0e5cb83def6333b13ab36fcf301145537f565800e768aaa5c40c2378b27ec5da

General

Target

043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe
Size

437KB
MD5

043eaede991f0babf38e2e17937e4e99
SHA1

3308775eebfae7d12cce6f7154c5add1217c13d4
SHA256

0e5cb83def6333b13ab36fcf301145537f565800e768aaa5c40c2378b27ec5da
SHA512

2be4062e9519978bf82d2b36934b6d6e9e2971741827acae56c2dbb708220f0f685423fc0c3f150fd4eda8128348f0640ce6a58f9140713168947e177b8c1685
SSDEEP

6144:O2qVEWmw4UhfrXi2jyLhxT5Ahv4go96AO2wZTOfmu4pilruhQfEQLOp8/Oe113ea:dqVHmw4Uh2ayHx9mTOfColruOf5jOe1H

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

043eaede991f0babf38e2e17937e4e99_JaffaCakes118.execom3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	com3.exe

Drops startup file 1 IoCs

Processes:

SearchHelper.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareIt Service.exe SearchHelper.exe
Executes dropped EXE 4 IoCs

Processes:

SearchHelper.execom3.exeSearchHelper.execom3.exe

pid process

4468 SearchHelper.exe
3972 com3.exe
3392 SearchHelper.exe
3952 com3.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareIt Service.exe	SearchHelper.exe

pid	process
4468	SearchHelper.exe
3972	com3.exe
3392	SearchHelper.exe
3952	com3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.execom3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel GPU = "F:\\Program Files\\Intel GPU\\GfxUI.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Search Helper = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Search\\SearchHelper.exe"	com3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4440 reg.exe

pid	process
4440	reg.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exeSearchHelper.execom3.exe043eaede991f0babf38e2e17937e4e99_JaffaCakes118.execom3.exeSearchHelper.exe

pid	process
4640	043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe
4640	043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe
4468	SearchHelper.exe
4468	SearchHelper.exe
3972	com3.exe
3972	com3.exe
4504	043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe
4504	043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe
3952	com3.exe
3952	com3.exe
3392	SearchHelper.exe
3392	SearchHelper.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SearchHelper.exe

description pid process

Token: SeDebugPrivilege 4468 SearchHelper.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SearchHelper.exe

pid process

4468 SearchHelper.exe

description	pid	process
Token: SeDebugPrivilege	4468	SearchHelper.exe

pid	process
4468	SearchHelper.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe043eaede991f0babf38e2e17937e4e99_JaffaCakes118.execom3.exe

description	pid	process	target process
PID 4640 wrote to memory of 4468	4640	043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe	SearchHelper.exe
PID 4640 wrote to memory of 4468	4640	043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe	SearchHelper.exe
PID 4640 wrote to memory of 4468	4640	043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe	SearchHelper.exe
PID 4640 wrote to memory of 3972	4640	043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe	com3.exe
PID 4640 wrote to memory of 3972	4640	043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe	com3.exe
PID 4640 wrote to memory of 3972	4640	043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe	com3.exe
PID 4640 wrote to memory of 4504	4640	043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe	043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe
PID 4640 wrote to memory of 4504	4640	043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe	043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe
PID 4640 wrote to memory of 4504	4640	043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe	043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe
PID 4504 wrote to memory of 3392	4504	043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe	SearchHelper.exe
PID 4504 wrote to memory of 3392	4504	043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe	SearchHelper.exe
PID 4504 wrote to memory of 3392	4504	043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe	SearchHelper.exe
PID 4504 wrote to memory of 3952	4504	043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe	com3.exe
PID 4504 wrote to memory of 3952	4504	043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe	com3.exe
PID 4504 wrote to memory of 3952	4504	043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe	com3.exe
PID 3972 wrote to memory of 4440	3972	com3.exe	reg.exe
PID 3972 wrote to memory of 4440	3972	com3.exe	reg.exe
PID 3972 wrote to memory of 4440	3972	com3.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4640

C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4468

C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
"\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v "Intel GPU" /d "F:\Program Files\Intel GPU\GfxUI.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4440

C:\Users\Admin\AppData\Local\Temp\043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe" silent pause
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4504

C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3392

C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
"\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
Filesize
440KB

MD5
9dedf0ec45da5b76026b0a8aa9e7f7bd

SHA1
25742fa3d06b057b2c1ca25adb139c6e9b067d37

SHA256
38a8a29b971a732130123de99c0333347522e673d2b39a5d37c8f424046545e8

SHA512
68fd8a18418ec9ba6186e598a20ea9316f30ff151d959c6e8720810609bc3c8a8f74c1a1f146b54261cdc33a6556860f3874789fa1f09113de42572bc41cd32e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
Filesize
440KB

MD5
2d181055c7420b001cfe8fe597f1ee2b

SHA1
11d2752e9e38561470e7b5d33f567f589ca81bdb

SHA256
52ad4e90bbf94f034141ff1ad6574866f6c55f66b0a6e69735f0a8aae45fad43

SHA512
482aae8475159ffbea638f731a3b1f32647afa60166e15b7163d573d079c55bf7af719ae71ccc373d5294afe120604e0d50c19ea5eee0e13a71b15f169ddab5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\persist.dat
Filesize
10B

MD5
bc62f40c0a6a4929df7e775e738a416e

SHA1
0643661f9e0858f4d77e2b831fab91573a081930

SHA256
ef766d89e40b511b7bbea6fe8997fd635daf8ee90d64b3918a186b2a9b087fc4

SHA512
376389145c35b22d0f46a3e6b79bf9a9fb5c30f6492e790b03f1006da12fee025bcce9f444d650f9671e0085e3a0e4c04cefa3a8938d81511231be66d9c76642

Download Submit
memory/3392-66-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/3392-77-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3952-56-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/3952-76-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4468-16-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/4468-78-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4504-45-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/4640-0-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/4640-43-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads