cb8e12b2397aedf0cfcb13b4ecd67bfd5c90b6255d95e2ec0b09eb13ab4e442d

General

Target

f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe
Size

57KB
MD5

f8bc15e2615d9e8785b01a43238a0d49
SHA1

bdb1ee853c42ce148615260da62e9e9a98d3b032
SHA256

cb8e12b2397aedf0cfcb13b4ecd67bfd5c90b6255d95e2ec0b09eb13ab4e442d
SHA512

005d3337b3fa43296eca49ea026273e2ccb98c5370b5d245573e157d2803c1e69683424c7a28725a1a663857c237811d806b8a621c64e51da13a34c9b98cf6a3
SSDEEP

384:RqDpIP+1N7OYRt5lvpW3ZW9lbQn86NQsImrIX/Gvj/8RXSp3giIaidm0w0gZyuEf:0D9xXxaZ0Qn86IdJRXTiIaqhXsyvR58c

Score

7^/10

collection discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

pinch.exe

pid process

3028 pinch.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3028	pinch.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

pinch.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	pinch.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1420 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pinch.exe

pid process

3028 pinch.exe
3028 pinch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

pinch.exe

description pid process

Token: SeDebugPrivilege 3028 pinch.exe

pid	process
3028	pinch.exe
3028	pinch.exe

description	pid	process
Token: SeDebugPrivilege	3028	pinch.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
1420	EXCEL.EXE
1420	EXCEL.EXE
1420	EXCEL.EXE
1420	EXCEL.EXE
1420	EXCEL.EXE
1420	EXCEL.EXE
1420	EXCEL.EXE
1420	EXCEL.EXE
1420	EXCEL.EXE
1420	EXCEL.EXE
1420	EXCEL.EXE
1420	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe

description	pid	process	target process
PID 4088 wrote to memory of 3028	4088	f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe	pinch.exe
PID 4088 wrote to memory of 3028	4088	f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe	pinch.exe
PID 4088 wrote to memory of 3028	4088	f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe	pinch.exe
PID 4088 wrote to memory of 1420	4088	f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe	EXCEL.EXE
PID 4088 wrote to memory of 1420	4088	f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe	EXCEL.EXE
PID 4088 wrote to memory of 1420	4088	f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe	EXCEL.EXE

outlook_win_path 1 IoCs

Processes:

pinch.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	pinch.exe

C:\Users\Admin\AppData\Local\Temp\f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4088

C:\Users\Admin\AppData\Local\Temp\pinch.exe
"C:\Users\Admin\AppData\Local\Temp\pinch.exe"
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:3028

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Ëèñò Microsoft Excel.xls"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1420

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pinch.exe
Filesize
41KB

MD5
7f5ca412e9c0caf59902d688dc704235

SHA1
dc694b2f0c2dd1c5bedea00917b33b766c284557

SHA256
298019397fca6fa9f0a99f6fce4f39fe09bd79cf28707f3cc06919027363109a

SHA512
eb317ee1c7f35362c98b13af9c5e9a917346639402d5cbb1ffd426cde2542c3d12aee0b10afd519edc5f9ac9d32518dbed7e656d02c236460b181a0549115c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ëèñò Microsoft Excel.xls
Filesize
13KB

MD5
94d719398e11c54aec1c3c3ea92a9b1e

SHA1
5152fca344859c791abaa1a09429b6bca3b2ff69

SHA256
a4102aab02b7e7b306f318fb59e335ab5592a15501a36a23952088b856a299c7

SHA512
f5aae4ef64d46d35a53bcab37f1772c7caef2c339d4ecd958e676373c18d19e5aecf3dc2b0d6f3d58d19e686918a09e95ea966324da1c0e9190e4a5170d33faa

Download Submit
memory/1420-27-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1420-17-0x00007FF8EAF70000-0x00007FF8EAF80000-memory.dmp

Filesize
64KB

Download
memory/1420-28-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1420-18-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1420-19-0x00007FF8EAF70000-0x00007FF8EAF80000-memory.dmp

Filesize
64KB

Download
memory/1420-15-0x00007FF8EAF70000-0x00007FF8EAF80000-memory.dmp

Filesize
64KB

Download
memory/1420-14-0x00007FF8EAF70000-0x00007FF8EAF80000-memory.dmp

Filesize
64KB

Download
memory/1420-20-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1420-22-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1420-21-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1420-23-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1420-24-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1420-25-0x00007FF8E86A0000-0x00007FF8E86B0000-memory.dmp

Filesize
64KB

Download
memory/1420-26-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1420-68-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1420-16-0x00007FF8EAF70000-0x00007FF8EAF80000-memory.dmp

Filesize
64KB

Download
memory/1420-29-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1420-30-0x00007FF8E86A0000-0x00007FF8E86B0000-memory.dmp

Filesize
64KB

Download
memory/1420-31-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1420-32-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1420-33-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1420-35-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1420-36-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1420-34-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1420-49-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1420-65-0x00007FF8EAF70000-0x00007FF8EAF80000-memory.dmp

Filesize
64KB

Download
memory/1420-64-0x00007FF8EAF70000-0x00007FF8EAF80000-memory.dmp

Filesize
64KB

Download
memory/1420-66-0x00007FF8EAF70000-0x00007FF8EAF80000-memory.dmp

Filesize
64KB

Download
memory/1420-67-0x00007FF8EAF70000-0x00007FF8EAF80000-memory.dmp

Filesize
64KB

Download
memory/3028-9-0x0000000013140000-0x0000000013178000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads