8b59d747ad9b7d879038ecc72cf17a2f99fcc45e5c4659de51806137a34c78fc

General

Target

0d89bdc120b4af875914af42d627f83f_JaffaCakes118.exe
Size

160KB
MD5

0d89bdc120b4af875914af42d627f83f
SHA1

22959ac2f4674b2e7a5fcde1582b9daeaba2f595
SHA256

8b59d747ad9b7d879038ecc72cf17a2f99fcc45e5c4659de51806137a34c78fc
SHA512

960717a9971627150e36f8748a49b186f0123339fb01b07006a92aaba70b5aeec05f2bfbd94096515802e6b5c6736a7e867e151cb1b67a8413592ab368d78fe2
SSDEEP

3072:uW7f59LoQhroGFV3L+AcyXmaNbqBXif3hOLA/YOP1hMMETBsqzToMR:fV9NhroGFtLdNT8if+3OP1CJB3T

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\CF060\\30A21.exe"	0d89bdc120b4af875914af42d627f83f_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2984-2-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2984-3-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2028-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2028-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2984-17-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2772-107-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2772-110-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2772-108-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2984-111-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2984-112-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2984-266-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2028	2984	0d89bdc120b4af875914af42d627f83f_JaffaCakes118.exe	28
PID 2984 wrote to memory of 2028	2984	0d89bdc120b4af875914af42d627f83f_JaffaCakes118.exe	28
PID 2984 wrote to memory of 2028	2984	0d89bdc120b4af875914af42d627f83f_JaffaCakes118.exe	28
PID 2984 wrote to memory of 2028	2984	0d89bdc120b4af875914af42d627f83f_JaffaCakes118.exe	28
PID 2984 wrote to memory of 2772	2984	0d89bdc120b4af875914af42d627f83f_JaffaCakes118.exe	30
PID 2984 wrote to memory of 2772	2984	0d89bdc120b4af875914af42d627f83f_JaffaCakes118.exe	30
PID 2984 wrote to memory of 2772	2984	0d89bdc120b4af875914af42d627f83f_JaffaCakes118.exe	30
PID 2984 wrote to memory of 2772	2984	0d89bdc120b4af875914af42d627f83f_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\0d89bdc120b4af875914af42d627f83f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d89bdc120b4af875914af42d627f83f_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\0d89bdc120b4af875914af42d627f83f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\0d89bdc120b4af875914af42d627f83f_JaffaCakes118.exe startC:\Program Files (x86)\LP\215C\DB5.exe%C:\Program Files (x86)\LP\215C
  2⤵
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\0d89bdc120b4af875914af42d627f83f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\0d89bdc120b4af875914af42d627f83f_JaffaCakes118.exe startC:\Program Files (x86)\60905\lvvm.exe%C:\Program Files (x86)\60905
  2⤵
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\CF060\0905.F06

Filesize
996B

MD5
b55ec7ecbf26bfc83dd9fd8d34380053

SHA1
70cfed84bac52cfd9eb1f7c12cf2c0b6ac7ba880

SHA256
e0813f3e50234a508da60f950a1e66aafa539b7ef5b74014f30dba99d79b64ad

SHA512
437130f4268e1072c010dda260208d0afeb39309810088fd118c3c955ef38e1f7aa10ed2a5c256ea8ab5dc93fe3f7942bef12e069d61831d29a45f438f0f8d82

Download Submit
C:\Users\Admin\AppData\Roaming\CF060\0905.F06

Filesize
600B

MD5
0ae72848a2aa3bea8366037f58b15ccf

SHA1
0a7107f06fcb5fe43989a5b654c058b6b8e04bb5

SHA256
1b88a4c74f7f8e8e96cace31db932bb5431b2c34d88cbc4a1b132c52b8e354aa

SHA512
7b6114a1a6f403dbffe1592db6f2b5a39d6732d26f3655c79e8bef7fb9c967d97125ac7a84fb4b7ab9ee3dbed164a6f208fa73d4ea19011ef6f096d6079413d0

Download Submit
C:\Users\Admin\AppData\Roaming\CF060\0905.F06

Filesize
1KB

MD5
4b6c908e413b14147ade4e34126e0ce5

SHA1
e75d3b7ac6e671e8c6637660f426ec5e0b45d245

SHA256
d97fa913eac41ee5683fe53d293692a58c7850081a68660a09d99c8adc6c35b1

SHA512
8276045ece6296bba31d59103b3135b15339a5fa051c4decbfe92f5b5ad639fba575d415f42ddc4485b9b148d6c764d49b406da5754d35a031ef75cf7f765907

Download Submit
memory/2028-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2028-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2772-107-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2772-110-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2772-108-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2984-17-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2984-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2984-111-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2984-112-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2984-3-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2984-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2984-266-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads