85f7a009f0f9e0d9bf057edc24bf584eb08349cec1818588d3a61106dbd2ab99

General

Target

06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe
Size

2.6MB
MD5

06332c76bab3c4b5b15158f41f92b3b8
SHA1

8d837c4126ee98e94c5664d4f17bfe69389da8a5
SHA256

85f7a009f0f9e0d9bf057edc24bf584eb08349cec1818588d3a61106dbd2ab99
SHA512

846451df9130c85168e4e0d057a92b74bd025e77536734ce828d1a3ee6d68b3f488ea2c318eccb32a917d47b5157d155e229ea8a238bf495017a59f545614a0f
SSDEEP

49152:Pmxak0hQbAzDlk5G/xYmBvclEJZPIZwjnHTow5OiW8CtQw8j+DdT9jOotbgJSr3n:+k5GbA9hv8EJdboH3mml6iqN

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

ba21e.exeba21e.exe

pid process

4544 ba21e.exe
3848 ba21e.exe
Loads dropped DLL 3 IoCs

Processes:

06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exeba21e.exeba21e.exe

pid process

2400 06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe
4544 ba21e.exe
3848 ba21e.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4544	ba21e.exe
3848	ba21e.exe

Drops file in System32 directory 4 IoCs

Processes:

ba21e.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	ba21e.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	ba21e.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	ba21e.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	ba21e.exe

Drops file in Program Files directory 4 IoCs

Processes:

ba21e.exe06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\SmartData\cd.dll	ba21e.exe
File created	C:\Program Files (x86)\SmartData\performer.exe	ba21e.exe
File opened for modification	C:\Program Files (x86)\SmartData\performer.exe	ba21e.exe
File created	C:\Program Files (x86)\SmartData\ba21e.exe	06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Bios	06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

ba21e.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ba21e.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ba21e.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ba21e.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ba21e.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ba21e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	ba21e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	ba21e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	ba21e.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exeba21e.exe

pid	process
2400	06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe
2400	06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe
2400	06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe
2400	06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe
2400	06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe
2400	06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe
2400	06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe
2400	06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe
2400	06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe
2400	06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe
2400	06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe
2400	06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe
3848	ba21e.exe
3848	ba21e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ba21e.exe

description pid process

Token: SeTcbPrivilege 3848 ba21e.exe

description	pid	process
Token: SeTcbPrivilege	3848	ba21e.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 2400 wrote to memory of 712	2400	06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe	cmd.exe
PID 2400 wrote to memory of 712	2400	06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe	cmd.exe
PID 2400 wrote to memory of 712	2400	06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe	cmd.exe
PID 712 wrote to memory of 4252	712	cmd.exe	choice.exe
PID 712 wrote to memory of 4252	712	cmd.exe	choice.exe
PID 712 wrote to memory of 4252	712	cmd.exe	choice.exe
PID 712 wrote to memory of 4544	712	cmd.exe	ba21e.exe
PID 712 wrote to memory of 4544	712	cmd.exe	ba21e.exe
PID 712 wrote to memory of 4544	712	cmd.exe	ba21e.exe

C:\Users\Admin\AppData\Local\Temp\06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /S /C choice /C Y /N /D Y /T 3 & "C:\Program Files (x86)\SmartData\ba21e.exe" /start
2⤵
- Suspicious use of WriteProcessMemory
PID:712

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:4252

C:\Program Files (x86)\SmartData\ba21e.exe
"C:\Program Files (x86)\SmartData\ba21e.exe" /start
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4544

C:\Program Files (x86)\SmartData\ba21e.exe
"C:\Program Files (x86)\SmartData\ba21e.exe" /srv
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3848

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SmartData\ba21e.exe
Filesize
2.6MB

MD5
06332c76bab3c4b5b15158f41f92b3b8

SHA1
8d837c4126ee98e94c5664d4f17bfe69389da8a5

SHA256
85f7a009f0f9e0d9bf057edc24bf584eb08349cec1818588d3a61106dbd2ab99

SHA512
846451df9130c85168e4e0d057a92b74bd025e77536734ce828d1a3ee6d68b3f488ea2c318eccb32a917d47b5157d155e229ea8a238bf495017a59f545614a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd.dll
Filesize
692KB

MD5
8b9e960ba4971deedbc8f141ea20e58c

SHA1
194307d3493b723dde50ee65a069bf702353b3dd

SHA256
fb637cf304db7a39a7474cf222789fc9560a69334ec1871accfb476790975e4e

SHA512
9b2fafffb40db5fdef41fe77c3b9424ae8d54c2258a526b7abd013d4058388a41397ceb7d5621e60991771908385b6b9228a31a7369c60a17e48e234685e4ada

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads