94a78c6548bb328bf372c9731191a30b3792c1f4ea735fa0369b220c3fe13afa

General

Target

1758a92502716ebd2129088af3eec18b_JaffaCakes118.exe
Size

169KB
MD5

1758a92502716ebd2129088af3eec18b
SHA1

60c94a2f2e9132a6444ac5f0207a8cfa8f0beae9
SHA256

94a78c6548bb328bf372c9731191a30b3792c1f4ea735fa0369b220c3fe13afa
SHA512

c92d53405b2449ff705a745453e185364d3f234a59563cf873ebca5df56a0832ab1d1c22c895fc8f108f7319a4ec32ac4f49a9debfad1749d68c8df5f15f15cc
SSDEEP

3072:wD0f7eo/zMJ9NNx0m41Ps3JiKwRvic9a:wojemMJ9NNGf14ifNz9a

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3024-2-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2884-11-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/3024-75-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/752-84-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/3024-86-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/3024-192-0x0000000000400000-0x0000000000444000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	1758a92502716ebd2129088af3eec18b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2884	3024	1758a92502716ebd2129088af3eec18b_JaffaCakes118.exe	28
PID 3024 wrote to memory of 2884	3024	1758a92502716ebd2129088af3eec18b_JaffaCakes118.exe	28
PID 3024 wrote to memory of 2884	3024	1758a92502716ebd2129088af3eec18b_JaffaCakes118.exe	28
PID 3024 wrote to memory of 2884	3024	1758a92502716ebd2129088af3eec18b_JaffaCakes118.exe	28
PID 3024 wrote to memory of 752	3024	1758a92502716ebd2129088af3eec18b_JaffaCakes118.exe	30
PID 3024 wrote to memory of 752	3024	1758a92502716ebd2129088af3eec18b_JaffaCakes118.exe	30
PID 3024 wrote to memory of 752	3024	1758a92502716ebd2129088af3eec18b_JaffaCakes118.exe	30
PID 3024 wrote to memory of 752	3024	1758a92502716ebd2129088af3eec18b_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\1758a92502716ebd2129088af3eec18b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1758a92502716ebd2129088af3eec18b_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\1758a92502716ebd2129088af3eec18b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\1758a92502716ebd2129088af3eec18b_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2884
- C:\Users\Admin\AppData\Local\Temp\1758a92502716ebd2129088af3eec18b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\1758a92502716ebd2129088af3eec18b_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5894.E1F

Filesize
600B

MD5
17799694f2dd398def201dc8b7524e82

SHA1
12a0062d959c7d42cad0b3dea5d6c08a6ee82a66

SHA256
d5a45b896f6dd5fce7b7df6bba57c61d37c60630f2f743a7e0bf736c4adc7411

SHA512
929a4e9d83c9f18722eb1bdc867ae65d4f4b6233598747ed3dd3c117c60dfc943ad03f82d970ccc980863401c3842a92813d3231ea586dcb035df991328cbe01

Download Submit
C:\Users\Admin\AppData\Roaming\5894.E1F

Filesize
1KB

MD5
0e728bfe83dfd8a936d2cb404287a489

SHA1
b92045b5630ea1a36f1192c169393823d42c8a23

SHA256
5ea189c3317b6220c7d37d1987a4266d3e56b45170ad1515a554b13586b3b35c

SHA512
f6a9f93e8d4e966fdb9f12204ea3a01b503e7ed43312fd376ddc74a6dec012eeb74a0c3779dc4c42520d5c5c044912163709f72c559a742558e8d55f45b4e29a

Download Submit
C:\Users\Admin\AppData\Roaming\5894.E1F

Filesize
996B

MD5
13aefcfa1f61d59bc73cdb7a517f0ac1

SHA1
5ba9a8532b736910c7dbb44b04a74f94bec07ea1

SHA256
582ca7163f5f5e429df6e4a72f5677e4412e78e607bee5b0a204a25fca73d1c7

SHA512
7d80c34255ad903c17cf3acea9ea1c47fe091d0010c98843582b398309a075fc2bbb056df6b64e84a5a49071f9f08d34b598960b86a92bde849d2b8406484d5d

Download Submit
memory/752-85-0x00000000005C5000-0x00000000005DE000-memory.dmp

Filesize
100KB

Download
memory/752-84-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2884-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2884-12-0x00000000005A5000-0x00000000005BE000-memory.dmp

Filesize
100KB

Download
memory/3024-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3024-75-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3024-86-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3024-192-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads