1f1c8dfb60c39dd5bcba9492716ddb12e54945add41d152343138fa0fc4a1551

General

Target

f3ff94cf1192503f4e0e57f9e6fd48ed_JaffaCakes118.exe
Size

180KB
MD5

f3ff94cf1192503f4e0e57f9e6fd48ed
SHA1

7dcd385fc651621862a1903be6e75dcda3ccfce5
SHA256

1f1c8dfb60c39dd5bcba9492716ddb12e54945add41d152343138fa0fc4a1551
SHA512

842259699fae7e7cc004e042fb27fa4119b6b592fb4a5a078112784d065bd73a0fd9dd3be4315df0a56b28f5a8977e4af1515d7231784d00e6b483119e36b7dd
SSDEEP

3072:8EbShCZa0OSyHz94UK3SV6Irq77vE/ofldjvpX/rBbiMy:Hb5ZaiyHaUKikIrs7DlddzBbiMy

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	f3ff94cf1192503f4e0e57f9e6fd48ed_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2236-2-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2244-13-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2236-15-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2424-80-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2236-82-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2244-90-0x0000000000270000-0x0000000000370000-memory.dmp	upx
behavioral1/memory/2236-91-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2236-126-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2236-131-0x0000000000400000-0x0000000000470000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2244	2236	f3ff94cf1192503f4e0e57f9e6fd48ed_JaffaCakes118.exe	28
PID 2236 wrote to memory of 2244	2236	f3ff94cf1192503f4e0e57f9e6fd48ed_JaffaCakes118.exe	28
PID 2236 wrote to memory of 2244	2236	f3ff94cf1192503f4e0e57f9e6fd48ed_JaffaCakes118.exe	28
PID 2236 wrote to memory of 2244	2236	f3ff94cf1192503f4e0e57f9e6fd48ed_JaffaCakes118.exe	28
PID 2236 wrote to memory of 2424	2236	f3ff94cf1192503f4e0e57f9e6fd48ed_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2424	2236	f3ff94cf1192503f4e0e57f9e6fd48ed_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2424	2236	f3ff94cf1192503f4e0e57f9e6fd48ed_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2424	2236	f3ff94cf1192503f4e0e57f9e6fd48ed_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\f3ff94cf1192503f4e0e57f9e6fd48ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3ff94cf1192503f4e0e57f9e6fd48ed_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\f3ff94cf1192503f4e0e57f9e6fd48ed_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f3ff94cf1192503f4e0e57f9e6fd48ed_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2244
- C:\Users\Admin\AppData\Local\Temp\f3ff94cf1192503f4e0e57f9e6fd48ed_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f3ff94cf1192503f4e0e57f9e6fd48ed_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6AE7.051

Filesize
600B

MD5
183568e52fb5a2d9a88f17aaa43217d4

SHA1
62b18f45f7aae20e220f1a655dacd43b734a0a3d

SHA256
bc67fe0cb7559e1713a906f065bfcd026f5bdf21b85f155c96aee78d2ee538cd

SHA512
3b3b3df1003cff829666d9fb58ab86fe8a0daa401d41bdf1a1d6286f34166369962283e25af1118cd6e90f828bbaddb5a94dc1ea77acee20524520291718a62c

Download Submit
C:\Users\Admin\AppData\Roaming\6AE7.051

Filesize
996B

MD5
5d73a6dd4e40ad5f9284ebf729927c26

SHA1
eb472ca2bf9e5f774dcc56e54890b45fec90a352

SHA256
675a681323815d8729af6acb96fd7fd6b2bdc4b75d89e4a7bb8388c96c37474d

SHA512
7a3f952880c12b9f9df39cd260d3a0696134a2a6b94fcf0ef07529b9e0a9cf3211bc27a184b3fabb720fe9fb12893e13c4fabf39621ce12f1b45d7a5a4716bf9

Download Submit
C:\Users\Admin\AppData\Roaming\6AE7.051

Filesize
1KB

MD5
27fd70dea1d4e231837e16fb9837cb3c

SHA1
25c9da689f3ded3cc4296b61de0721a0cb8f8b96

SHA256
11022a09078f5f2a7dd207be3f00e78fd015494956e68e652187110139864739

SHA512
3f90367df4fe291920d3870fef77e76d67951bec33390c98d15a14c1d3bbd7d9189fc26e64c726b61a8c6449783a7dc71ea6f7f04618e264d33e3a5ec7a6cf40

Download Submit
memory/2236-3-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2236-131-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2236-126-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2236-15-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2236-91-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2236-2-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2236-82-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2236-83-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2244-90-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/2244-13-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2244-14-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/2424-81-0x0000000000630000-0x0000000000730000-memory.dmp

Filesize
1024KB

Download
memory/2424-80-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads