6b50f3af595ff3a51bc04531187e401f7460a75abc6ac0257bc5eda82f94317b

General

Target

0f8a4510740a19cdc29a0499b5c9f594_JaffaCakes118.exe
Size

2.0MB
MD5

0f8a4510740a19cdc29a0499b5c9f594
SHA1

340def1a0a71c7880487f3876e0085cdfb875dd5
SHA256

6b50f3af595ff3a51bc04531187e401f7460a75abc6ac0257bc5eda82f94317b
SHA512

211baa514fe93ef493e203138e08b519ee353b7e65f1d794f628dbe97ade419e996b073d461715e7b8637d260a466f26e01f4b017be5e78c108283ebf5659c4d
SSDEEP

24576:AJLCYxNdGsWBojicYFAcIpz6RIglPzCTECxFiFrqqCPHdAgBfMRU02uwSMPTGS2D:A/icYFAyRJC2rtCPHjNbdyhbrt2

Score

10^/10

spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
superco0lpw

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	0f8a4510740a19cdc29a0499b5c9f594_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe	0f8a4510740a19cdc29a0499b5c9f594_JaffaCakes118.exe
File opened for modification	C:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe	0f8a4510740a19cdc29a0499b5c9f594_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1664	WinRAR.4.01.x32.en.tano1221.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4124	0f8a4510740a19cdc29a0499b5c9f594_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4124	0f8a4510740a19cdc29a0499b5c9f594_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4124	0f8a4510740a19cdc29a0499b5c9f594_JaffaCakes118.exe
1664	WinRAR.4.01.x32.en.tano1221.exe
1664	WinRAR.4.01.x32.en.tano1221.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 1664	4124	0f8a4510740a19cdc29a0499b5c9f594_JaffaCakes118.exe	84
PID 4124 wrote to memory of 1664	4124	0f8a4510740a19cdc29a0499b5c9f594_JaffaCakes118.exe	84
PID 4124 wrote to memory of 1664	4124	0f8a4510740a19cdc29a0499b5c9f594_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\0f8a4510740a19cdc29a0499b5c9f594_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f8a4510740a19cdc29a0499b5c9f594_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Users\Admin\AppData\Local\Temp\WinRAR.4.01.x32.en.tano1221.exe
  "C:\Users\Admin\AppData\Local\Temp\WinRAR.4.01.x32.en.tano1221.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WinRAR.4.01.x32.en.tano1221.exe

Filesize
1.4MB

MD5
197f2a312de2f0586e27a8778e4759a5

SHA1
864aeb5714e150ce2d284b11fb7de912be1730e5

SHA256
83c8f74938e605804dd4a946c3309c5af7f540b6271227d7af01b2d824bb67af

SHA512
0bde6221eb8d3678acc4f020c248683703f3bb5c5583966362a3c0cae0245ca79385df8da436bf49f12a53e6fa483b7c13f3941da3d12f1f50822cddb3d7111c

Download Submit
memory/4124-11-0x000000001C0E0000-0x000000001C0E8000-memory.dmp

Filesize
32KB

Download
memory/4124-1-0x000000001C5E0000-0x000000001CAAE000-memory.dmp

Filesize
4.8MB

Download
memory/4124-4-0x00007FFDE87D0000-0x00007FFDE9171000-memory.dmp

Filesize
9.6MB

Download
memory/4124-3-0x000000001CAB0000-0x000000001CB56000-memory.dmp

Filesize
664KB

Download
memory/4124-5-0x000000001CD60000-0x000000001CDC2000-memory.dmp

Filesize
392KB

Download
memory/4124-8-0x000000001D540000-0x000000001D5DC000-memory.dmp

Filesize
624KB

Download
memory/4124-10-0x000000001CB60000-0x000000001CB82000-memory.dmp

Filesize
136KB

Download
memory/4124-0-0x00007FFDE8A85000-0x00007FFDE8A86000-memory.dmp

Filesize
4KB

Download
memory/4124-2-0x00007FFDE87D0000-0x00007FFDE9171000-memory.dmp

Filesize
9.6MB

Download
memory/4124-20-0x00007FFDE87D0000-0x00007FFDE9171000-memory.dmp

Filesize
9.6MB

Download
memory/4124-12-0x000000001D9A0000-0x000000001D9EC000-memory.dmp

Filesize
304KB

Download
memory/4124-21-0x00007FFDE87D0000-0x00007FFDE9171000-memory.dmp

Filesize
9.6MB

Download
memory/4124-22-0x0000000020D50000-0x000000002105E000-memory.dmp

Filesize
3.1MB

Download
memory/4124-24-0x00007FFDE8A85000-0x00007FFDE8A86000-memory.dmp

Filesize
4KB

Download
memory/4124-25-0x00007FFDE87D0000-0x00007FFDE9171000-memory.dmp

Filesize
9.6MB

Download
memory/4124-26-0x00007FFDE87D0000-0x00007FFDE9171000-memory.dmp

Filesize
9.6MB

Download
memory/4124-27-0x00007FFDE87D0000-0x00007FFDE9171000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing