c7dc414effdb429d1457515940fa3a2bfc80ce3164552bd1f8accebd446bb3ab

General

Target

175e0c992c5f16181773946803ce6624_JaffaCakes118.exe
Size

116KB
MD5

175e0c992c5f16181773946803ce6624
SHA1

e742a17932106109f3044b7b69777f3803d1fb4f
SHA256

c7dc414effdb429d1457515940fa3a2bfc80ce3164552bd1f8accebd446bb3ab
SHA512

57bb4f82dbc6f3ef35aadd1d09bdbce281c5f6cba70554c66bb21d24c4054f043784e7787064c6de62e9f3ac7af210ed4632d9e76a0279d0ced77416197080f0
SSDEEP

1536:sTXsDOMfOpK7fdHSFVo/sK7bpEVFTXlTVgkGmRoAjR3kMbRGSQXPXspp:sTcS9K7fdHDsK7VE7l6kGmRoe3kBLP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2536	windows.exe
2584	windows.exe

Loads dropped DLL 3 IoCs

pid	Process
2472	175e0c992c5f16181773946803ce6624_JaffaCakes118.exe
2472	175e0c992c5f16181773946803ce6624_JaffaCakes118.exe
2536	windows.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Login access = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe"	175e0c992c5f16181773946803ce6624_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Login access = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe"	175e0c992c5f16181773946803ce6624_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2292 set thread context of 2472	2292	175e0c992c5f16181773946803ce6624_JaffaCakes118.exe	28
PID 2536 set thread context of 2584	2536	windows.exe	30

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://redirecturls.info/"	windows.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2472	2292	175e0c992c5f16181773946803ce6624_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2472	2292	175e0c992c5f16181773946803ce6624_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2472	2292	175e0c992c5f16181773946803ce6624_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2472	2292	175e0c992c5f16181773946803ce6624_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2472	2292	175e0c992c5f16181773946803ce6624_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2472	2292	175e0c992c5f16181773946803ce6624_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2472	2292	175e0c992c5f16181773946803ce6624_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2472	2292	175e0c992c5f16181773946803ce6624_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2472	2292	175e0c992c5f16181773946803ce6624_JaffaCakes118.exe	28
PID 2472 wrote to memory of 2536	2472	175e0c992c5f16181773946803ce6624_JaffaCakes118.exe	29
PID 2472 wrote to memory of 2536	2472	175e0c992c5f16181773946803ce6624_JaffaCakes118.exe	29
PID 2472 wrote to memory of 2536	2472	175e0c992c5f16181773946803ce6624_JaffaCakes118.exe	29
PID 2472 wrote to memory of 2536	2472	175e0c992c5f16181773946803ce6624_JaffaCakes118.exe	29
PID 2536 wrote to memory of 2584	2536	windows.exe	30
PID 2536 wrote to memory of 2584	2536	windows.exe	30
PID 2536 wrote to memory of 2584	2536	windows.exe	30
PID 2536 wrote to memory of 2584	2536	windows.exe	30
PID 2536 wrote to memory of 2584	2536	windows.exe	30
PID 2536 wrote to memory of 2584	2536	windows.exe	30
PID 2536 wrote to memory of 2584	2536	windows.exe	30
PID 2536 wrote to memory of 2584	2536	windows.exe	30
PID 2536 wrote to memory of 2584	2536	windows.exe	30

C:\Users\Admin\AppData\Local\Temp\175e0c992c5f16181773946803ce6624_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\175e0c992c5f16181773946803ce6624_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\175e0c992c5f16181773946803ce6624_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\175e0c992c5f16181773946803ce6624_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Users\Admin\AppData\Roaming\windows.exe
    "C:\Users\Admin\AppData\Roaming\windows.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Users\Admin\AppData\Roaming\windows.exe
      "C:\Users\Admin\AppData\Roaming\windows.exe"
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer start page
      PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\prefs.js

Filesize
6KB

MD5
544ea61d4d955627170593fb4a93d993

SHA1
3f2cbb57859b57b09900c50a7a0a43cf950c0cd2

SHA256
a2dadd7e30b3e398ea1d1ea736be489d075b2115eacdea9777996c44c79bb243

SHA512
2d340de11cb4803d772f1b272e70c0e34076dbbba530383662983ad1c219731f3d9b2778f2f339471a22bfee22389f914ef6d78aea40a27debfdbee6bef8b0a8

Download Submit
\Users\Admin\AppData\Roaming\windows.exe

Filesize
116KB

MD5
175e0c992c5f16181773946803ce6624

SHA1
e742a17932106109f3044b7b69777f3803d1fb4f

SHA256
c7dc414effdb429d1457515940fa3a2bfc80ce3164552bd1f8accebd446bb3ab

SHA512
57bb4f82dbc6f3ef35aadd1d09bdbce281c5f6cba70554c66bb21d24c4054f043784e7787064c6de62e9f3ac7af210ed4632d9e76a0279d0ced77416197080f0

Download Submit
memory/2292-0-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2292-1-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2472-8-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2472-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2472-6-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2472-12-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2472-14-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2472-15-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2472-4-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2472-2-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2536-27-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2536-26-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads