07797de96091eb1834817520d51d4eb40d5a0cf18f10765dba3f2e3578928ce9

General

Target

176e52512209fb6e15396cb8393f6fa8_JaffaCakes118.exe
Size

192KB
MD5

176e52512209fb6e15396cb8393f6fa8
SHA1

b00baa1c50de8b44b3fd493dcd5cce30d80fb7cb
SHA256

07797de96091eb1834817520d51d4eb40d5a0cf18f10765dba3f2e3578928ce9
SHA512

519da4cd4d0a812a306578d787ad542546bf2af1365ebff16fd5cbc6a0c054bdd45bd3ad14143e2d03ad73c35ff0470f4bfcd42a35d8c44696ee4bd65e564430
SSDEEP

3072:7kCTeuBtRP++rx61R1Ov81tkfRDx8DeWZvlEgH562gyCxbr5eRYWEpQj/5WZKzaT:7kCquBfP++rx6D1P1ER2DtlEgZ6nzZee

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	176e52512209fb6e15396cb8393f6fa8_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2964-1-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/3016-11-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/3016-14-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/3016-13-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2964-74-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2772-76-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2964-182-0x0000000000400000-0x0000000000470000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 3016	2964	176e52512209fb6e15396cb8393f6fa8_JaffaCakes118.exe	28
PID 2964 wrote to memory of 3016	2964	176e52512209fb6e15396cb8393f6fa8_JaffaCakes118.exe	28
PID 2964 wrote to memory of 3016	2964	176e52512209fb6e15396cb8393f6fa8_JaffaCakes118.exe	28
PID 2964 wrote to memory of 3016	2964	176e52512209fb6e15396cb8393f6fa8_JaffaCakes118.exe	28
PID 2964 wrote to memory of 2772	2964	176e52512209fb6e15396cb8393f6fa8_JaffaCakes118.exe	30
PID 2964 wrote to memory of 2772	2964	176e52512209fb6e15396cb8393f6fa8_JaffaCakes118.exe	30
PID 2964 wrote to memory of 2772	2964	176e52512209fb6e15396cb8393f6fa8_JaffaCakes118.exe	30
PID 2964 wrote to memory of 2772	2964	176e52512209fb6e15396cb8393f6fa8_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\176e52512209fb6e15396cb8393f6fa8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\176e52512209fb6e15396cb8393f6fa8_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\176e52512209fb6e15396cb8393f6fa8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\176e52512209fb6e15396cb8393f6fa8_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:3016
- C:\Users\Admin\AppData\Local\Temp\176e52512209fb6e15396cb8393f6fa8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\176e52512209fb6e15396cb8393f6fa8_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2F40.5EE

Filesize
1KB

MD5
0591d8b986f4fdc576150719baa5f246

SHA1
10f8e40fbc16f340758591175316433ca1a1e53c

SHA256
030c703078d9e9a747390222ec2595c2fffa604b37ef55aafee5b509ca7f1299

SHA512
50aee9ecbca8a8b6aaf078d3531e79f5f61b18e043712939514f775ffc36567d18b01edd700e987db01c0921541294750db2fd95d7a24781c4d5e51798a201ce

Download Submit
C:\Users\Admin\AppData\Roaming\2F40.5EE

Filesize
600B

MD5
70ccbe6d40a109069b6cfeb6ca54f0a2

SHA1
00cac0ab4493113b879c33a4eb29cc640d9648e8

SHA256
b8cdadd7c4fda31e78955a3f0ef6d38d1b8aa8021bad7508f1600170c88479c1

SHA512
502235a1e943808760e1605415892bc3ff314a4b0dded44996c9fea5521ffa583e07170d385e59916166e5f5a7e13d4212b6d0860efdf3bfa16d0cb2eab50a96

Download Submit
C:\Users\Admin\AppData\Roaming\2F40.5EE

Filesize
996B

MD5
09b0a24fe601866e345371204de116ba

SHA1
45b9c168b4e5e413a0544c8bd2ea296a81ba240c

SHA256
6ec1fc4af50d4b978cc4017fb1ba76d49bf48bd0214343884e044d970df82570

SHA512
eb13f601bf190fb41cbca1252e6957767159968a5a7ef29789518bdcb5d2c369bd26071809dd42b2abcd586498a233b9213629127d582757d9bdfca3f6ac8072

Download Submit
memory/2772-76-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2964-1-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2964-74-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2964-182-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3016-11-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3016-14-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3016-13-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads