96c0d4914e76b1fa9375ae0aae11d1fc7e0929c7dccadc9fc2a13a32c3ff3ec1

General

Target

0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe
Size

177KB
MD5

0d84b7c7410b3d41b0c7079cd8907c38
SHA1

41405d26248bfe86df3927af45d04c71a2d793e3
SHA256

96c0d4914e76b1fa9375ae0aae11d1fc7e0929c7dccadc9fc2a13a32c3ff3ec1
SHA512

279a1d0a6f625c1dc89eff895ec264d1e6b45eb3cb1f3f00a701583c04ac8864108c14b8db8dae58a80c6d740bc8d934f25f8fd35dac1b588c2a6e56dde4bd52
SSDEEP

3072:gxxm9nvR85IsOCHwYJrkvBqd6czLyettLtgYmxChFmrjfXTUvH:8m9nONQYJkvkd7zLyGQobgjfX

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2228-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1976-12-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2228-75-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/3048-82-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1976-83-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2228-85-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2228-158-0x0000000000400000-0x000000000044B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 1976	2228	0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe	28
PID 2228 wrote to memory of 1976	2228	0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe	28
PID 2228 wrote to memory of 1976	2228	0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe	28
PID 2228 wrote to memory of 1976	2228	0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe	28
PID 2228 wrote to memory of 3048	2228	0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe	30
PID 2228 wrote to memory of 3048	2228	0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe	30
PID 2228 wrote to memory of 3048	2228	0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe	30
PID 2228 wrote to memory of 3048	2228	0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:1976
- C:\Users\Admin\AppData\Local\Temp\0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4AAD.C56

Filesize
600B

MD5
7dbe7ef9167bb29dfd61a344014c0b42

SHA1
48a5148e23c419ab9d6d2830e4a2a0be9152d9a1

SHA256
215d684b3ce229f17bcc32432af75f75922952c2925c0cc27643d6f82ffb4e8c

SHA512
be1e0a606fc6942b157680682547b76305f04bdea7daaafdb459bf93b9cfe6cfd07b80d8cbb100a9b6c943a9ad240c32baa5ade544d01663f10cc357b70b71a6

Download Submit
C:\Users\Admin\AppData\Roaming\4AAD.C56

Filesize
1KB

MD5
06aedf873fb9fcdc61516ae5097a198d

SHA1
ad6c94b6fbb6fbe86576b1cde5e4ad00d7148cdc

SHA256
1513bdd9f0204565d71690bc43036bbee698c1182ace38b0ef4e1680b44bcfed

SHA512
19c48ccf97c3c5e14a215067acb51e1f623a0bf0e45f275b7edf09b4e5bfeaf11141d627c70d5cdbe78c516f823f6d37768d379ccfd81a66734430bc7bfa6ee4

Download Submit
C:\Users\Admin\AppData\Roaming\4AAD.C56

Filesize
996B

MD5
d2e32ee5411c3966baa75b63aff80374

SHA1
be0093fd72d8d0334fdd414a274bb663648278b7

SHA256
89f740adc5729a0510d6b574099691520806473f8ca4a58269e5bf845e846570

SHA512
2a27ce331491dbd651278a4191d3b2160ebe07b16e1f52027875f25153eec1e222d96e53d29e6a30ea06d666a7dc3f78166d4447b2d7e1b20388eafaa666f209

Download Submit
memory/1976-12-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-83-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2228-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2228-75-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2228-85-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2228-158-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3048-82-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3048-84-0x0000000000637000-0x0000000000653000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads