masslogger | ad32cadc3a75e969c0e8c25dfec398378aceb406017050763ce3c5d482998f42

General

Target

73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
Size

992KB
MD5

73c81dd67773b2efa5261e20adf74a5b
SHA1

fde0db688d6abb4aad0bb646db9f1c192d980b5a
SHA256

ad32cadc3a75e969c0e8c25dfec398378aceb406017050763ce3c5d482998f42
SHA512

8b2483b0dedf9d6b9329202d40544291b55601518c3b14f5df764e277114ee6538bdf6d08efcb8c3dad99ac7368471354acb1bf1ecd3f7da2c072f8c5a8e24d9
SSDEEP

24576:8I3j32qQLhX/CUoDnbUVo2yhVx/NOMCh/zduiMxVRPXQJA:j6DhaJAMx/NOMChxp8PXg

Score

10^/10

masslogger evasion spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2220-13-0x0000000000400000-0x00000000004B8000-memory.dmp	family_masslogger
behavioral1/memory/2220-19-0x0000000000400000-0x00000000004B8000-memory.dmp	family_masslogger
behavioral1/memory/2220-22-0x0000000000400000-0x00000000004B8000-memory.dmp	family_masslogger
behavioral1/memory/2220-17-0x0000000000400000-0x00000000004B8000-memory.dmp	family_masslogger
behavioral1/memory/2220-14-0x0000000000400000-0x00000000004B8000-memory.dmp	family_masslogger

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools 73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

1948 powershell.exe

pid	process
1948	powershell.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe

description	pid	process	target process
PID 2200 set thread context of 2220	2200	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exepowershell.exe

pid process

2220 73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
2220 73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
1948 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2220 73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
Token: SeDebugPrivilege 1948 powershell.exe

pid	process
2220	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
2220	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
1948	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2220	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
Token: SeDebugPrivilege	1948	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 2200 wrote to memory of 2220	2200	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
PID 2200 wrote to memory of 2220	2200	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
PID 2200 wrote to memory of 2220	2200	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
PID 2200 wrote to memory of 2220	2200	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
PID 2200 wrote to memory of 2220	2200	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
PID 2200 wrote to memory of 2220	2200	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
PID 2200 wrote to memory of 2220	2200	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
PID 2200 wrote to memory of 2220	2200	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
PID 2200 wrote to memory of 2220	2200	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
PID 2220 wrote to memory of 2256	2220	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe	cmd.exe
PID 2220 wrote to memory of 2256	2220	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe	cmd.exe
PID 2220 wrote to memory of 2256	2220	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe	cmd.exe
PID 2220 wrote to memory of 2256	2220	73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe	cmd.exe
PID 2256 wrote to memory of 1948	2256	cmd.exe	powershell.exe
PID 2256 wrote to memory of 1948	2256	cmd.exe	powershell.exe
PID 2256 wrote to memory of 1948	2256	cmd.exe	powershell.exe
PID 2256 wrote to memory of 1948	2256	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2200

C:\Users\Admin\AppData\Local\Temp\73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe'
4⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2200-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/2200-1-0x0000000001130000-0x000000000122E000-memory.dmp

Filesize
1016KB

Download
memory/2200-2-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/2200-3-0x00000000004A0000-0x00000000004B8000-memory.dmp

Filesize
96KB

Download
memory/2200-4-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/2200-5-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/2200-6-0x0000000005790000-0x000000000585A000-memory.dmp

Filesize
808KB

Download
memory/2200-7-0x0000000000740000-0x0000000000746000-memory.dmp

Filesize
24KB

Download
memory/2200-8-0x0000000004E00000-0x0000000004EBC000-memory.dmp

Filesize
752KB

Download
memory/2200-26-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/2220-11-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2220-13-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2220-19-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2220-22-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2220-24-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/2220-23-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/2220-17-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2220-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2220-14-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2220-25-0x0000000001060000-0x00000000010D8000-memory.dmp

Filesize
480KB

Download
memory/2220-9-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2220-27-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads