939a78eb46838db8dedfb5a5fae5619cb7462093c12e9cb21e7f571d5e21dec0

General

Target

f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exe
Size

47KB
MD5

f87f80ac20692d98173fa85cff1d53d4
SHA1

d9b54a5cd4459f8624fd9ec3bd868ef0e7028741
SHA256

939a78eb46838db8dedfb5a5fae5619cb7462093c12e9cb21e7f571d5e21dec0
SHA512

143942407b35cbe63fef9c5392d98626747363e5c716cf6cfe04bcf9fb782c7d4de3ede985da5fa9b3b46f360739edf7a8b6f07b5098476de31a9cf464b53113
SSDEEP

768:aCbz5H3N6XTeWgGfBy2XrrLg9liGqv4lyPhSfXwfiAhIBbFVMn11xYvsft9L/x43:aizJN6XTtg+ByJjTNyPhSPwfi8mVMn1K

Score

8^/10

bootkit collection discovery persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

p.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\system = "C:\\Windows\\csrss.exe"	p.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exep.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	p.exe

Executes dropped EXE 3 IoCs

Processes:

p.exeloader.execsrss.exe

pid process

636 p.exe
976 loader.exe
2172 csrss.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
636	p.exe
976	loader.exe
2172	csrss.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

csrss.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

IEXPLORE.EXE

description ioc process

File opened for modification \??\PhysicalDrive0 IEXPLORE.EXE
Suspicious use of SetThreadContext 1 IoCs

Processes:

loader.exe

description pid process target process

PID 976 set thread context of 3236 976 loader.exe IEXPLORE.EXE
Drops file in Windows directory 2 IoCs

Processes:

p.exe

description ioc process

File created C:\Windows\csrss.exe p.exe
File opened for modification C:\Windows\csrss.exe p.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3412 3756 WerFault.exe f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

IEXPLORE.EXEcsrss.exe

pid process

3236 IEXPLORE.EXE
2172 csrss.exe
2172 csrss.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

p.exeloader.execsrss.exe

description pid process

Token: SeDebugPrivilege 636 p.exe
Token: SeIncBasePriorityPrivilege 976 loader.exe
Token: SeDebugPrivilege 2172 csrss.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	IEXPLORE.EXE

description	pid	process	target process
PID 976 set thread context of 3236	976	loader.exe	IEXPLORE.EXE

description	ioc	process
File created	C:\Windows\csrss.exe	p.exe
File opened for modification	C:\Windows\csrss.exe	p.exe

pid	pid_target	process	target process
3412	3756	WerFault.exe	f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exe

pid	process
3236	IEXPLORE.EXE
2172	csrss.exe
2172	csrss.exe

description	pid	process
Token: SeDebugPrivilege	636	p.exe
Token: SeIncBasePriorityPrivilege	976	loader.exe
Token: SeDebugPrivilege	2172	csrss.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exeloader.exep.exe

description	pid	process	target process
PID 3756 wrote to memory of 636	3756	f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exe	p.exe
PID 3756 wrote to memory of 636	3756	f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exe	p.exe
PID 3756 wrote to memory of 636	3756	f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exe	p.exe
PID 3756 wrote to memory of 976	3756	f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exe	loader.exe
PID 3756 wrote to memory of 976	3756	f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exe	loader.exe
PID 3756 wrote to memory of 976	3756	f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exe	loader.exe
PID 976 wrote to memory of 3236	976	loader.exe	IEXPLORE.EXE
PID 976 wrote to memory of 3236	976	loader.exe	IEXPLORE.EXE
PID 976 wrote to memory of 3236	976	loader.exe	IEXPLORE.EXE
PID 976 wrote to memory of 3236	976	loader.exe	IEXPLORE.EXE
PID 976 wrote to memory of 3236	976	loader.exe	IEXPLORE.EXE
PID 976 wrote to memory of 3236	976	loader.exe	IEXPLORE.EXE
PID 976 wrote to memory of 3236	976	loader.exe	IEXPLORE.EXE
PID 636 wrote to memory of 2172	636	p.exe	csrss.exe
PID 636 wrote to memory of 2172	636	p.exe	csrss.exe
PID 636 wrote to memory of 2172	636	p.exe	csrss.exe

outlook_win_path 1 IoCs

Processes:

csrss.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	csrss.exe

C:\Users\Admin\AppData\Local\Temp\f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 312
2⤵
- Program crash
PID:3412

C:\Users\Admin\AppData\Local\Temp\p.exe
"C:\Users\Admin\AppData\Local\Temp\p.exe"
2⤵
- Adds policy Run key to start application
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\csrss.exe
"C:\Windows\csrss.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:2172

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
3⤵
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3756 -ip 3756
1⤵
PID:1484

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\loader.exe
Filesize
20KB

MD5
0c51a7748182b38afac4ab62fe5ec976

SHA1
4258245c92f0edfd7fd8273ec22d5cc9356a77d6

SHA256
386a4f3d9b849ed1fa2cbba640b428ba06ac65f7bc3c93ae9f0a6878113bd813

SHA512
188422f1366ea32b6dc30a3e63a46fffd5349a9786e50b6fddc299621d38b13b7582a703668b6591b3ef0caeef5e6525adb5728c27002a727d3667ef8fe54136

Download Submit
C:\Users\Admin\AppData\Local\Temp\p.exe
Filesize
28KB

MD5
36c64a8b824970bbd991986f81fa8718

SHA1
ae05cb686c3a1d79ff2e7a231b0e89befe527559

SHA256
5ebf226334f2035d115db37664e25b075cbe00badf8090dac2a49b0714bde733

SHA512
d1ca9364bc7e1cc4ef466da44f8213fb0f541635c5c4d3d0afb82fe4bea17d4ffff5efe5a198d8b818c632b35fd8e56beba14ddc24b89d8a9ff6a4ee214abc78

Download Submit
memory/636-17-0x0000000013140000-0x0000000013188000-memory.dmp

Filesize
288KB

Download
memory/636-29-0x0000000013140000-0x0000000013188000-memory.dmp

Filesize
288KB

Download
memory/976-16-0x0000000014140000-0x0000000014149000-memory.dmp

Filesize
36KB

Download
memory/976-18-0x0000000014140000-0x0000000014149000-memory.dmp

Filesize
36KB

Download
memory/2172-30-0x0000000013140000-0x0000000013188000-memory.dmp

Filesize
288KB

Download
memory/2172-31-0x0000000013140000-0x0000000013188000-memory.dmp

Filesize
288KB

Download
memory/3236-19-0x0000000013140000-0x00000000131E8000-memory.dmp

Filesize
672KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads