26d1c17627cace8b1de05fa5c542e5934ee8f79c12235048a5a865174c50b229

General

Target

fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe
Size

32KB
MD5

fb7f311c724b5634fbff8893c90caa7e
SHA1

b699d65d4d6cc19832bd277d8eb824b5c454c9a9
SHA256

26d1c17627cace8b1de05fa5c542e5934ee8f79c12235048a5a865174c50b229
SHA512

6f4bfd1e458e1c8fa48bd7620440aab9e3cbfe2d356c38c123b973b7408485b9afaebe0961c70de607fda456f72a3c79e941270216964b4b43ae292908855e12
SSDEEP

768:JGCFhVReQmX4OzZWXl9oII879e8xtZbKKEw/+3fb:JTHReTXXzsXl9gQDZOVfb

Score

8^/10

evasion spyware stealer upx

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
2672	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2672	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2196-0-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2196-3-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2196-10-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\YUmidimap.dll	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\midimap.dll	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sysapp7.dll	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YUksuser.dll	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\YUksuser.dll	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ksuser.dll	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\ksuser.dll	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2520	sc.exe
2236	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2196	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe
2196	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe
2196	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2196	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 3000	2196	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe	28
PID 2196 wrote to memory of 3000	2196	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe	28
PID 2196 wrote to memory of 3000	2196	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe	28
PID 2196 wrote to memory of 3000	2196	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe	28
PID 2196 wrote to memory of 2236	2196	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe	29
PID 2196 wrote to memory of 2236	2196	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe	29
PID 2196 wrote to memory of 2236	2196	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe	29
PID 2196 wrote to memory of 2236	2196	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe	29
PID 2196 wrote to memory of 2520	2196	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe	31
PID 2196 wrote to memory of 2520	2196	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe	31
PID 2196 wrote to memory of 2520	2196	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe	31
PID 2196 wrote to memory of 2520	2196	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe	31
PID 2196 wrote to memory of 2672	2196	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe	34
PID 2196 wrote to memory of 2672	2196	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe	34
PID 2196 wrote to memory of 2672	2196	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe	34
PID 2196 wrote to memory of 2672	2196	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe	34
PID 2196 wrote to memory of 2672	2196	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe	34
PID 2196 wrote to memory of 2672	2196	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe	34
PID 2196 wrote to memory of 2672	2196	fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe	34
PID 3000 wrote to memory of 2556	3000	net.exe	35
PID 3000 wrote to memory of 2556	3000	net.exe	35
PID 3000 wrote to memory of 2556	3000	net.exe	35
PID 3000 wrote to memory of 2556	3000	net.exe	35

C:\Users\Admin\AppData\Local\Temp\fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb7f311c724b5634fbff8893c90caa7e_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    PID:2556
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2236
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  PID:2520
- C:\Windows\SysWOW64\rundll32.exe
  C:\Users\Admin\AppData\Local\Temp\1713572468.dat, ServerMain c:\users\admin\appdata\local\temp\fb7f311c724b5634fbff8893c90caa7e_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1713572468.dat

Filesize
32KB

MD5
bd366762fae14dd66b4b7411f2b76332

SHA1
8d8b8976bbbad894e5372d40f091b12b42791ce8

SHA256
b5ca4eba65d4b2fab9007099089d20aca2387b615a2caeefa5ed1b5992ed9d26

SHA512
6a27dfe42ab0401d58fdb84ab6dd747031f518c8f313c98996d3fdc2a88567586d213c890ae88ea1efcddd6b9016da089b48a528d498b69cdad93845ac0e852d

Download Submit
memory/2196-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2196-3-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2196-10-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing