a6d2459e454472e4005e2ef23b943d90ab64e46ab0ca6e1735617059c60bfe00

General

Target

f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe
Size

4.2MB
MD5

f83a20f718d2b719452e9554e7bfd047
SHA1

2980fb923fe8609924194a6eacd701b7f9bcb373
SHA256

a6d2459e454472e4005e2ef23b943d90ab64e46ab0ca6e1735617059c60bfe00
SHA512

2ea6802430ff3c0de84556ad43e9f6a9062b9c9bd254e75efa1a547fb56807e0333a5fec7892d884206045c9db9880cd9df91ead4be373157ef153d03cd80745
SSDEEP

98304:/7zvc7Vd6JvVzBPeZH7V2dp03aGOSic+uDbysEhWNR+Yi9xOnBN9xrAHEn16zoCR:/7w7EreSNSPyAnBN9xl16zoCHOo

Score

9^/10

collection persistence spyware stealer upx

Malware Config

Signatures

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/2688-36-0x0000000000400000-0x000000000041D000-memory.dmp	MailPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4908-18-0x0000000000400000-0x0000000000416000-memory.dmp	Nirsoft
behavioral2/memory/748-24-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral2/memory/2232-30-0x0000000000400000-0x000000000041A000-memory.dmp	Nirsoft
behavioral2/memory/2688-36-0x0000000000400000-0x000000000041D000-memory.dmp	Nirsoft
behavioral2/memory/2584-42-0x0000000000400000-0x0000000000425000-memory.dmp	Nirsoft
behavioral2/memory/2112-47-0x0000000000400000-0x0000000000419000-memory.dmp	Nirsoft
C:\Windows\res\outlook.exe	Nirsoft

Executes dropped EXE 7 IoCs

Processes:

desktop.exefox.exeie.exemail.exemsn.exenet.exeoutlook.exe

pid process

4908 desktop.exe
748 fox.exe
2232 ie.exe
2688 mail.exe
2584 msn.exe
2112 net.exe
4484 outlook.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4908	desktop.exe
748	fox.exe
2232	ie.exe
2688	mail.exe
2584	msn.exe
2112	net.exe
4484	outlook.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1744-0-0x0000000000400000-0x0000000000CBA000-memory.dmp	upx
C:\Windows\res\desktop.exe	upx
behavioral2/memory/4908-16-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4908-18-0x0000000000400000-0x0000000000416000-memory.dmp	upx
C:\Windows\res\fox.exe	upx
behavioral2/memory/748-22-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/748-24-0x0000000000400000-0x0000000000418000-memory.dmp	upx
C:\Windows\res\ie.exe	upx
behavioral2/memory/2232-27-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2232-30-0x0000000000400000-0x000000000041A000-memory.dmp	upx
C:\Windows\res\mail.exe	upx
behavioral2/memory/2688-34-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2688-36-0x0000000000400000-0x000000000041D000-memory.dmp	upx
C:\Windows\res\msn.exe	upx
behavioral2/memory/2584-39-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/2584-42-0x0000000000400000-0x0000000000425000-memory.dmp	upx
C:\Windows\res\net.exe	upx
behavioral2/memory/2112-47-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/1744-48-0x0000000000400000-0x0000000000CBA000-memory.dmp	upx
behavioral2/memory/1744-54-0x0000000000400000-0x0000000000CBA000-memory.dmp	upx
behavioral2/memory/1744-56-0x0000000000400000-0x0000000000CBA000-memory.dmp	upx
behavioral2/memory/1744-57-0x0000000000400000-0x0000000000CBA000-memory.dmp	upx
behavioral2/memory/1744-58-0x0000000000400000-0x0000000000CBA000-memory.dmp	upx
behavioral2/memory/1744-59-0x0000000000400000-0x0000000000CBA000-memory.dmp	upx
behavioral2/memory/1744-60-0x0000000000400000-0x0000000000CBA000-memory.dmp	upx
behavioral2/memory/1744-61-0x0000000000400000-0x0000000000CBA000-memory.dmp	upx
behavioral2/memory/1744-62-0x0000000000400000-0x0000000000CBA000-memory.dmp	upx
behavioral2/memory/1744-63-0x0000000000400000-0x0000000000CBA000-memory.dmp	upx
behavioral2/memory/1744-64-0x0000000000400000-0x0000000000CBA000-memory.dmp	upx
behavioral2/memory/1744-65-0x0000000000400000-0x0000000000CBA000-memory.dmp	upx
behavioral2/memory/1744-66-0x0000000000400000-0x0000000000CBA000-memory.dmp	upx
behavioral2/memory/1744-67-0x0000000000400000-0x0000000000CBA000-memory.dmp	upx
behavioral2/memory/1744-68-0x0000000000400000-0x0000000000CBA000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

mail.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	mail.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\msnmsgr.exe"	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe

Drops file in Windows directory 17 IoCs

Processes:

outlook.exef83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exedesktop.exeie.exemail.exemsn.exefox.exenet.exe

description	ioc	process
File created	C:\WINDOWS\res\outlook.html	outlook.exe
File created	C:\WINDOWS\res\mail.exe	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe
File created	C:\WINDOWS\res\desktop.html	desktop.exe
File created	C:\WINDOWS\res\ie.html	ie.exe
File created	C:\WINDOWS\res\mail.html	mail.exe
File created	C:\WINDOWS\res\msn.html	msn.exe
File created	C:\WINDOWS\res\fox.html	fox.exe
File created	C:\WINDOWS\res\ie.exe	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe
File created	C:\WINDOWS\res\msn.exe	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe
File created	C:\WINDOWS\res\net.exe	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe
File created	C:\WINDOWS\msnmsgr.exe	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\msnmsgr.exe	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe
File created	C:\WINDOWS\usbb.txt	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe
File created	C:\WINDOWS\res\desktop.exe	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe
File created	C:\WINDOWS\res\fox.exe	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe
File created	C:\WINDOWS\res\outlook.exe	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe
File created	C:\WINDOWS\res\net.html	net.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msn.exe

pid process

2584 msn.exe
2584 msn.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe

pid process

1744 f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe

pid	process
2584	msn.exe
2584	msn.exe

pid	process
1744	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

ie.exemsn.exenet.exe

description	pid	process
Token: SeDebugPrivilege	2232	ie.exe
Token: SeRestorePrivilege	2232	ie.exe
Token: SeBackupPrivilege	2232	ie.exe
Token: SeDebugPrivilege	2584	msn.exe
Token: SeDebugPrivilege	2112	net.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe

description	pid	process	target process
PID 1744 wrote to memory of 4908	1744	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe	desktop.exe
PID 1744 wrote to memory of 4908	1744	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe	desktop.exe
PID 1744 wrote to memory of 4908	1744	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe	desktop.exe
PID 1744 wrote to memory of 748	1744	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe	fox.exe
PID 1744 wrote to memory of 748	1744	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe	fox.exe
PID 1744 wrote to memory of 748	1744	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe	fox.exe
PID 1744 wrote to memory of 2232	1744	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe	ie.exe
PID 1744 wrote to memory of 2232	1744	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe	ie.exe
PID 1744 wrote to memory of 2232	1744	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe	ie.exe
PID 1744 wrote to memory of 2688	1744	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe	mail.exe
PID 1744 wrote to memory of 2688	1744	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe	mail.exe
PID 1744 wrote to memory of 2688	1744	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe	mail.exe
PID 1744 wrote to memory of 2584	1744	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe	msn.exe
PID 1744 wrote to memory of 2584	1744	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe	msn.exe
PID 1744 wrote to memory of 2584	1744	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe	msn.exe
PID 1744 wrote to memory of 2112	1744	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe	net.exe
PID 1744 wrote to memory of 2112	1744	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe	net.exe
PID 1744 wrote to memory of 2112	1744	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe	net.exe
PID 1744 wrote to memory of 4484	1744	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe	outlook.exe
PID 1744 wrote to memory of 4484	1744	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe	outlook.exe
PID 1744 wrote to memory of 4484	1744	f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe	outlook.exe

C:\Users\Admin\AppData\Local\Temp\f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f83a20f718d2b719452e9554e7bfd047_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1744

C:\WINDOWS\res\desktop.exe
C:\WINDOWS\res\desktop.exe /shtml C:\WINDOWS\res\desktop.html
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4908

C:\WINDOWS\res\fox.exe
C:\WINDOWS\res\fox.exe /shtml C:\WINDOWS\res\fox.html
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:748

C:\WINDOWS\res\ie.exe
C:\WINDOWS\res\ie.exe /shtml C:\WINDOWS\res\ie.html
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\WINDOWS\res\mail.exe
C:\WINDOWS\res\mail.exe /shtml C:\WINDOWS\res\mail.html
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Drops file in Windows directory
PID:2688

C:\WINDOWS\res\msn.exe
C:\WINDOWS\res\msn.exe /shtml C:\WINDOWS\res\msn.html
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\WINDOWS\res\net.exe
C:\WINDOWS\res\net.exe /shtml C:\WINDOWS\res\net.html
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\WINDOWS\res\outlook.exe
C:\WINDOWS\res\outlook.exe /shtml C:\WINDOWS\res\outlook.html
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4484

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\res\desktop.exe
Filesize
32KB

MD5
f3ca95a762a4101a2cd5789190681a78

SHA1
cac61068382b93ee63dc06324e501ddc71ac65ef

SHA256
460fc0ae9b29b61d7a147b599eb02b70ea6a830df0f5cd16a317a95e466513c0

SHA512
d33d62c0f5b65bbfd55c6a4281bff60980f3e335c3a4ff802dd8ac92cc417785f3a3d82607dbfd542222ce40ff1a45c8c3c9ac46e3543cd4f5af94527dace2b5

Download Submit
C:\Windows\res\fox.exe
Filesize
36KB

MD5
824461ef7a4428414e80cf6a190f7da8

SHA1
64620436a853011f3d5c435c09a30e98a421861e

SHA256
4a21cfc6ac4924eb04ed112f3dc7dd20aac69c31c6765c541753b1088a490792

SHA512
47cc0cbbe6c2fe6518837dfa6bd6b783edc50744115976187c664741ca78ff3ded14cc492b8b4e0580b9adfb150fe92e8860334d579cf230cf133ee613275ebe

Download Submit
C:\Windows\res\ie.exe
Filesize
41KB

MD5
49333f7d3b73e3a1da1d78705cdcabaf

SHA1
0732866cfc27067d6b9cb396d56ee45f2415c5b6

SHA256
d524a4c880ef7e8bc294bd76e7c561fcc26728d0f6dab3d14c3d4e1f9e935688

SHA512
5a7bd6302667f88a098be298f96fb3b58df9f36387f0d6187e20df1c0fd28dadd03a61def7228fd37af17e03442d35431f9b887af2ca8ecc1bd42c554d464773

Download Submit
C:\Windows\res\mail.exe
Filesize
46KB

MD5
e2943d11cb273e988919319522c3ad50

SHA1
9eab03f451b5b83ae91d0c052cbb5c19e8976129

SHA256
03c620c30deea40eaff3f2a5e1905531640179202faecaa3e1e4095dfb14cfbf

SHA512
975b87c66df13e203ef4a22d772f59f1cc0191609aad503ddaaa0b18039e614592a0c36d7b90573ec6bf34e1bfdf840db81ba506d86a9cc997f3b2bf65016cda

Download Submit
C:\Windows\res\msn.exe
Filesize
62KB

MD5
cd5a98ad3d2890a9fc45c15b4f2cec01

SHA1
bc384b29bc644e6b1a63bb0c98b9920275143b09

SHA256
587998e0097719672cc20a6db12d71fc2b79f2aa7ac1e52089e3d9850e38e53b

SHA512
7d99bbcc4471cbebbf117f49f2b575a33c1f1d292e353e01d3441dc83c817cc240ec68821e5d4c8b4f37f782be11eeeec39dd2510951a1852776c557f6cb8e60

Download Submit
C:\Windows\res\net.exe
Filesize
39KB

MD5
634faad6c5f06dbb88a40cbe91f9cd10

SHA1
e41d2e0cc3f5b7dbea61c1c741db5fdf28443db7

SHA256
9767b5309b3c602797585c0c7b32560c1682114b2bc502ddfe0b4530cc67d110

SHA512
18863145afca6c140e8399109f43d0eb05e49a0ea705b6af6b8f4e6976d17cccc58672ffb6243dc9505782d8be5931db0ed55548774f910c368a9e850cb6eabe

Download Submit
C:\Windows\res\outlook.exe
Filesize
51KB

MD5
35861f4ea9a8ecb6c357bdb91b7df804

SHA1
836cb49c8d08d5e305ab8976f653b97f1edba245

SHA256
64788b6f74875aed53ca80669b06f407e132d7be49586925dbb3dcde56cbca9c

SHA512
0fdfe62c86c8601bb98991149eea51ddf91b812ad2c2d45e53aaf1f36a09d00aaf02fc3d183179cf5367fda09d6f62d36c0187da2dfa5e08df4c07cf634690be

Download Submit
memory/748-22-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/748-24-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1744-61-0x0000000000400000-0x0000000000CBA000-memory.dmp

Filesize
8.7MB

Download
memory/1744-56-0x0000000000400000-0x0000000000CBA000-memory.dmp

Filesize
8.7MB

Download
memory/1744-54-0x0000000000400000-0x0000000000CBA000-memory.dmp

Filesize
8.7MB

Download
memory/1744-2-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/1744-55-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/1744-68-0x0000000000400000-0x0000000000CBA000-memory.dmp

Filesize
8.7MB

Download
memory/1744-1-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/1744-67-0x0000000000400000-0x0000000000CBA000-memory.dmp

Filesize
8.7MB

Download
memory/1744-62-0x0000000000400000-0x0000000000CBA000-memory.dmp

Filesize
8.7MB

Download
memory/1744-0-0x0000000000400000-0x0000000000CBA000-memory.dmp

Filesize
8.7MB

Download
memory/1744-64-0x0000000000400000-0x0000000000CBA000-memory.dmp

Filesize
8.7MB

Download
memory/1744-63-0x0000000000400000-0x0000000000CBA000-memory.dmp

Filesize
8.7MB

Download
memory/1744-66-0x0000000000400000-0x0000000000CBA000-memory.dmp

Filesize
8.7MB

Download
memory/1744-53-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/1744-60-0x0000000000400000-0x0000000000CBA000-memory.dmp

Filesize
8.7MB

Download
memory/1744-65-0x0000000000400000-0x0000000000CBA000-memory.dmp

Filesize
8.7MB

Download
memory/1744-48-0x0000000000400000-0x0000000000CBA000-memory.dmp

Filesize
8.7MB

Download
memory/1744-57-0x0000000000400000-0x0000000000CBA000-memory.dmp

Filesize
8.7MB

Download
memory/1744-58-0x0000000000400000-0x0000000000CBA000-memory.dmp

Filesize
8.7MB

Download
memory/1744-59-0x0000000000400000-0x0000000000CBA000-memory.dmp

Filesize
8.7MB

Download
memory/2112-47-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2232-30-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2232-27-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2584-42-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2584-39-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2688-34-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2688-36-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4908-18-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4908-16-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads