0d665e8dc7db118b04260c5ef2c6e85d3f23cdce03858d6c7b05b4b3e8efc720

General

Target

14c052c7e4efa9df46aff3c8b759c16d_JaffaCakes118.exe
Size

176KB
MD5

14c052c7e4efa9df46aff3c8b759c16d
SHA1

17173e660a11b9d8944e68e5770ec65d92f72a3c
SHA256

0d665e8dc7db118b04260c5ef2c6e85d3f23cdce03858d6c7b05b4b3e8efc720
SHA512

0863ad45a363f71b6281d4e67d14fe33c9355c650cf3de1a16a9502772e43ac1a627005a7c85efda9b3f6dd2565dfcac3a8000e630a5e15f6e64b7ab7f069de9
SSDEEP

3072:L1Su0AlSgH9NHwT03aqptRI1GIbI0WQc9y8i08ZdNYuDa9ZENROH6BhL2E:Lj0URj04aqLRI1G2c9yFFtBHNROO

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1200-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1200-1-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2976-12-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2404-77-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1200-79-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1200-182-0x0000000000400000-0x000000000044B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	14c052c7e4efa9df46aff3c8b759c16d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 2976	1200	14c052c7e4efa9df46aff3c8b759c16d_JaffaCakes118.exe	28
PID 1200 wrote to memory of 2976	1200	14c052c7e4efa9df46aff3c8b759c16d_JaffaCakes118.exe	28
PID 1200 wrote to memory of 2976	1200	14c052c7e4efa9df46aff3c8b759c16d_JaffaCakes118.exe	28
PID 1200 wrote to memory of 2976	1200	14c052c7e4efa9df46aff3c8b759c16d_JaffaCakes118.exe	28
PID 1200 wrote to memory of 2404	1200	14c052c7e4efa9df46aff3c8b759c16d_JaffaCakes118.exe	30
PID 1200 wrote to memory of 2404	1200	14c052c7e4efa9df46aff3c8b759c16d_JaffaCakes118.exe	30
PID 1200 wrote to memory of 2404	1200	14c052c7e4efa9df46aff3c8b759c16d_JaffaCakes118.exe	30
PID 1200 wrote to memory of 2404	1200	14c052c7e4efa9df46aff3c8b759c16d_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\14c052c7e4efa9df46aff3c8b759c16d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14c052c7e4efa9df46aff3c8b759c16d_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\14c052c7e4efa9df46aff3c8b759c16d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\14c052c7e4efa9df46aff3c8b759c16d_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2976
- C:\Users\Admin\AppData\Local\Temp\14c052c7e4efa9df46aff3c8b759c16d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\14c052c7e4efa9df46aff3c8b759c16d_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\51F1.7EC

Filesize
1KB

MD5
a116941b7a2f7b694e8c36fce5785e71

SHA1
beba252becc3961f3001244d1bf96cf7550af06f

SHA256
53dde257d0fda1cdcd08757a6f116e5f99fe11d6915e31cd37371ab73fe5a624

SHA512
9275616cba3a02792ca9be57ff404453f348837f7655dceeba7b73d4ef70c8768670f84a7276f3864dfb234458e5704249b07422b4db7662ba48a47a5c6201b6

Download Submit
C:\Users\Admin\AppData\Roaming\51F1.7EC

Filesize
600B

MD5
fe4b6b57c790112afecabaf98fe04015

SHA1
ccbc70e2bba3a6699092ddb459879f9cd1b750c2

SHA256
d86b85fc540ea479e6f9035b202e09283276ec96749ebad9cd812e019471f9c9

SHA512
d7b3087360796fabe68168df43e17456da2d8f6508cb103f689f78d885830462d108fd3921402189993b9a0074b288bddb128632f4bd3a5cb21c9d24d61aadb4

Download Submit
C:\Users\Admin\AppData\Roaming\51F1.7EC

Filesize
996B

MD5
4e4e2cef9112fa6c8083fb80e2a9e89d

SHA1
f0ef4a2e0d18d595f02b72eafc89dbed9a1570d1

SHA256
c7a35b48f030fab2631b3f485c25c2a1029b7a02f8320240189b77414f88ba36

SHA512
2106d4b6b3ea811ddfcf4698308a8bbbc69cc152e92e62b0f6728b146089a08bb1334a0845130801ab2c45ca061fc846691055f275403400123a3ac2bda656fa

Download Submit
memory/1200-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1200-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1200-79-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1200-182-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2404-77-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2404-78-0x0000000000567000-0x0000000000583000-memory.dmp

Filesize
112KB

Download
memory/2976-12-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2976-13-0x00000000002D7000-0x00000000002F3000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads