0bf1ddf56a66d3347f0b8c768d4369229deb8a1cbf0b7aeab1694d29c715977d

General

Target

088bc418dc9ac21cb8fa82d9f4be63c8_JaffaCakes118.exe
Size

472KB
MD5

088bc418dc9ac21cb8fa82d9f4be63c8
SHA1

d2dcea512b4c6422e6f186db02b12535a79e94e7
SHA256

0bf1ddf56a66d3347f0b8c768d4369229deb8a1cbf0b7aeab1694d29c715977d
SHA512

00a6d09518f98859eb863c3e52b16d67363421d1030ea08a2744576c4d2ea0ea24424875f65acf11f0431221fcb9ad9494b2bde05b02904fed40be915c25ae79
SSDEEP

12288:mU6q8J+5AVXux15EAtorfZiSDL4qMOt7/5zBx9iF/HjYF:EB6UXux1ZtmfZiSDs+tVzBx9ixE

Score

9^/10

collection spyware stealer upx

Malware Config

Signatures

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2200-15-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/2200-25-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/2204-26-0x0000000000400000-0x00000000004FA000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/files/0x0034000000015d07-16.dat	WebBrowserPassView
behavioral1/memory/2204-26-0x0000000000400000-0x00000000004FA000-memory.dmp	WebBrowserPassView

Nirsoft 4 IoCs

resource	yara_rule
behavioral1/memory/2200-15-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/files/0x0034000000015d07-16.dat	Nirsoft
behavioral1/memory/2200-25-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/2204-26-0x0000000000400000-0x00000000004FA000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

pid	Process
2200	set.exe
2568	set1.exe

Loads dropped DLL 4 IoCs

pid	Process
2204	088bc418dc9ac21cb8fa82d9f4be63c8_JaffaCakes118.exe
2204	088bc418dc9ac21cb8fa82d9f4be63c8_JaffaCakes118.exe
2204	088bc418dc9ac21cb8fa82d9f4be63c8_JaffaCakes118.exe
2204	088bc418dc9ac21cb8fa82d9f4be63c8_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2204-0-0x0000000000400000-0x00000000004FA000-memory.dmp	upx
behavioral1/files/0x000c00000001313a-5.dat	upx
behavioral1/memory/2204-7-0x0000000002090000-0x00000000020AF000-memory.dmp	upx
behavioral1/memory/2200-15-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2200-25-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2204-26-0x0000000000400000-0x00000000004FA000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	set.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2200	2204	088bc418dc9ac21cb8fa82d9f4be63c8_JaffaCakes118.exe	28
PID 2204 wrote to memory of 2200	2204	088bc418dc9ac21cb8fa82d9f4be63c8_JaffaCakes118.exe	28
PID 2204 wrote to memory of 2200	2204	088bc418dc9ac21cb8fa82d9f4be63c8_JaffaCakes118.exe	28
PID 2204 wrote to memory of 2200	2204	088bc418dc9ac21cb8fa82d9f4be63c8_JaffaCakes118.exe	28
PID 2204 wrote to memory of 2568	2204	088bc418dc9ac21cb8fa82d9f4be63c8_JaffaCakes118.exe	29
PID 2204 wrote to memory of 2568	2204	088bc418dc9ac21cb8fa82d9f4be63c8_JaffaCakes118.exe	29
PID 2204 wrote to memory of 2568	2204	088bc418dc9ac21cb8fa82d9f4be63c8_JaffaCakes118.exe	29
PID 2204 wrote to memory of 2568	2204	088bc418dc9ac21cb8fa82d9f4be63c8_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\088bc418dc9ac21cb8fa82d9f4be63c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\088bc418dc9ac21cb8fa82d9f4be63c8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\set.exe
  "C:\Users\Admin\AppData\Local\set.exe" /stext temp.txt
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook accounts
  PID:2200
- C:\Users\Admin\AppData\Local\set1.exe
  "C:\Users\Admin\AppData\Local\set1.exe" /stext temp1.txt
  2⤵
  - Executes dropped EXE
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\set.exe

Filesize
51KB

MD5
e4e05d3819547b2a0c0cb073067f151a

SHA1
0819b32d7539d37656f92235c6ca7c1051f4029c

SHA256
73aec02d21d22dde4bf09cfa5d53c8f5b4abcb3d98e08a33e003e9d5d8d9605d

SHA512
49110d5a3f8985986cb2845bd4eeea928626161a143ecfb39e0c91385d8eb82ecbc6b0d9a07474996b1924acfd2bb89bbc8a540d943da306ac5b54a268208286

Download Submit
\Users\Admin\AppData\Local\set1.exe

Filesize
322KB

MD5
94413713779e6aefe1bfd89bab03ab4a

SHA1
accf7f10824e9c1b74833b9df01c41e1c6418fc1

SHA256
c9fe245826fed144c9b261d86fa3901f290746672c5465de4e50bc1765b105ad

SHA512
f1ce4ad3899e167f1825abf538b4ce50349052a373c5c7155fb602c256e6dc8621b55caa2efe7d607cf2392e356a978f063cb31407d2f6b816d382a8f85f566b

Download Submit
memory/2200-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2200-25-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2204-0-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2204-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2204-7-0x0000000002090000-0x00000000020AF000-memory.dmp

Filesize
124KB

Download
memory/2204-14-0x0000000002090000-0x00000000020AF000-memory.dmp

Filesize
124KB

Download
memory/2204-26-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2204-28-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2204-29-0x0000000002090000-0x00000000020AF000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing