796d20b44f82b2f28d9f1da9055e1ff84c2e8ac85447b9a53c3f6e8937a54897

General

Target

0a31f5fc650f2b93a36a1c095714b78a_JaffaCakes118.exe
Size

1.1MB
MD5

0a31f5fc650f2b93a36a1c095714b78a
SHA1

71b3367011357f8f66c50cee1dc3e331e631933d
SHA256

796d20b44f82b2f28d9f1da9055e1ff84c2e8ac85447b9a53c3f6e8937a54897
SHA512

02742e500fe70ddd5bdff9e6a0ab1b50a679590eab168034a07aca92f58dd539f294561ee3f631716a64c2002ff90a78595fd678e0ec9c7fb307e9843d0a4d75
SSDEEP

24576:wQ1bLFCAXperrOUj6k7ZqC30n5HOUZxfHQAPGuIHpc:wQ1bLk7ZxMdRkp

Score

9^/10

collection persistence

Malware Config

Signatures

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2796-50-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2796-52-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2796-53-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2796-56-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2964-73-0x0000000000400000-0x000000000045A000-memory.dmp	WebBrowserPassView
behavioral1/memory/2964-69-0x0000000000400000-0x000000000045A000-memory.dmp	WebBrowserPassView
behavioral1/memory/2964-68-0x0000000000400000-0x000000000045A000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2796-50-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2796-52-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2796-53-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2796-56-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2964-73-0x0000000000400000-0x000000000045A000-memory.dmp	Nirsoft
behavioral1/memory/2964-69-0x0000000000400000-0x000000000045A000-memory.dmp	Nirsoft
behavioral1/memory/2964-68-0x0000000000400000-0x000000000045A000-memory.dmp	Nirsoft

Drops startup file 1 IoCs

Processes:

LOICIIdVHRBHLgAYeZUAi.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MaCaFCZJcbiCTQSb.lnk	LOICIIdVHRBHLgAYeZUAi.exe

Executes dropped EXE 1 IoCs

Processes:

LOICIIdVHRBHLgAYeZUAi.exe

pid process

1872 LOICIIdVHRBHLgAYeZUAi.exe
Loads dropped DLL 2 IoCs

Processes:

0a31f5fc650f2b93a36a1c095714b78a_JaffaCakes118.exeLOICIIdVHRBHLgAYeZUAi.exe

pid process

3068 0a31f5fc650f2b93a36a1c095714b78a_JaffaCakes118.exe
1872 LOICIIdVHRBHLgAYeZUAi.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1872	LOICIIdVHRBHLgAYeZUAi.exe

pid	process
3068	0a31f5fc650f2b93a36a1c095714b78a_JaffaCakes118.exe
1872	LOICIIdVHRBHLgAYeZUAi.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0a31f5fc650f2b93a36a1c095714b78a_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0a31f5fc650f2b93a36a1c095714b78a_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 3 IoCs

Processes:

LOICIIdVHRBHLgAYeZUAi.exeRegAsm.exe

description	pid	process	target process
PID 1872 set thread context of 2536	1872	LOICIIdVHRBHLgAYeZUAi.exe	RegAsm.exe
PID 2536 set thread context of 2796	2536	RegAsm.exe	vbc.exe
PID 2536 set thread context of 2964	2536	RegAsm.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

vbc.exe

pid process

2964 vbc.exe
2964 vbc.exe
2964 vbc.exe
2964 vbc.exe
2964 vbc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

2536 RegAsm.exe

pid	process
2964	vbc.exe
2964	vbc.exe
2964	vbc.exe
2964	vbc.exe
2964	vbc.exe

pid	process
2536	RegAsm.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

0a31f5fc650f2b93a36a1c095714b78a_JaffaCakes118.exeLOICIIdVHRBHLgAYeZUAi.exeRegAsm.exe

description	pid	process	target process
PID 3068 wrote to memory of 1872	3068	0a31f5fc650f2b93a36a1c095714b78a_JaffaCakes118.exe	LOICIIdVHRBHLgAYeZUAi.exe
PID 3068 wrote to memory of 1872	3068	0a31f5fc650f2b93a36a1c095714b78a_JaffaCakes118.exe	LOICIIdVHRBHLgAYeZUAi.exe
PID 3068 wrote to memory of 1872	3068	0a31f5fc650f2b93a36a1c095714b78a_JaffaCakes118.exe	LOICIIdVHRBHLgAYeZUAi.exe
PID 3068 wrote to memory of 1872	3068	0a31f5fc650f2b93a36a1c095714b78a_JaffaCakes118.exe	LOICIIdVHRBHLgAYeZUAi.exe
PID 1872 wrote to memory of 2536	1872	LOICIIdVHRBHLgAYeZUAi.exe	RegAsm.exe
PID 1872 wrote to memory of 2536	1872	LOICIIdVHRBHLgAYeZUAi.exe	RegAsm.exe
PID 1872 wrote to memory of 2536	1872	LOICIIdVHRBHLgAYeZUAi.exe	RegAsm.exe
PID 1872 wrote to memory of 2536	1872	LOICIIdVHRBHLgAYeZUAi.exe	RegAsm.exe
PID 1872 wrote to memory of 2536	1872	LOICIIdVHRBHLgAYeZUAi.exe	RegAsm.exe
PID 1872 wrote to memory of 2536	1872	LOICIIdVHRBHLgAYeZUAi.exe	RegAsm.exe
PID 1872 wrote to memory of 2536	1872	LOICIIdVHRBHLgAYeZUAi.exe	RegAsm.exe
PID 1872 wrote to memory of 2536	1872	LOICIIdVHRBHLgAYeZUAi.exe	RegAsm.exe
PID 1872 wrote to memory of 2536	1872	LOICIIdVHRBHLgAYeZUAi.exe	RegAsm.exe
PID 2536 wrote to memory of 2796	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2796	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2796	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2796	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2796	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2796	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2796	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2796	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2796	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2796	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2964	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2964	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2964	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2964	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2964	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2964	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2964	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2964	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2964	2536	RegAsm.exe	vbc.exe
PID 2536 wrote to memory of 2964	2536	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\0a31f5fc650f2b93a36a1c095714b78a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a31f5fc650f2b93a36a1c095714b78a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LOICIIdVHRBHLgAYeZUAi.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LOICIIdVHRBHLgAYeZUAi.exe XDPQQHAWGNcYLJHXUWA
2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
- CmdLine Args
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\Mail.txt"
4⤵
- Accesses Microsoft Outlook accounts
PID:2796

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\Web.txt"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2964

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MaCaFCZJcbiC
Filesize
474KB

MD5
349c42d8308b6f5ca3cdf0fc43fd6c9c

SHA1
829b046f2e2cb726d2382ccc40ec08b3b9662cd8

SHA256
1ae7cc71c034ae9ee1ad343306305df4adff07ea5aa0e61e0b05d06712971a5e

SHA512
5ee6576127884da6fdfca68bbf8f0ab5bdf9d892bbbcab3b9b61134c8ba33504b7e68a447f29fab3bf75d9371a47859e090dbb9081aefdc4cda794f1ecd7c29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XDPQQHAWGNcYLJHXUWA
Filesize
38KB

MD5
1adc42dacd12c3ed14f5dfab6bd96aae

SHA1
987b4c38d608b0a7f663556a791814e3ae5e6f4d

SHA256
192bcaed67e7817bb3f201afc150ba7b58ad8d1860e2d89c0aca5d9976368fe9

SHA512
0afef56895e79b1c210f2e3678e9b63697040ff9a15089efd1f28784a64d1bed771bc724ee9d828ba0601a2f99f346b2ee3714e00cfcaa87aa488842969bcb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\LOICIIdVHRBHLgAYeZUAi.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
memory/1872-19-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2536-22-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2536-20-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2536-29-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2536-28-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2536-34-0x0000000074640000-0x0000000074BEB000-memory.dmp

Filesize
5.7MB

Download
memory/2536-37-0x0000000000C50000-0x0000000000C90000-memory.dmp

Filesize
256KB

Download
memory/2536-75-0x0000000000C50000-0x0000000000C90000-memory.dmp

Filesize
256KB

Download
memory/2536-74-0x0000000074640000-0x0000000074BEB000-memory.dmp

Filesize
5.7MB

Download
memory/2536-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2796-42-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2796-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2796-46-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2796-52-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2796-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2796-53-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2796-56-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2796-38-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2796-50-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2796-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2964-73-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2964-63-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2964-61-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2964-71-0x0000000000460000-0x00000000005E1000-memory.dmp

Filesize
1.5MB

Download
memory/2964-65-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2964-69-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2964-68-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2964-60-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2964-57-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads