06d94641bb476c5fa3d78b7059887790bdf2d173081e7a595523ba28e99a58e0

General

Target

6978d4fe770879c22f11d708eb6cfccb_JaffaCakes118.exe
Size

654KB
MD5

6978d4fe770879c22f11d708eb6cfccb
SHA1

d47db598072d3a81403a250b7da4ab4bb245a8bd
SHA256

06d94641bb476c5fa3d78b7059887790bdf2d173081e7a595523ba28e99a58e0
SHA512

faf749fd1a4193b98ce6c9687a470d44bb3491f344ea84472b0e8382061fd03ba3f5af6ff73da0c6f20b6b27a806faa101ede9e1053d66e7cbca73503f82c637
SSDEEP

12288:uR7M/rkoZZ4Umg7BABatP/FxgZxuKmUULT1zYzWuEnyP+A20:uR7WZZ4Umg7BAAwPuKmHAWLyGAl

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

BUWqJ.exe

pid process

1940 BUWqJ.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1940	BUWqJ.exe

Drops Chrome extension 5 IoCs

Processes:

BUWqJ.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ganlifbpkcplnldliibcbegplfmcfigp\126\manifest.json	BUWqJ.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ganlifbpkcplnldliibcbegplfmcfigp\126\manifest.json	BUWqJ.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ganlifbpkcplnldliibcbegplfmcfigp\126\manifest.json	BUWqJ.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ganlifbpkcplnldliibcbegplfmcfigp\126\manifest.json	BUWqJ.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ganlifbpkcplnldliibcbegplfmcfigp\126\manifest.json	BUWqJ.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

6978d4fe770879c22f11d708eb6cfccb_JaffaCakes118.exe

description	pid	process	target process
PID 3008 wrote to memory of 1940	3008	6978d4fe770879c22f11d708eb6cfccb_JaffaCakes118.exe	BUWqJ.exe
PID 3008 wrote to memory of 1940	3008	6978d4fe770879c22f11d708eb6cfccb_JaffaCakes118.exe	BUWqJ.exe
PID 3008 wrote to memory of 1940	3008	6978d4fe770879c22f11d708eb6cfccb_JaffaCakes118.exe	BUWqJ.exe

C:\Users\Admin\AppData\Local\Temp\6978d4fe770879c22f11d708eb6cfccb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6978d4fe770879c22f11d708eb6cfccb_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\2b175e92\BUWqJ.exe
"C:\Users\Admin\AppData\Local\Temp/2b175e92/BUWqJ.exe"
2⤵
- Executes dropped EXE
- Drops Chrome extension
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2b175e92\BUWqJ.dat

Filesize
1KB

MD5
d2e17fb4bb69995f49911e52fe07ef1b

SHA1
7d500f4dfb884206472ab654036a62d6cd786fd8

SHA256
d9a291738c5186dbcd15ddd4d1d218aec804438288db82f4fdf2431dc448521c

SHA512
c29e69959bdb70103d3943528fd6dd8aecc50d1ad8200044005b82adfe9f4befdc98365e2567711132fe3044480cbf40ca8f2cf5b700681e1d35ef7dba92843a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b175e92\BUWqJ.exe

Filesize
451KB

MD5
43aa29bf4812910789cc2805d11f68af

SHA1
22c30000fa6e7a8fbc111fde7e1cb4c3795cd5f9

SHA256
55ef27c7da3b60b65d524dd3ae3327506ffb035f78f6be5b793c71babeab8a04

SHA512
604ef59a990547a1a0aeb2cd10a0ea695ffa1114f912befdf179004737a2cd032cd884c3fbc856834ec9c076fd0c54173ed5361b8b6ed0f33adb6f56f8813f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b175e92\ganlifbpkcplnldliibcbegplfmcfigp\YUvswx.js

Filesize
24KB

MD5
46c299bacb3a5e74513d1461854c66b7

SHA1
c27c592525e2929a68971678c536b6af20aef46a

SHA256
25293eb85c48d1b8d0af027fdd93d066fa8cfbc45dbffe4fabe7e9a191e4ed61

SHA512
cad64bff9cae07aa3bc7851ca252e6613b3c3023af0ff89036f0f14cdb5287e7eeba2271abcbeb9686c67100205779667cc630567aff95a39fd2563cba28e92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b175e92\ganlifbpkcplnldliibcbegplfmcfigp\background.html

Filesize
143B

MD5
0c835c78fd9d888ac1afe8c3bf2d8d98

SHA1
3316f500cadec930d52553294e0e2100e921b39b

SHA256
46a2a135fdcefe54c8d1798e95932a01343a6885859afea0a2256d709b43d2b3

SHA512
de9411a2f600b3ff532ee4bd24c3a02b127b34373541eb2d4973a99402fe37ffaf666c60d7b22598a99a3520a356916ac2d3cad83a976ea11a4212007f4a49df

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b175e92\ganlifbpkcplnldliibcbegplfmcfigp\content.js

Filesize
7KB

MD5
0f9054279524b49954d32ced056eab06

SHA1
0ac7589c48d23a34332678572e3b02b3b3b39f5c

SHA256
48d6e16558d7d331085cb09f3995660640e673f82244e4980193259418ca1e07

SHA512
38684cfd6473c0f3b1a9b4ec78ea49b903d29bb95405fc0882954bccb49cb1f733c3d149e5046977b0f08808108c91680b45ca67d76868a99f4c75b9c05206dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b175e92\ganlifbpkcplnldliibcbegplfmcfigp\lsdb.js

Filesize
7KB

MD5
cff82b88669e188d6a5f77943a51ab87

SHA1
209187eefb9c20871e2e426307ee4cea469dee6d

SHA256
09501481648c593ddba3fa2378ab5c1cadebc4d9af47068a5715ab2934cd2fb9

SHA512
0038096a96bfae386668e5a5c73bfa913c5533ebd4995b7d145ee3413f2efe4c658ffb952272a64c6b11d64619583c36de32471be4559d0c9d37a8804634ef04

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b175e92\ganlifbpkcplnldliibcbegplfmcfigp\manifest.json

Filesize
607B

MD5
9402760891e68386a100d13bc4026019

SHA1
e3ef76864ebd8436caa1de78b0d74517d72b42fe

SHA256
dff224b7f5749a00766e3df4943070d25de10162b746629513fcdf899c9a8627

SHA512
9592332c1f6aabf170d337521017520ba9577e4f8401734c988feb8d69f7f144dd9ba04bee91b113564d64e2bed1254ff1fb62ec4152f67d89ae17982d3a007b

Download Submit

Analysis

Sharing