340eb7ac37d096449c932d91455e50b8ac53c6a168e829b92c42c62ae00ea408

General

Target

15353a8787dc29af32ffb48db605759f_JaffaCakes118.exe
Size

318KB
MD5

15353a8787dc29af32ffb48db605759f
SHA1

d814bc5b0a391372d61bbab8e5457e4fcf458ace
SHA256

340eb7ac37d096449c932d91455e50b8ac53c6a168e829b92c42c62ae00ea408
SHA512

0c34c1c9f60a7da4902aa27df9eca7549f6549589cd888033be6824df3785749c6350dfd94a64a0122389426fb46efed01ec1cbee168334b03613781d7d2349d
SSDEEP

6144:wa6PJyjrStMM1RmapjkY1/Ch/8RL+U1PWFvPJ88xb7u29uHc+zi3tCq92att8Rcb:wa6PJyjrStMM1QapjkoE/8RL+U1OFvhh

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	15353a8787dc29af32ffb48db605759f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	nvdisp.exe

Executes dropped EXE 1 IoCs

pid	Process
3272	nvdisp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVIDIA = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\nvdisp.exe"	nvdisp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVIDIA = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\nvdisp.exe"	nvdisp.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	15353a8787dc29af32ffb48db605759f_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	15353a8787dc29af32ffb48db605759f_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	whatismyip.com

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	15353a8787dc29af32ffb48db605759f_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	15353a8787dc29af32ffb48db605759f_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	15353a8787dc29af32ffb48db605759f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3272	nvdisp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1364	15353a8787dc29af32ffb48db605759f_JaffaCakes118.exe
Token: SeDebugPrivilege	3272	nvdisp.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 3272	1364	15353a8787dc29af32ffb48db605759f_JaffaCakes118.exe	85
PID 1364 wrote to memory of 3272	1364	15353a8787dc29af32ffb48db605759f_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\15353a8787dc29af32ffb48db605759f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15353a8787dc29af32ffb48db605759f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\nvdisp.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\nvdisp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\89_MSUpdate.exe

Filesize
114B

MD5
e89f75f918dbdcee28604d4e09dd71d7

SHA1
f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

SHA256
6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

SHA512
8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\nvdisp.exe

Filesize
318KB

MD5
15353a8787dc29af32ffb48db605759f

SHA1
d814bc5b0a391372d61bbab8e5457e4fcf458ace

SHA256
340eb7ac37d096449c932d91455e50b8ac53c6a168e829b92c42c62ae00ea408

SHA512
0c34c1c9f60a7da4902aa27df9eca7549f6549589cd888033be6824df3785749c6350dfd94a64a0122389426fb46efed01ec1cbee168334b03613781d7d2349d

Download Submit
memory/1364-6-0x000000001D5C0000-0x000000001D666000-memory.dmp

Filesize
664KB

Download
memory/1364-1-0x00007FFE26170000-0x00007FFE26B11000-memory.dmp

Filesize
9.6MB

Download
memory/1364-4-0x00007FFE26170000-0x00007FFE26B11000-memory.dmp

Filesize
9.6MB

Download
memory/1364-5-0x0000000001280000-0x0000000001288000-memory.dmp

Filesize
32KB

Download
memory/1364-0-0x00007FFE26425000-0x00007FFE26426000-memory.dmp

Filesize
4KB

Download
memory/1364-7-0x000000001D770000-0x000000001D792000-memory.dmp

Filesize
136KB

Download
memory/1364-11-0x00007FFE26170000-0x00007FFE26B11000-memory.dmp

Filesize
9.6MB

Download
memory/1364-10-0x000000001D8A0000-0x000000001D8EC000-memory.dmp

Filesize
304KB

Download
memory/1364-12-0x00007FFE26170000-0x00007FFE26B11000-memory.dmp

Filesize
9.6MB

Download
memory/1364-36-0x00007FFE26170000-0x00007FFE26B11000-memory.dmp

Filesize
9.6MB

Download
memory/1364-3-0x000000001C100000-0x000000001C19C000-memory.dmp

Filesize
624KB

Download
memory/1364-2-0x000000001BC30000-0x000000001C0FE000-memory.dmp

Filesize
4.8MB

Download
memory/1364-13-0x00007FFE26170000-0x00007FFE26B11000-memory.dmp

Filesize
9.6MB

Download
memory/3272-35-0x00007FFE26170000-0x00007FFE26B11000-memory.dmp

Filesize
9.6MB

Download
memory/3272-37-0x00007FFE26170000-0x00007FFE26B11000-memory.dmp

Filesize
9.6MB

Download
memory/3272-38-0x00007FFE26170000-0x00007FFE26B11000-memory.dmp

Filesize
9.6MB

Download
memory/3272-40-0x00007FFE26170000-0x00007FFE26B11000-memory.dmp

Filesize
9.6MB

Download
memory/3272-39-0x000000001C380000-0x000000001C3A2000-memory.dmp

Filesize
136KB

Download
memory/3272-41-0x00007FFE26170000-0x00007FFE26B11000-memory.dmp

Filesize
9.6MB

Download
memory/3272-42-0x00007FFE26170000-0x00007FFE26B11000-memory.dmp

Filesize
9.6MB

Download
memory/3272-55-0x000000001F650000-0x000000001F95E000-memory.dmp

Filesize
3.1MB

Download
memory/3272-56-0x00007FFE26170000-0x00007FFE26B11000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads