e00944f0f776f689f24f4940d5a676f6d5344bbe6775296af6e9b90945b4ba22

General

Target

f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe
Size

1.6MB
MD5

f43e01bdd7ffa5c1b023e9add7085a8b
SHA1

b279c4ceb6e62f5f01f0a033f2733771ed159223
SHA256

e00944f0f776f689f24f4940d5a676f6d5344bbe6775296af6e9b90945b4ba22
SHA512

cb6fe849f1a368d228c19f1704c5a55ce0ead415464b8850b00480629a218f1402cd71e56372f88562a1ccfa301d3fc0187c00cd10e383f6f7098ac88b6edd61
SSDEEP

49152:UMfm9EugiVrTvTW3+t3fXxsIKPq8fTsEri:UBqLwvhs5PrW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2772	cookieman.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1928	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe
1928	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe
2520	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe
2520	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2520	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2520	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2520	1928	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe	28
PID 1928 wrote to memory of 2520	1928	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe	28
PID 1928 wrote to memory of 2520	1928	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe	28
PID 1928 wrote to memory of 2520	1928	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe	28
PID 1928 wrote to memory of 2520	1928	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe	28
PID 1928 wrote to memory of 2520	1928	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe	28
PID 1928 wrote to memory of 2520	1928	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe" /wrapper /dir="C:\Users\Admin\AppData\Local\Temp\pkg_14e81200"
  2⤵
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- - C:\Users\Admin\AppData\LocalLow\cookieman.exe
    "C:\Users\Admin\AppData\LocalLow\cookieman.exe" /mode=read installiq.com
    3⤵
    - Executes dropped EXE
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\cookie.ini

Filesize
34B

MD5
3f4519b56cb1e006dfe4341e72112913

SHA1
0ff5675d359c898b6a6bdc1dff10f71097bc9927

SHA256
125adf4924899f2026436c0919853bb78b718c7cb6f2187148b01938b79388a2

SHA512
78c0961f0828f32032c643f0e6ab59d1ca8b96bb891a74b0b255e1a1a63a0c581f486e9e16b070399e6365d1fb53464eb2b723932480b41a2df5e9f1eb89ab40

Download Submit
C:\Users\Admin\AppData\LocalLow\cookieman.exe

Filesize
45KB

MD5
1da473a20bfe79339f2de6b912017446

SHA1
f6da0c6ec193c817ea8af19dad085d38a5eb5195

SHA256
71128235924a5197a04de1dea33bc732a8711a3919763ed814bad79482bb8291

SHA512
5b1f49fb8c07b7c3f42ee7cd0745b8b255c05f84ad1b895abdb6c89a2f842617f0a7ad40c42892e5eb1eae9fbef9b08dd6be3cd29100d45d322105581eba1426

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_14e81200\autorun.txt

Filesize
79B

MD5
6edd66b7e2edba93d32c5e905468f606

SHA1
8f5619b8bdb9697e9aab88d8bc7372667cdd70d1

SHA256
9a7d11e66934cf76fa796992ce4d67c823e46fc689a9425f928f16ed61b167b0

SHA512
4b7fcf2c2a9ab7941409882ffdcf3c5d07e1b30065cd5b2ee5bbdb45c67d59643d1289632f63cd937bb17af8f8cf13afa65275986d8d44407803793666246d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_14e81200\wrapper.xml

Filesize
766B

MD5
7df4b6db3fbbd712d68509779b2ed8fb

SHA1
45567d458538587b85ac1dc399d66e5a56e77238

SHA256
357da15a7e543cf183942d2e0e125d8814dd2bdb225ac5fe7d1fae0601b4473b

SHA512
6af8c86f81a07b5b7ea61bd11b64d3af1d92edddf80bd8ff28bd3d299cca86e8fc6007bb1c7be963715b439a16254136cba9aa9afb09ccca05eb111420c64c4f

Download Submit

Analysis

Sharing