d70e4742b50d2db0b5c2e90eab0870e1560a7541a465f3a1d4e796ba1e794cc0

General

Target

0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe
Size

1018KB
MD5

0558490427bfa0c032a84833e99b4afc
SHA1

b4b61d3a41889b0d56830132b64e3635091f5db6
SHA256

d70e4742b50d2db0b5c2e90eab0870e1560a7541a465f3a1d4e796ba1e794cc0
SHA512

51f72654b790c4ec14a2a4a0b9cb21a79c61447555e3ad81d768956b548511c6560acd2b66519ff6bb16e653a9f053c3a421e7104f626f2296313689a2abfef4
SSDEEP

12288:U0BjVnAqXTX1LVQGPkEurwZu5x8/ks2UgUGl8DEUrgyHLEimZDPhTrAjjAtef:9nRTX1hQfJuu5x8/elO3gseZ1UjjAtef

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tmppack.exe

pid process

2192 tmppack.exe
Loads dropped DLL 2 IoCs

Processes:

0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe

pid process

1876 0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe
1876 0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2192	tmppack.exe

pid	process
1876	0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe
1876	0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe

pid process

1876 0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe
1876 0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe

pid	process
1876	0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe
1876	0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe

description	pid	process	target process
PID 1876 wrote to memory of 2192	1876	0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe	tmppack.exe
PID 1876 wrote to memory of 2192	1876	0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe	tmppack.exe
PID 1876 wrote to memory of 2192	1876	0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe	tmppack.exe
PID 1876 wrote to memory of 2192	1876	0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe	tmppack.exe

C:\Users\Admin\AppData\Local\Temp\0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Admin\AppData\Local\Temp\KTMHUBWXMSUJTTPIODPXDGAM\tmppack.exe
-y
2⤵
- Executes dropped EXE
PID:2192

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KTMHUBWXMSUJTTPIODPXDGAM\installer.pak
Filesize
1.3MB

MD5
9161de0c745a2467e8b1efa7fe828986

SHA1
85ae7bf18c3f0cc68a8489363d883594ace964ca

SHA256
fb46408ed5b0aca2c7ad9f33916f09b212c720473ec3222eadd7b66383b4bc21

SHA512
46b211ad8164ff11a4a48c5ad64478c148defe001cf9896354a0b002f9e1936ca251382a1f0ecf78e5a965557ad44716fd73c0456aae57543cb6d180e76ffd69

Download Submit
C:\Users\Admin\AppData\Local\Temp\KTMHUBWXMSUJTTPIODPXDGAM\tmppack.exe
Filesize
561KB

MD5
191daa51ab8e3dbe928711f001dc3adb

SHA1
84d307554c31dd13b5789109505b7394f34c7836

SHA256
a39c78f61f42f22bfb40cfe9f56239bb15d7ea6ca153a5ded61c36997a61fa45

SHA512
1b10db82956d2092bee5b0a3f954b47bbfe669193d04fb586545a8a8167d84dc1a6f8aab8bd0d1695145830c733e0fa3b2505223bd50495a65bae32b04837a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\t253to3a\gui\MainProduct.html
Filesize
3KB

MD5
bbccaf41a1428f1a33357a10bc094edb

SHA1
612281956e1b9d895bbc078c271846f881e4c264

SHA256
50fdf1d3cd943aea15616a56391e6f388ea42be11ea3c269412af5b09ef9fbaf

SHA512
af6a25948746cfcdc0421ac1a96d2efa3fceaf9093c3931d25087d9c12258f06a410e7f7d5260d17d6dbdc00dde74df5b25cfda0260ac531a07b7a200ec41bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\t253to3a\gui\events\cav.xml
Filesize
981B

MD5
8a5e1aad7303d8174cf3ba5e3591624c

SHA1
5bc119db938869e24dc18f9f70a5039cefaa9b19

SHA256
a3dc8aa222cb5edb0d18f4526a0b0859647b48b4bdc52a5c9431c4ec6779f538

SHA512
3c5c491234024226e6486f7426ab941a38701e33a0d1c70012cd64080904c2ee3f4f792ed992e3e605357471bc4da30c661b843b6b2501c4bed4041c4a6bc390

Download Submit
C:\Users\Admin\AppData\Local\Temp\t253to3a\wizard.xml
Filesize
5KB

MD5
bf9c108fed413e71a6ff2ee6fada6969

SHA1
ee260fc6a0340a8c911f6541c951eb906fc1699d

SHA256
6ddfb3c12f505a4c1dc57324c08798ba996e15e6800408a739bc0907776a4e7b

SHA512
5552a40c349bf6202b0862a8245515a485abc7dd5064b84a9976e9072cf97dfdcff318a96a8fcd3fd0cae9da249ead4a4dce35fc995c7e9ec92a19a5b8fc7fb2

Download Submit
memory/1876-12-0x0000000000D10000-0x0000000000E59000-memory.dmp

Filesize
1.3MB

Download
memory/1876-78-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1876-144-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing