17432d218dd35ec276a34ab7f633cd4b57051102b598cda43a81279eea8d4ba9

General

Target

06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe
Size

169KB
MD5

06f588f54dea668717613c4f90ad961e
SHA1

61ec0f1d630521855b345ce91433efbf33a95116
SHA256

17432d218dd35ec276a34ab7f633cd4b57051102b598cda43a81279eea8d4ba9
SHA512

2b350f85e861b115383950ea20302b2bd76eb5f25939eb951e42d2a8701ca610ffd5175448c15cb69d3e3bb4c01d516cc03e8d6014f45f02415ff24d381ec3ab
SSDEEP

3072:YGCXtAAR6rwMuw4SJkTuxCHDQbQk2S3eFDaQDdpAQ9vPN8Vd7Cap3kbu7gQZO:zCXDmwMAqCjQck5enuCvPN8VNZxkbtx

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2012-1-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2280-6-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2280-7-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2280-9-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2012-20-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2808-86-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2808-85-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2808-88-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2012-89-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2012-198-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2280	2012	06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe	28
PID 2012 wrote to memory of 2280	2012	06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe	28
PID 2012 wrote to memory of 2280	2012	06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe	28
PID 2012 wrote to memory of 2280	2012	06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe	28
PID 2012 wrote to memory of 2808	2012	06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe	30
PID 2012 wrote to memory of 2808	2012	06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe	30
PID 2012 wrote to memory of 2808	2012	06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe	30
PID 2012 wrote to memory of 2808	2012	06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2280
- C:\Users\Admin\AppData\Local\Temp\06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\9BE2.6D9

Filesize
597B

MD5
c03f36ac3e3a99fb1f4e1cb940317deb

SHA1
88dd1d46c8e6cd2f49af1c62ba22b76ced77931a

SHA256
a706a91c42b4ed27fd8eaad1f3e4f9dbcc0dd09a06bc4d4e30ab7b5cc3383414

SHA512
5a500689afd4ada7b3ed6b55865442658297a8ecac4f3d4708039ba46fa08863f708c193e97107b62b0cd1d1d240072be645772832b6942b0941b45b8c3072a5

Download Submit
C:\Users\Admin\AppData\Roaming\9BE2.6D9

Filesize
1KB

MD5
a5d8c662e399972f2146a86f812817b4

SHA1
4b8e8ecea64d755c99f0127792ffdc5968b0adea

SHA256
7d997340795f3dc82adef53d917d3105170eccf94bd4ff4cb7b08858541fb186

SHA512
f3f007199282672f679e0cf2ffbdedcd187b5fb5bb2ad7c223b8547b952bc92e7cc116ba9cb5b02437f9dca95c8ad1fb96c17441e7b0f010ba2f111057055e3d

Download Submit
C:\Users\Admin\AppData\Roaming\9BE2.6D9

Filesize
897B

MD5
69fcb6e3fdb181ab60d4d3084615fcbf

SHA1
19ca11e390752e8a7d34cc1ee93730790cb3a3b5

SHA256
59bb912a4cb4ac6f7e84105d7ff54257dc9f1fdf2e5421fb2ae206a0e859c9ae

SHA512
60ac41b81f919489cf6f720e22f937876f16a0a62165149adfedfe2583cc27e95b828b129e64ec8c59f517c1fac67c57f6937dd8029b49e39aabd47ffdd0d088

Download Submit
memory/2012-89-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2012-198-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2012-1-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2012-20-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2280-9-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2280-7-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2280-6-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2808-85-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2808-88-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2808-86-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads