b9c2bcb74d67c683f66168aa484eefc55b488aa4015c4e38d1e4a131c0220699

General

Target

05b0217261909d44a001d4b283c51df2_JaffaCakes118.exe
Size

1.0MB
MD5

05b0217261909d44a001d4b283c51df2
SHA1

c4cb95b26376cc67a38b035183bc775724ba4b95
SHA256

b9c2bcb74d67c683f66168aa484eefc55b488aa4015c4e38d1e4a131c0220699
SHA512

5b9670289444aa035b1254030b09a3bccbaaf6e27e24164cdeb1519d34d63aedc79b2f255d82d7f62e76d637914c0ba86e3c8a65958788df8778e6cf1c73603b
SSDEEP

24576:z/C8FE+7CDfGJIpclxPoH/KpcCkVxpI7h8CQ36ZcT:qkCDVGgSpcCgxAu

Score

7^/10

bootkit persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

defender.exe

pid process

2136 defender.exe

Loads dropped DLL 3 IoCs

Processes:

05b0217261909d44a001d4b283c51df2_JaffaCakes118.exe

pid	process
2268	05b0217261909d44a001d4b283c51df2_JaffaCakes118.exe
2268	05b0217261909d44a001d4b283c51df2_JaffaCakes118.exe
2268	05b0217261909d44a001d4b283c51df2_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\ProgramData\defender.exe	upx
behavioral1/memory/2268-22-0x0000000002EB0000-0x00000000034E5000-memory.dmp	upx
behavioral1/memory/2136-23-0x0000000000400000-0x0000000000A35000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

defender.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Security Protection = "C:\\ProgramData\\defender.exe"	defender.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

defender.exe

description	ioc	process
File opened (read-only)	\??\U:	defender.exe
File opened (read-only)	\??\E:	defender.exe
File opened (read-only)	\??\G:	defender.exe
File opened (read-only)	\??\I:	defender.exe
File opened (read-only)	\??\K:	defender.exe
File opened (read-only)	\??\Q:	defender.exe
File opened (read-only)	\??\T:	defender.exe
File opened (read-only)	\??\P:	defender.exe
File opened (read-only)	\??\X:	defender.exe
File opened (read-only)	\??\Z:	defender.exe
File opened (read-only)	\??\M:	defender.exe
File opened (read-only)	\??\N:	defender.exe
File opened (read-only)	\??\V:	defender.exe
File opened (read-only)	\??\W:	defender.exe
File opened (read-only)	\??\Y:	defender.exe
File opened (read-only)	\??\H:	defender.exe
File opened (read-only)	\??\J:	defender.exe
File opened (read-only)	\??\L:	defender.exe
File opened (read-only)	\??\O:	defender.exe
File opened (read-only)	\??\R:	defender.exe
File opened (read-only)	\??\S:	defender.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

defender.exe

description ioc process

File opened for modification \??\PhysicalDrive0 defender.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	defender.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

05b0217261909d44a001d4b283c51df2_JaffaCakes118.exedefender.exe

pid	process
2268	05b0217261909d44a001d4b283c51df2_JaffaCakes118.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe

Suspicious use of FindShellTrayWindow 17 IoCs

Processes:

defender.exe

pid	process
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe

Suspicious use of SendNotifyMessage 17 IoCs

Processes:

defender.exe

pid	process
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe
2136	defender.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

defender.exe

pid process

2136 defender.exe
2136 defender.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

05b0217261909d44a001d4b283c51df2_JaffaCakes118.exe

description	pid	process	target process
PID 2268 wrote to memory of 2136	2268	05b0217261909d44a001d4b283c51df2_JaffaCakes118.exe	defender.exe
PID 2268 wrote to memory of 2136	2268	05b0217261909d44a001d4b283c51df2_JaffaCakes118.exe	defender.exe
PID 2268 wrote to memory of 2136	2268	05b0217261909d44a001d4b283c51df2_JaffaCakes118.exe	defender.exe
PID 2268 wrote to memory of 2136	2268	05b0217261909d44a001d4b283c51df2_JaffaCakes118.exe	defender.exe

C:\Users\Admin\AppData\Local\Temp\05b0217261909d44a001d4b283c51df2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05b0217261909d44a001d4b283c51df2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2268

C:\ProgramData\defender.exe
C:\ProgramData\defender.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2136

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\defender.exe
Filesize
873KB

MD5
611d64dda639ed6e8c2878a3b13103a4

SHA1
30591fdfd4cb96c44392e6068d0f81d0746268b5

SHA256
a059c3cde3ec783b6dbf539c8af33183626606a26b25eb03cdf36a385f08267d

SHA512
e2e2bf4fe0d8ecf2bf7a77d20a743d570724faf550e6df34a4d6522cd91e57cf8526ab62a07eeec2801ff5ed322ec22157e2c566a47390455296732e25916386

Download Submit
memory/2136-34-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/2136-42-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/2136-33-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/2136-50-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/2136-48-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/2136-47-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/2136-35-0x0000000000B90000-0x0000000000C90000-memory.dmp

Filesize
1024KB

Download
memory/2136-23-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/2136-46-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/2136-26-0x0000000000B90000-0x0000000000C90000-memory.dmp

Filesize
1024KB

Download
memory/2136-27-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/2136-29-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/2136-30-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/2136-31-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2136-51-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/2136-49-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/2136-45-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/2136-36-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/2136-37-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/2136-38-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2136-40-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/2136-41-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/2136-44-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/2136-43-0x0000000000400000-0x0000000000A35000-memory.dmp

Filesize
6.2MB

Download
memory/2268-3-0x0000000000400000-0x0000000000703000-memory.dmp

Filesize
3.0MB

Download
memory/2268-22-0x0000000002EB0000-0x00000000034E5000-memory.dmp

Filesize
6.2MB

Download
memory/2268-24-0x0000000002EB0000-0x00000000034E5000-memory.dmp

Filesize
6.2MB

Download
memory/2268-12-0x0000000000400000-0x0000000000703000-memory.dmp

Filesize
3.0MB

Download
memory/2268-15-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/2268-2-0x00000000008A0000-0x00000000009A0000-memory.dmp

Filesize
1024KB

Download
memory/2268-0-0x0000000000400000-0x0000000000703000-memory.dmp

Filesize
3.0MB

Download
memory/2268-6-0x0000000077360000-0x0000000077361000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads