b6c5f7effcf88f4732d3761f46ac3c1b087f8feb1651ba26a5cd446f7f88dddf

General

Target

04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
Size

403KB
MD5

04f9ef26b34ec6b27f96fb86f604d5f5
SHA1

d52f862ac4b61833800c29a4b9c5ab45c158864b
SHA256

b6c5f7effcf88f4732d3761f46ac3c1b087f8feb1651ba26a5cd446f7f88dddf
SHA512

b10b992b3e6336b6a9ce20ac8046ddc63ea8f3ecdf448915171b2233a884125dc3415ca873437c5eec8b0dd247258069f8869030f04fe552590e34690faf618f
SSDEEP

6144:46PVn1IxOksTZAQ7vOQFAq+vdA34F53W3iUKaah:4Grkin79AqydA65BUKaa

Score

7^/10

collection spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\null.url	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe

description pid process target process

PID 2288 set thread context of 2672 2288 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exeRegAsm.exe

pid process

2288 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
2288 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
2672 RegAsm.exe
2672 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 2288 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
Token: SeDebugPrivilege 2672 RegAsm.exe

flow	ioc
2	checkip.dyndns.org

description	pid	process	target process
PID 2288 set thread context of 2672	2288	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	RegAsm.exe

pid	process
2288	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
2288	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
2672	RegAsm.exe
2672	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2288	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
Token: SeDebugPrivilege	2672	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.execsc.exe

description	pid	process	target process
PID 2288 wrote to memory of 2828	2288	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	csc.exe
PID 2288 wrote to memory of 2828	2288	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	csc.exe
PID 2288 wrote to memory of 2828	2288	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	csc.exe
PID 2288 wrote to memory of 2828	2288	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	csc.exe
PID 2828 wrote to memory of 2476	2828	csc.exe	cvtres.exe
PID 2828 wrote to memory of 2476	2828	csc.exe	cvtres.exe
PID 2828 wrote to memory of 2476	2828	csc.exe	cvtres.exe
PID 2828 wrote to memory of 2476	2828	csc.exe	cvtres.exe
PID 2288 wrote to memory of 2672	2288	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	RegAsm.exe
PID 2288 wrote to memory of 2672	2288	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	RegAsm.exe
PID 2288 wrote to memory of 2672	2288	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	RegAsm.exe
PID 2288 wrote to memory of 2672	2288	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	RegAsm.exe
PID 2288 wrote to memory of 2672	2288	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	RegAsm.exe
PID 2288 wrote to memory of 2672	2288	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	RegAsm.exe
PID 2288 wrote to memory of 2672	2288	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	RegAsm.exe
PID 2288 wrote to memory of 2672	2288	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	RegAsm.exe
PID 2288 wrote to memory of 2672	2288	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	RegAsm.exe
PID 2288 wrote to memory of 2672	2288	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	RegAsm.exe
PID 2288 wrote to memory of 2672	2288	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	RegAsm.exe
PID 2288 wrote to memory of 2672	2288	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ml5omzl4\ml5omzl4.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES619.tmp" "c:\Users\Admin\AppData\Local\Temp\ml5omzl4\CSCFAFA71BD88F24CB6B47AFD25852D47A7.TMP"
3⤵
PID:2476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2672

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES619.tmp
Filesize
1KB

MD5
564d3175c90fd3e8bccc288e4652b8fb

SHA1
bac52c16374b7a47df9addf3bc729915207d6d82

SHA256
1fe3d0fd5cc7f2bf6167b1a835840e204de0723750b6a61f34013db8f2c81715

SHA512
b70805353305cc476432d5470c00052369efe8398c7c14725a55ae6e2b56f39a8be2a844e043c019df7c0e0d8c99bacd7ffbb371fe0fb96e6eb807b81f93eadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ml5omzl4\ml5omzl4.dll
Filesize
8KB

MD5
66b7cb0564c58d4ac66aac8c2a9e7477

SHA1
603d3e7d96fefce58a32477bde1db36bd10d4f53

SHA256
d1d7e19f06ae54b1675fb2004c00df84bbbdcdeec7356da3bb7a96082894c49d

SHA512
f7629218cd6c3c6b9874b79bc1a3d85d33c4e9592cecd77190daf3f2b1c4842193409eec7262f8e5f02f8d7379a22ef12807dbadce2304fc0a192e56998d8b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ml5omzl4\ml5omzl4.pdb
Filesize
21KB

MD5
28a150d41d0d5cc7761cac40e55a7a33

SHA1
50c054c0d21d3337affb987e9afb49b0a248e48c

SHA256
74ee2cd42714859a23a56e1420279a39b1479d534d0a1bda97ab409ce3f2b30d

SHA512
7d4d2724b1d73a355a3020d283fa8049e78b41c45e12efcebe11aebfb7c9e1be5372884aea07c5c95c83066265040a9bd825c1fe8e6ead19f03cab6d8d5ad48c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ml5omzl4\CSCFAFA71BD88F24CB6B47AFD25852D47A7.TMP
Filesize
1KB

MD5
d0e3df5cdf9b9b515cb96b2c2374ee2a

SHA1
c412db9c9877ef2da3025d773badb5edd47949af

SHA256
3be86dd8d205cf5b7e7b9f41f120d820f01147a091515f703f07133f67ad3ded

SHA512
3ae8279c865a28aeb231cf8686e75bfc7e5b7c3f7da55da2a5b0a33c13822d81918590f6d0f73b3ebc3c8c04d79ffe5fe296b17809f7e65ad2ed2bfc6e888ed0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ml5omzl4\ml5omzl4.0.cs
Filesize
9KB

MD5
cec8f2e3a2c387a64a1a649aa907b99b

SHA1
76ca40cdd600e069e48a041bd2748ba2a5a953c0

SHA256
7d1f5fb153bff32f51816ebe73fe497ac137e57376984b2c14155ad65d21cb4f

SHA512
2ad91ef2149022d8d6ab777a22f2e30b0b36f2cb4e0c58c43ed019399999cf7544f037688550f5fbd331c3bbde8e0f5a09cdffbe6e6a8302afdf936f16c4ddcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ml5omzl4\ml5omzl4.cmdline
Filesize
312B

MD5
569f2673e84a153bbf67001078c73e67

SHA1
cfd0e5320264a1403bdc35faf4e23a3d07af7ff6

SHA256
3854b1195c61f32f466fbc1b4282092cd3fd0aec083d71f3cee3c9af34325f5d

SHA512
1ec81e9f5596143e51085624a76cb6babcb5a744e29e9f856229b31254699ba6883e8d16d44d2a739d7552f4cfd21510e58d0d45633a79bafa5cd2ec15aec334

Download Submit
memory/2288-24-0x0000000000DF0000-0x0000000000E26000-memory.dmp

Filesize
216KB

Download
memory/2288-1-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-38-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-2-0x00000000005C0000-0x0000000000600000-memory.dmp

Filesize
256KB

Download
memory/2288-0-0x0000000001040000-0x00000000010AA000-memory.dmp

Filesize
424KB

Download
memory/2288-20-0x0000000000C90000-0x0000000000CD0000-memory.dmp

Filesize
256KB

Download
memory/2288-21-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/2288-3-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/2288-18-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/2672-30-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2672-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2672-29-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2672-27-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2672-25-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2672-37-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2672-35-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2672-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads