0e75d923716f59b4e5b2bcb249031a4cc7628f0f64ae1b9b73eeb00854a20de1

General

Target

0fd09d15f432d8719377f11bcf667c3e_JaffaCakes118.exe
Size

36KB
MD5

0fd09d15f432d8719377f11bcf667c3e
SHA1

a22378315819b476d611e444252c9b268394e191
SHA256

0e75d923716f59b4e5b2bcb249031a4cc7628f0f64ae1b9b73eeb00854a20de1
SHA512

13b34ee2c9ecd706a94e40c65427170ffaad72b9cea28d9bcd40057bdedd5e519ea29699ba8a1af9d198c57d0242f9c6074210bab9ea431ea4022a368a487d0e
SSDEEP

384:hI2jvAYjQj4MvyKJM5yqohTsE8/wA7q2pyqcpwxuzTa/SWQrGC0+ZN5j:hdjojvyKJdAEp4q2pyRpwgf2HC0mN5

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe C:\\Windows\\system32\\vxdmgr32.exe"	0fd09d15f432d8719377f11bcf667c3e_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundllw.exe	0fd09d15f432d8719377f11bcf667c3e_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2192	windrive.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\load32 = "C:\\Windows\\system32\\load32.exe"	0fd09d15f432d8719377f11bcf667c3e_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\load32.exe	0fd09d15f432d8719377f11bcf667c3e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\load32.exe	0fd09d15f432d8719377f11bcf667c3e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\vxdmgr32.exe	0fd09d15f432d8719377f11bcf667c3e_JaffaCakes118.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\dllreg.exe	0fd09d15f432d8719377f11bcf667c3e_JaffaCakes118.exe
File created	C:\Windows\guid32.dll	0fd09d15f432d8719377f11bcf667c3e_JaffaCakes118.exe
File created	C:\Windows\windrive.exe	0fd09d15f432d8719377f11bcf667c3e_JaffaCakes118.exe
File opened for modification	C:\Windows\vxdload.log	0fd09d15f432d8719377f11bcf667c3e_JaffaCakes118.exe
File created	C:\Windows\vxdload.log	0fd09d15f432d8719377f11bcf667c3e_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2868	0fd09d15f432d8719377f11bcf667c3e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2868	0fd09d15f432d8719377f11bcf667c3e_JaffaCakes118.exe
2868	0fd09d15f432d8719377f11bcf667c3e_JaffaCakes118.exe
2868	0fd09d15f432d8719377f11bcf667c3e_JaffaCakes118.exe
2868	0fd09d15f432d8719377f11bcf667c3e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2192	2868	0fd09d15f432d8719377f11bcf667c3e_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2192	2868	0fd09d15f432d8719377f11bcf667c3e_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2192	2868	0fd09d15f432d8719377f11bcf667c3e_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2192	2868	0fd09d15f432d8719377f11bcf667c3e_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\0fd09d15f432d8719377f11bcf667c3e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0fd09d15f432d8719377f11bcf667c3e_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\windrive.exe
  C:\Windows\windrive.exe
  2⤵
  - Executes dropped EXE
  PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\windrive.exe

Filesize
8KB

MD5
4b8cba337bc109d8b6eea0127207bfae

SHA1
0fe1c080f60e30e71d709f23310dbce178067b76

SHA256
26ad0dd002e7eccaae6553e8abc1ca8c92cb75ec2cd4aaae7382741cc81e24cb

SHA512
db4cfb81b562a2435bedd69b7d0bacc81c7579bcb77d5ebe3fa298ea71ed687df13888a4b90b73392bfd0f7255dcf750cb3ec176b51f374342a89e52ca4cef29

Download Submit
memory/2192-14-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2868-13-0x0000000000550000-0x0000000000556000-memory.dmp

Filesize
24KB

Download
memory/2868-12-0x0000000000550000-0x0000000000556000-memory.dmp

Filesize
24KB

Download
memory/2868-17-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2868-18-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/2868-21-0x0000000000550000-0x0000000000556000-memory.dmp

Filesize
24KB

Download
memory/2868-22-0x0000000000550000-0x0000000000556000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads