59ca0250355e1ab36084e39541a6e1cd07869a8e96f5c4c3bc0ba290a4276589

General

Target

1b2a23c210f724701ee20134dd8b9b6f_JaffaCakes118.exe
Size

176KB
MD5

1b2a23c210f724701ee20134dd8b9b6f
SHA1

ef533c90fdebe53f5735b586943cf395cac2129f
SHA256

59ca0250355e1ab36084e39541a6e1cd07869a8e96f5c4c3bc0ba290a4276589
SHA512

018fd6da3761e7fbdc5270fb055feeaa81d743959327f85ef73fd1afd8d034ac81f825590969bf1f57e898b2889704d46581aa1d3e1b249b3eecdd00d6d32951
SSDEEP

3072:OblnYGRMOv/6JElJ6m/k+bD8yDDqhzJbn5BCMngmz+oFmR6XQfg9loG4LOG8WnC:OSGLJ6m/fX8kDqpJD5UMngmKoF6fpG4X

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2040-1-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2768-12-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2040-14-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2172-80-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2172-82-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2040-83-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2040-175-0x0000000000400000-0x000000000044B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	1b2a23c210f724701ee20134dd8b9b6f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2768	2040	1b2a23c210f724701ee20134dd8b9b6f_JaffaCakes118.exe	28
PID 2040 wrote to memory of 2768	2040	1b2a23c210f724701ee20134dd8b9b6f_JaffaCakes118.exe	28
PID 2040 wrote to memory of 2768	2040	1b2a23c210f724701ee20134dd8b9b6f_JaffaCakes118.exe	28
PID 2040 wrote to memory of 2768	2040	1b2a23c210f724701ee20134dd8b9b6f_JaffaCakes118.exe	28
PID 2040 wrote to memory of 2172	2040	1b2a23c210f724701ee20134dd8b9b6f_JaffaCakes118.exe	30
PID 2040 wrote to memory of 2172	2040	1b2a23c210f724701ee20134dd8b9b6f_JaffaCakes118.exe	30
PID 2040 wrote to memory of 2172	2040	1b2a23c210f724701ee20134dd8b9b6f_JaffaCakes118.exe	30
PID 2040 wrote to memory of 2172	2040	1b2a23c210f724701ee20134dd8b9b6f_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\1b2a23c210f724701ee20134dd8b9b6f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b2a23c210f724701ee20134dd8b9b6f_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\1b2a23c210f724701ee20134dd8b9b6f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\1b2a23c210f724701ee20134dd8b9b6f_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2768
- C:\Users\Admin\AppData\Local\Temp\1b2a23c210f724701ee20134dd8b9b6f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\1b2a23c210f724701ee20134dd8b9b6f_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\03E8.424

Filesize
1KB

MD5
82076d123ccfb896f71192604f73c8e5

SHA1
f7d1e4e7c833497662746f80f0e632cca7da9464

SHA256
7dc0e4994f12a2f3a95f1008fc62a4d135bdb9574f2b607dd8ed641ecbd3f99a

SHA512
d15abbe63a76df17126154a5ebc51693793d833bb1f2eb0122988faf197a135ce5bb6c93cf7f3875f46ef77d20eadc51dbdea76988470f1002c8e98397438600

Download Submit
C:\Users\Admin\AppData\Roaming\03E8.424

Filesize
600B

MD5
14a05b8fc937e97a59334c77eee713fc

SHA1
c4ace42de74ba9d313c07bd3172e97d5b66956b8

SHA256
580b6f2e7d510e3fbd56095539d1e203fcb671f648316e815bab3bfc8e70631e

SHA512
d2279abcb68c7c7c64f5cedfa6332e4ad808fbbcf776b3f2cf542bb733795ccbd9c949ec8dbd8dbd1685651aea1a9dab80220ca9166e774bd19ea55016fff4cd

Download Submit
C:\Users\Admin\AppData\Roaming\03E8.424

Filesize
996B

MD5
4d6970ec1e3a2fe8ec499cb6b4b74095

SHA1
9906cc71415b6a602e0d0e7be3a3ad5662689bbc

SHA256
da6a44ac89132b050fc5539c0c9f03f3e09b1b3db8b0cf13bafd66911bbe7be4

SHA512
1c75dd074463dea2fcb9bbf065fe3036201fc319d0d0cfe8e639b38ee8b357f678300aa5f1f3d160e3fb0cbeec2c37b2270dddfefa0e32a08e4b96e83af8c21c

Download Submit
memory/2040-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2040-14-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2040-83-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2040-175-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2172-80-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2172-82-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-12-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-13-0x0000000000278000-0x0000000000295000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads