6b40d28502a2b197934f8bfbbf30f9281b5d9f92acfadf3ce421a10e7d1f692c

General

Target

f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe
Size

354KB
MD5

f710a2d33d63a764233266d1956513c0
SHA1

b69fea2fd572b9726fd49c6e62c5b4c4a7c2d675
SHA256

6b40d28502a2b197934f8bfbbf30f9281b5d9f92acfadf3ce421a10e7d1f692c
SHA512

74f1c0f71cad9f4695f07c989d703efc3bd895a33a9e436e285d78a69e1b377b6c4c9c8e617b1d43f289766a48dbd54a862aa058d57e626fcfe909f574a12f73
SSDEEP

6144:wx3yO8R7r6mKkVrlBmUhruSHN+KTFHs0WcnGcDTuglLfJkhsmRi9wQ:wIOunPjBdCMN+KTps0FG0uglLfJQsmR

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\msiaxz32.dll	acprotect

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2460 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2460	rundll32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/652-0-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/652-1-0x0000000000400000-0x0000000000468000-memory.dmp	upx
C:\Windows\SysWOW64\msiaxz32.dll	upx
behavioral2/memory/2460-10-0x0000000010000000-0x0000000010087000-memory.dmp	upx
behavioral2/memory/2460-15-0x0000000010000000-0x0000000010087000-memory.dmp	upx
behavioral2/memory/2460-22-0x0000000010000000-0x0000000010087000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSIDLL = "C:\\Windows\\SysWOW64\\rundll32.exe msiaxz32.dll,EmYMsld"	f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

Processes:

f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\msiaxz32.dll	f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msiaxz32.dll	f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1784 652 WerFault.exe f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe

pid	pid_target	process	target process
1784	652	WerFault.exe	f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe

pid	process
652	f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe
652	f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe
652	f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe
652	f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe
652	f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe
652	f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe
652	f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe
652	f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

f710a2d33d63a764233266d1956513c0_JaffaCakes118.exerundll32.exe

description	pid	process	target process
PID 652 wrote to memory of 2460	652	f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe	rundll32.exe
PID 652 wrote to memory of 2460	652	f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe	rundll32.exe
PID 652 wrote to memory of 2460	652	f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe	rundll32.exe
PID 652 wrote to memory of 4392	652	f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe	msedge.exe
PID 652 wrote to memory of 4392	652	f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe	msedge.exe
PID 2460 wrote to memory of 4392	2460	rundll32.exe	msedge.exe
PID 2460 wrote to memory of 4392	2460	rundll32.exe	msedge.exe
PID 2460 wrote to memory of 4392	2460	rundll32.exe	msedge.exe
PID 2460 wrote to memory of 4392	2460	rundll32.exe	msedge.exe
PID 2460 wrote to memory of 4392	2460	rundll32.exe	msedge.exe
PID 2460 wrote to memory of 4392	2460	rundll32.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4124 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
2⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe msiaxz32.dll,EmYMsld
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 692
2⤵
- Program crash
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 652 -ip 652
1⤵
PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msiaxz32.dll
Filesize
176KB

MD5
ce7d70fee773b5060dfadae59ee44c50

SHA1
72d1b5169a317d379cefcf6dd81532b55c84d0ba

SHA256
819711654751fa54b36659d79214f4a1c43b7886b4e122f68c2133b4f4128dcf

SHA512
1fdb02fbf85a3c1e01b4406889736bbc02d776c46252c4db2606010209f7a4adf39344ace733c9ca5d06a188c8235350d1d0f68e3e818c1864ed883288b9da44

Download Submit
memory/652-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/652-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/652-2-0x00000000021B0000-0x000000000220A000-memory.dmp

Filesize
360KB

Download
memory/652-6-0x00000000028E0000-0x0000000002967000-memory.dmp

Filesize
540KB

Download
memory/652-5-0x00000000028E0000-0x0000000002967000-memory.dmp

Filesize
540KB

Download
memory/652-4-0x00000000028E0000-0x0000000002967000-memory.dmp

Filesize
540KB

Download
memory/652-14-0x00000000021B0000-0x000000000220A000-memory.dmp

Filesize
360KB

Download
memory/652-12-0x00000000028E0000-0x0000000002967000-memory.dmp

Filesize
540KB

Download
memory/2460-10-0x0000000010000000-0x0000000010087000-memory.dmp

Filesize
540KB

Download
memory/2460-15-0x0000000010000000-0x0000000010087000-memory.dmp

Filesize
540KB

Download
memory/2460-22-0x0000000010000000-0x0000000010087000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads