d1ce69c5fc34d3416c0eeb8dac05cbc663c36ef6fc130de4fea77a65d5fac902

General

Target

18602e3fb8c739feba286d5996a989a9_JaffaCakes118.exe
Size

176KB
MD5

18602e3fb8c739feba286d5996a989a9
SHA1

56543151b01e9a00dbda836df1d1d718c31c3092
SHA256

d1ce69c5fc34d3416c0eeb8dac05cbc663c36ef6fc130de4fea77a65d5fac902
SHA512

cb794444fbdf057bcc825510dbf017d30c995d1c87ad2f9021d4afe718ce5f52ab93046bb16664800355c922a8b9d3d457836d5d91b8f6aa4125e7c783bcaafa
SSDEEP

3072:+r7X5P0wL4TJgjflt9smv6XQdfZJazLElEzG/71ILqmMiWnkh:mtPtL4TJgj/9ogfuzKz15n6

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	18602e3fb8c739feba286d5996a989a9_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1900-1-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/2828-4-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/1900-65-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/2104-67-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/1900-157-0x0000000000400000-0x0000000000482000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2828	1900	18602e3fb8c739feba286d5996a989a9_JaffaCakes118.exe	28
PID 1900 wrote to memory of 2828	1900	18602e3fb8c739feba286d5996a989a9_JaffaCakes118.exe	28
PID 1900 wrote to memory of 2828	1900	18602e3fb8c739feba286d5996a989a9_JaffaCakes118.exe	28
PID 1900 wrote to memory of 2828	1900	18602e3fb8c739feba286d5996a989a9_JaffaCakes118.exe	28
PID 1900 wrote to memory of 2104	1900	18602e3fb8c739feba286d5996a989a9_JaffaCakes118.exe	30
PID 1900 wrote to memory of 2104	1900	18602e3fb8c739feba286d5996a989a9_JaffaCakes118.exe	30
PID 1900 wrote to memory of 2104	1900	18602e3fb8c739feba286d5996a989a9_JaffaCakes118.exe	30
PID 1900 wrote to memory of 2104	1900	18602e3fb8c739feba286d5996a989a9_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\18602e3fb8c739feba286d5996a989a9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18602e3fb8c739feba286d5996a989a9_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\18602e3fb8c739feba286d5996a989a9_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\18602e3fb8c739feba286d5996a989a9_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2828
- C:\Users\Admin\AppData\Local\Temp\18602e3fb8c739feba286d5996a989a9_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\18602e3fb8c739feba286d5996a989a9_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4C2F.DFC

Filesize
300B

MD5
163bda01b758fcc95f4213ad259e7434

SHA1
77420a00804c281e67522e0238d569452e2ff515

SHA256
5b871657866cc06465c480f3fb0c79b4cbefdcca8f2b27abd57f3a0f6246d894

SHA512
a29a333664d7eebd665bdbe7f0248871a19fa80830ba54a01815fdf7df073a36db06dccd3835c3c8fac7845d66dbc619bf99a4dc58ff1719fdca136f0e2b8213

Download Submit
C:\Users\Admin\AppData\Roaming\4C2F.DFC

Filesize
1KB

MD5
49c7d0ad847736f212378dd0cf3afc65

SHA1
327f05a9c7d7a10f08a3f053874e3ff8c30d7699

SHA256
609f6b7b697e056c81913775dcdb91b08598aa6c40fd24e559d50167ae72db4f

SHA512
bbbeda68589a8432f4f9ce1cc328919e5d4a42d3f13cfb9d8ee36f3bac02d5d0f18d57cacb839653c0a92122c2b8968a8c760fc4383d4bc5f7c4ea9ce5abd8c0

Download Submit
C:\Users\Admin\AppData\Roaming\4C2F.DFC

Filesize
696B

MD5
2b13712cda03bc3011aff898c9a24344

SHA1
11ed4052b71c2bb982d94b67890ddd5243f5eb4a

SHA256
ef699bd6da6c89c77c734e27f0c93f7899c754d2f9636ba8f77e2392bdbfd831

SHA512
f93648a336f927e9e25bf5e616b9cccfddcf469aeb6ff6bc5c602cd54a9fcd97548252b04a87a8951154bc387bbc30f7ebdd8d67fdd4ccec17248644696791da

Download Submit
memory/1900-1-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1900-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1900-157-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2104-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2828-4-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads