7b78ae1493693935b410ba9d252d2358bc8a4f11c2cc29bb6429454ef4c7b572

General

Target

0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe
Size

391KB
MD5

0049f3e822314897cb98ce47825fa645
SHA1

0e286a6b8f59f1b555facb2604afad39a1433f92
SHA256

7b78ae1493693935b410ba9d252d2358bc8a4f11c2cc29bb6429454ef4c7b572
SHA512

f4f824a77bf317bc2e2927aa590fdbd07b17706ba01ab17b778699b0813439049edbc39a28498c890889bd1d97ee1a1fedc0924a07b9861845ea2680bbbb34ed
SSDEEP

6144:FhOZbxZ+Be8wGKmFTGT6cF6R5m9rBLICY0klFblVVlIG:FyxZ+B5wGKmFTBC6RolZRkBVVln

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2288 set thread context of 2060	2288	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	28

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2060	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2060	2288	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	28
PID 2288 wrote to memory of 2060	2288	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	28
PID 2288 wrote to memory of 2060	2288	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	28
PID 2288 wrote to memory of 2060	2288	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	28
PID 2288 wrote to memory of 2060	2288	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	28
PID 2288 wrote to memory of 2060	2288	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	28
PID 2060 wrote to memory of 1648	2060	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	29
PID 2060 wrote to memory of 1648	2060	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	29
PID 2060 wrote to memory of 1648	2060	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	29
PID 2060 wrote to memory of 1648	2060	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	29
PID 2060 wrote to memory of 2516	2060	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	31
PID 2060 wrote to memory of 2516	2060	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	31
PID 2060 wrote to memory of 2516	2060	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	31
PID 2060 wrote to memory of 2516	2060	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	31
PID 2060 wrote to memory of 2584	2060	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	32
PID 2060 wrote to memory of 2584	2060	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	32
PID 2060 wrote to memory of 2584	2060	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	32
PID 2060 wrote to memory of 2584	2060	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Local\Temp\0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c %systemdrive% && cd %appdata% && cd Mozilla\Firefox\Profiles && dir /B /O:-D > c:\dateiname.txt
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c md c:\ende
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c %systemdrive% && cd %appdata% && cd Mozilla\Firefox\Profiles && cd 9bot8sq2.default-release&& copy key3.db c:\ende && copy signons.txt c:\ende && copy history.dat c:\ende
    3⤵
    PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\dateiname.txt

Filesize
42B

MD5
2a10e2abc9c0c0f985dc1523765946db

SHA1
c51fd28de2870be8263360d188d6fbb3b41b9ebf

SHA256
5d48213800eac8b7f3e4b1af18779f83565a186bcc2919654a5a26d1dfdf968f

SHA512
7a4c691b0003ee0933f06c06b717baa2265489681658da57d73a5cb52780b81646e7fa1bfd0889ee663468a1a4b54e01cee5fce1124a9400dbb36c1ee19da17d

Download Submit
memory/2060-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2060-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2060-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2060-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2060-16-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2288-0-0x0000000063400000-0x000000006345F000-memory.dmp

Filesize
380KB

Download
memory/2288-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2288-2-0x00000000002E0000-0x000000000033F000-memory.dmp

Filesize
380KB

Download
memory/2288-9-0x0000000063400000-0x000000006345F000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing