6161fdcd2661f9efc02f4a59e8f3ef25853d6a10b618e9acca6d0a5cb9a3e70d

General

Target

0f31c15f68f9bf7acd95d4808990f11c_JaffaCakes118.exe
Size

172KB
MD5

0f31c15f68f9bf7acd95d4808990f11c
SHA1

d535c67a6938c2baef9a2e495bceb0f71c762622
SHA256

6161fdcd2661f9efc02f4a59e8f3ef25853d6a10b618e9acca6d0a5cb9a3e70d
SHA512

aa726e1fd1baa8cc8e774b2be9ef99174d176dc76737134e08449b152e1fe6f9baa8f87eacd25877326545169d70b6918b387aabddb3bbb1c6e9e7471cd2b575
SSDEEP

3072:IUWU+9KHAF7i873mvGgUrjjC27P1mPqcdw2f1M+S3oMdT//0cYdL7yetlp:nWUWKgV3WJqb7PMHdpEoMdYFvJtr

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\A3806\\E6ED3.exe"	0f31c15f68f9bf7acd95d4808990f11c_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3532-1-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/3532-2-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/3532-3-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/3532-8-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/3532-9-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/3792-11-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/3792-12-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/3532-17-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/3336-77-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/3532-78-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/3532-172-0x0000000000400000-0x000000000048D000-memory.dmp	upx

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 3792	3532	0f31c15f68f9bf7acd95d4808990f11c_JaffaCakes118.exe	94
PID 3532 wrote to memory of 3792	3532	0f31c15f68f9bf7acd95d4808990f11c_JaffaCakes118.exe	94
PID 3532 wrote to memory of 3792	3532	0f31c15f68f9bf7acd95d4808990f11c_JaffaCakes118.exe	94
PID 3532 wrote to memory of 3336	3532	0f31c15f68f9bf7acd95d4808990f11c_JaffaCakes118.exe	96
PID 3532 wrote to memory of 3336	3532	0f31c15f68f9bf7acd95d4808990f11c_JaffaCakes118.exe	96
PID 3532 wrote to memory of 3336	3532	0f31c15f68f9bf7acd95d4808990f11c_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\0f31c15f68f9bf7acd95d4808990f11c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f31c15f68f9bf7acd95d4808990f11c_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Users\Admin\AppData\Local\Temp\0f31c15f68f9bf7acd95d4808990f11c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\0f31c15f68f9bf7acd95d4808990f11c_JaffaCakes118.exe startC:\Program Files (x86)\Internet Explorer\D3AA\1EC.exe%C:\Program Files (x86)\Internet Explorer\D3AA
  2⤵
  PID:3792
- C:\Users\Admin\AppData\Local\Temp\0f31c15f68f9bf7acd95d4808990f11c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\0f31c15f68f9bf7acd95d4808990f11c_JaffaCakes118.exe startC:\Program Files (x86)\06D8B\lvvm.exe%C:\Program Files (x86)\06D8B
  2⤵
  PID:3336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3792 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A3806\6D8B.380

Filesize
1KB

MD5
607cef9fecbb2e5b4f1d0a246bae86c4

SHA1
c07743de67933c3ab5a40d6ee91bc5009562767a

SHA256
32d7e9ddb6505217c2413049b48fd03d1f82217a1c7e7359a58765ca907b5d20

SHA512
c07c95710afcb4718fd85d2cbd45d3d1c14f8e889e85f126630af79339e323e71461c586b899bac436af93f38be1fb1d7ae483d6569cd514e75970b6360286bd

Download Submit
C:\Users\Admin\AppData\Roaming\A3806\6D8B.380

Filesize
600B

MD5
09cfffc46ca1cd8ecb3584c41e039ef6

SHA1
10442c82e26ffb5d911dfdb695a8d2e8199a96e5

SHA256
403981b9a2cacdb38811af4efbc8059efb77eb72387bdf3bc239e40d7c6bafdb

SHA512
fd6a76c0d01c8af869366aef7c339e194cfeb19cc372689dfd343e4df752ba67903597dff61669405f3b012bcf7e73c5a3907b83cab6892721187e74ab4e9b13

Download Submit
C:\Users\Admin\AppData\Roaming\A3806\6D8B.380

Filesize
996B

MD5
ceb9d38f54d2186494b7c628054d7486

SHA1
eeab1f9a5d7fb7ee48a1f52a57da6d1aac74a288

SHA256
afcae62721e40886750d2c1cf8039b5753b0cc232f592f621190bdb2dcb158bc

SHA512
e6de05d76bb01a7d97fb526b5785956e126621935ab920abf9c1052f7c42892f630e2f77c9fab8439be720f7f99d9bf847b661792f553bee5f2824ef51380e74

Download Submit
memory/3336-77-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3532-8-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3532-17-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3532-9-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3532-1-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3532-78-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3532-3-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3532-2-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3532-172-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3792-11-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3792-12-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads