b6c5f7effcf88f4732d3761f46ac3c1b087f8feb1651ba26a5cd446f7f88dddf

General

Target

04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
Size

403KB
MD5

04f9ef26b34ec6b27f96fb86f604d5f5
SHA1

d52f862ac4b61833800c29a4b9c5ab45c158864b
SHA256

b6c5f7effcf88f4732d3761f46ac3c1b087f8feb1651ba26a5cd446f7f88dddf
SHA512

b10b992b3e6336b6a9ce20ac8046ddc63ea8f3ecdf448915171b2233a884125dc3415ca873437c5eec8b0dd247258069f8869030f04fe552590e34690faf618f
SSDEEP

6144:46PVn1IxOksTZAQ7vOQFAq+vdA34F53W3iUKaah:4Grkin79AqydA65BUKaa

Score

7^/10

collection spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\null.url	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe

description pid process target process

PID 2616 set thread context of 4912 2616 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exeRegAsm.exe

pid process

2616 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
2616 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
4912 RegAsm.exe
4912 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 2616 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
Token: SeDebugPrivilege 4912 RegAsm.exe

flow	ioc
17	checkip.dyndns.org

description	pid	process	target process
PID 2616 set thread context of 4912	2616	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	RegAsm.exe

pid	process
2616	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
2616	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
4912	RegAsm.exe
4912	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2616	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
Token: SeDebugPrivilege	4912	RegAsm.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.execsc.exe

description	pid	process	target process
PID 2616 wrote to memory of 872	2616	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	csc.exe
PID 2616 wrote to memory of 872	2616	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	csc.exe
PID 2616 wrote to memory of 872	2616	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	csc.exe
PID 872 wrote to memory of 3868	872	csc.exe	cvtres.exe
PID 872 wrote to memory of 3868	872	csc.exe	cvtres.exe
PID 872 wrote to memory of 3868	872	csc.exe	cvtres.exe
PID 2616 wrote to memory of 4912	2616	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	RegAsm.exe
PID 2616 wrote to memory of 4912	2616	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	RegAsm.exe
PID 2616 wrote to memory of 4912	2616	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	RegAsm.exe
PID 2616 wrote to memory of 4912	2616	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	RegAsm.exe
PID 2616 wrote to memory of 4912	2616	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	RegAsm.exe
PID 2616 wrote to memory of 4912	2616	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	RegAsm.exe
PID 2616 wrote to memory of 4912	2616	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	RegAsm.exe
PID 2616 wrote to memory of 4912	2616	04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ftr3icgp\ftr3icgp.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3652.tmp" "c:\Users\Admin\AppData\Local\Temp\ftr3icgp\CSCC390DE038C50469E915260ABEE8F974B.TMP"
3⤵
PID:3868

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4912

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3652.tmp
Filesize
1KB

MD5
a77041d51a1e7f8f68aa247d529dbe12

SHA1
27187c45f32ad343cf7b0d3e6e72172974de1d40

SHA256
c6ca6104177953d010db18ca062e97ca7ea8650c77fb1216d76d4e6811839bf8

SHA512
4ea36e988949049d9a67046b7fde76db7e11ed91c34aae7b043163c58572045c3799bbbc227c8236c3aa42f7cb960e0576b7f8ef4d07da2ae4708ef0e6ab0d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftr3icgp\ftr3icgp.dll
Filesize
8KB

MD5
a27fac3f75ad8ab89d68d26bfc72e9b1

SHA1
90f03572df787164cd0d9bba0409ffda46efbdae

SHA256
0b8ef8818f0e90e9a3eb59fa501dea164d38e35bdeaa17a89939d6d0f9b2ac25

SHA512
00cafbd0d67854e385bdb24a8c2595ae8a79f8c93d534ff7527279c9616cb3ccc6beffa0e5d9babf588d22370b7764829754d716bc908fa0e34dba18d1ed36c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftr3icgp\ftr3icgp.pdb
Filesize
21KB

MD5
18ffeced335d4ac03b1591ccd50e36ff

SHA1
29da6250e6a1670fd7dd1883d4c0714387557654

SHA256
3cf35b3a97e026a9323fca3c7b720298a40e2b6e9baf4dfd8ca3e80a5ce06e89

SHA512
0ad836baa8f7f8392c2db9771953e319f8d9d7126d4ec1eba0d908bb76a467262af6f56513c3084ab002e5f6868f3655cec421050be629644876f8e66aedc13e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ftr3icgp\CSCC390DE038C50469E915260ABEE8F974B.TMP
Filesize
1KB

MD5
e8bc383c02f594b0fa57b87c7ed98370

SHA1
6e829b63d39bbceb4be8927861df91a4597e772f

SHA256
a9937ebec420e00f362467c96bb9950636692864972bd3fe86e83bb8ea773f56

SHA512
5d1a5388357e4f9414365ee08cb8f9d3050335242beab726b42465abc1e571161ff2598d45ac4f3799e120adf847021b7311c8f358981964180d9b39ab28385f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ftr3icgp\ftr3icgp.0.cs
Filesize
9KB

MD5
cec8f2e3a2c387a64a1a649aa907b99b

SHA1
76ca40cdd600e069e48a041bd2748ba2a5a953c0

SHA256
7d1f5fb153bff32f51816ebe73fe497ac137e57376984b2c14155ad65d21cb4f

SHA512
2ad91ef2149022d8d6ab777a22f2e30b0b36f2cb4e0c58c43ed019399999cf7544f037688550f5fbd331c3bbde8e0f5a09cdffbe6e6a8302afdf936f16c4ddcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ftr3icgp\ftr3icgp.cmdline
Filesize
312B

MD5
b82f5596353d57f4602cc84cea590505

SHA1
c597ec2cc0be66c6e4095a2256639e08cb373d57

SHA256
3cc27f804e4e14d40ae3db4b8d055f533f430d0814fcb0a57afea6ec68987c3f

SHA512
825135e06aeca93cdfdbdf0f7521636a0be0356cc193af5c56f6b2782f042979785495593939ef4569645029556cdea2d750ceccea893afad70561abdd777bac

Download Submit
memory/2616-21-0x0000000005110000-0x0000000005150000-memory.dmp

Filesize
256KB

Download
memory/2616-26-0x00000000056B0000-0x000000000574C000-memory.dmp

Filesize
624KB

Download
memory/2616-3-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/2616-19-0x0000000005050000-0x0000000005058000-memory.dmp

Filesize
32KB

Download
memory/2616-2-0x0000000004F90000-0x0000000005022000-memory.dmp

Filesize
584KB

Download
memory/2616-1-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/2616-0-0x00000000005D0000-0x000000000063A000-memory.dmp

Filesize
424KB

Download
memory/2616-22-0x00000000050F0000-0x00000000050FC000-memory.dmp

Filesize
48KB

Download
memory/2616-25-0x0000000005160000-0x0000000005196000-memory.dmp

Filesize
216KB

Download
memory/2616-4-0x0000000004F80000-0x0000000004F88000-memory.dmp

Filesize
32KB

Download
memory/2616-29-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/4912-27-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4912-30-0x0000000071020000-0x00000000715D1000-memory.dmp

Filesize
5.7MB

Download
memory/4912-31-0x00000000012C0000-0x00000000012D0000-memory.dmp

Filesize
64KB

Download
memory/4912-32-0x0000000071020000-0x00000000715D1000-memory.dmp

Filesize
5.7MB

Download
memory/4912-33-0x0000000071020000-0x00000000715D1000-memory.dmp

Filesize
5.7MB

Download
memory/4912-34-0x00000000012C0000-0x00000000012D0000-memory.dmp

Filesize
64KB

Download
memory/4912-35-0x0000000071020000-0x00000000715D1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads