ce83b74aa44f531763354fc30504dc12075371299acafd48ecfbbe59b

General

Target

ed4594190b0aca216f1251f337d970e8_JaffaCakes118.exe
Size

1.4MB
MD5

ed4594190b0aca216f1251f337d970e8
SHA1

b01db5076a7de62ccffc8702840ddd0d00afe8dd
SHA256

169e820ce83b74aa44f531763354fc30504dc12075371299acafd48ecfbbe59b
SHA512

f3bbd76cd798a778f3681493ad2f942bf5f79842c80a05381c3bb535c267ae03ad8697132dab10e97321ee9e5c7d8fe85a9e9a807656370382dddc346b648d1a
SSDEEP

24576:8uPmLDUMihIXCE5gpJE4VDd+ufFQ2V9GWXaxBDeOspRnMF+Hcx6ua:8u+LIIX7qJE4VBz+WX8WyF+H/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3032	Isass.exe
1304	Isass.exe
2660	ed4594190b0aca216f1251f337d970e8_JaffaCakes118.exe

Loads dropped DLL 8 IoCs

pid	Process
3000	ed4594190b0aca216f1251f337d970e8_JaffaCakes118.exe
3000	ed4594190b0aca216f1251f337d970e8_JaffaCakes118.exe
3000	ed4594190b0aca216f1251f337d970e8_JaffaCakes118.exe
3000	ed4594190b0aca216f1251f337d970e8_JaffaCakes118.exe
1304	Isass.exe
3032	Isass.exe
3032	Isass.exe
3032	Isass.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	ed4594190b0aca216f1251f337d970e8_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	ed4594190b0aca216f1251f337d970e8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3000	ed4594190b0aca216f1251f337d970e8_JaffaCakes118.exe
3032	Isass.exe
1304	Isass.exe
1304	Isass.exe
1304	Isass.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 3032	3000	ed4594190b0aca216f1251f337d970e8_JaffaCakes118.exe	28
PID 3000 wrote to memory of 3032	3000	ed4594190b0aca216f1251f337d970e8_JaffaCakes118.exe	28
PID 3000 wrote to memory of 3032	3000	ed4594190b0aca216f1251f337d970e8_JaffaCakes118.exe	28
PID 3000 wrote to memory of 3032	3000	ed4594190b0aca216f1251f337d970e8_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1304	3000	ed4594190b0aca216f1251f337d970e8_JaffaCakes118.exe	29
PID 3000 wrote to memory of 1304	3000	ed4594190b0aca216f1251f337d970e8_JaffaCakes118.exe	29
PID 3000 wrote to memory of 1304	3000	ed4594190b0aca216f1251f337d970e8_JaffaCakes118.exe	29
PID 3000 wrote to memory of 1304	3000	ed4594190b0aca216f1251f337d970e8_JaffaCakes118.exe	29
PID 1304 wrote to memory of 2660	1304	Isass.exe	30
PID 1304 wrote to memory of 2660	1304	Isass.exe	30
PID 1304 wrote to memory of 2660	1304	Isass.exe	30
PID 1304 wrote to memory of 2660	1304	Isass.exe	30

C:\Users\Admin\AppData\Local\Temp\ed4594190b0aca216f1251f337d970e8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed4594190b0aca216f1251f337d970e8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3032
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\ed4594190b0aca216f1251f337d970e8_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Users\Admin\AppData\Local\Temp\ed4594190b0aca216f1251f337d970e8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ed4594190b0aca216f1251f337d970e8_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ed4594190b0aca216f1251f337d970e8_JaffaCakes118.exe

Filesize
794KB

MD5
c6d0721e9156eb2a40a04bb38be0b2a5

SHA1
d0a3fcb3ad9f227a02d30abb767883b42fecc3a7

SHA256
2435e1e50c097608e6157efb1036946cfdd02d86728e8e00a02b207bee36e60d

SHA512
e254db10a7cffc4fe8c2d126dc4eb5029a84b2a931a67ad9ebfd04a8f3417e42a7dfb2e76d8911b2540bcf9eff9cbf92708b158dd8f53dbcbe7be51682ac3ad4

Download Submit
\Users\Public\Microsoft Build\Isass.exe

Filesize
624KB

MD5
2f9e640bff6546b2bd2d47d5ad5e13ed

SHA1
7c795427b4c73d1ca8b5ea6fb9d89cd3371bf136

SHA256
b1aec466454e516a17cebc84062e67b82ff92364488e37df8b4e7d2bab6563d4

SHA512
eef609e69ff10c8d7ede1439940d603079af2532b13222ee31beb85f149a8ee5b90deca24e16d23e5ec59524bfa2324ace0ab6f07e9a06e4c5074be7795c71c9

Download Submit
memory/1304-15-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1304-22-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3000-1-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/3000-13-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3032-37-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3032-47-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3032-29-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3032-30-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3032-10-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/3032-38-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3032-46-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3032-26-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3032-53-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3032-54-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3032-63-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3032-64-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3032-76-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3032-77-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3032-88-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads