ce28755f407941f29c0883030febd2a022673655bd2882f35676257fb454c8aa

General

Target

23e0d4eac652233daf43549d869faf38_JaffaCakes118.exe
Size

863KB
MD5

23e0d4eac652233daf43549d869faf38
SHA1

bf31defb313f8b16bfada89474b55548fefd9332
SHA256

ce28755f407941f29c0883030febd2a022673655bd2882f35676257fb454c8aa
SHA512

5afe74e0625f9b7afcefe6d2fd1706ce85074e9d363cd3b20eef2854de6675c524543448212c3e099d2376ad81af9eba8d08085d411922908bca9ddda27ee422
SSDEEP

12288:5ZeSGV/1CGR2XAVcA8uboROFVYqkNHBv3s3u/RnAm1Jihez98+Nm/LJmxm755+D0:q5H8QhFKvfqQrkkwk6MG+IbWyZ

Score

10^/10

spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
1q2w3e4r5t6y

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	23e0d4eac652233daf43549d869faf38_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RfTOuESDiKGAjVfVsry.exe

Executes dropped EXE 6 IoCs

pid	Process
4200	I love you.exe
4936	0.exe
4184	I love you.exe
448	0.exe
1516	RfTOuESDiKGAjVfVsry.exe
1272	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\Windows Firewall\config\svchost.exe	RfTOuESDiKGAjVfVsry.exe
File opened for modification	C:\Windows\System32\Windows Firewall\config\svchost.exe	RfTOuESDiKGAjVfVsry.exe
File opened for modification	C:\Windows\system32\Windows Firewall\config\svchost.exe	RfTOuESDiKGAjVfVsry.exe
File opened for modification	C:\Windows\system32\Windows Firewall	RfTOuESDiKGAjVfVsry.exe
File opened for modification	C:\Windows\system32\Windows Firewall\config	RfTOuESDiKGAjVfVsry.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4936	0.exe
4936	0.exe
4936	0.exe
4936	0.exe
4936	0.exe
4936	0.exe
4936	0.exe
4936	0.exe
4936	0.exe
4936	0.exe
4936	0.exe
448	0.exe
448	0.exe
448	0.exe
448	0.exe
448	0.exe
448	0.exe
448	0.exe
448	0.exe
448	0.exe
448	0.exe
448	0.exe
1516	RfTOuESDiKGAjVfVsry.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4936	0.exe
448	0.exe
1272	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4200	I love you.exe
Token: SeDebugPrivilege	4184	I love you.exe
Token: SeDebugPrivilege	4936	0.exe
Token: SeDebugPrivilege	448	0.exe
Token: SeDebugPrivilege	1516	RfTOuESDiKGAjVfVsry.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1516	RfTOuESDiKGAjVfVsry.exe
4936	0.exe
448	0.exe
1272	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 4200	3292	23e0d4eac652233daf43549d869faf38_JaffaCakes118.exe	83
PID 3292 wrote to memory of 4200	3292	23e0d4eac652233daf43549d869faf38_JaffaCakes118.exe	83
PID 3292 wrote to memory of 4200	3292	23e0d4eac652233daf43549d869faf38_JaffaCakes118.exe	83
PID 3292 wrote to memory of 4936	3292	23e0d4eac652233daf43549d869faf38_JaffaCakes118.exe	84
PID 3292 wrote to memory of 4936	3292	23e0d4eac652233daf43549d869faf38_JaffaCakes118.exe	84
PID 3292 wrote to memory of 4184	3292	23e0d4eac652233daf43549d869faf38_JaffaCakes118.exe	85
PID 3292 wrote to memory of 4184	3292	23e0d4eac652233daf43549d869faf38_JaffaCakes118.exe	85
PID 3292 wrote to memory of 4184	3292	23e0d4eac652233daf43549d869faf38_JaffaCakes118.exe	85
PID 3292 wrote to memory of 448	3292	23e0d4eac652233daf43549d869faf38_JaffaCakes118.exe	86
PID 3292 wrote to memory of 448	3292	23e0d4eac652233daf43549d869faf38_JaffaCakes118.exe	86
PID 3292 wrote to memory of 1516	3292	23e0d4eac652233daf43549d869faf38_JaffaCakes118.exe	87
PID 3292 wrote to memory of 1516	3292	23e0d4eac652233daf43549d869faf38_JaffaCakes118.exe	87
PID 1516 wrote to memory of 1272	1516	RfTOuESDiKGAjVfVsry.exe	88
PID 1516 wrote to memory of 1272	1516	RfTOuESDiKGAjVfVsry.exe	88

C:\Users\Admin\AppData\Local\Temp\23e0d4eac652233daf43549d869faf38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\23e0d4eac652233daf43549d869faf38_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\I love you.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\I love you.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4200
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\0.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4936
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\I love you.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\I love you.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4184
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\0.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:448
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\RfTOuESDiKGAjVfVsry.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\RfTOuESDiKGAjVfVsry.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\system32\Windows Firewall\config\svchost.exe
    "C:\Windows\system32\Windows Firewall\config\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\0.exe

Filesize
456KB

MD5
d65f5a594aa97b708c585b0c0f62c7b5

SHA1
793ed8092b3f4bb0a7ccb1260a9c711b5598da7c

SHA256
1145c82ae33ff22f62ea59f20b3845b2b9d5ad904515db81a64e6f6afa7f034a

SHA512
e2e85764a2e801e7d76d983a04c81a82f6741f1a870923e5d0a6a331e0945d3d48ac775ace7e56375c327e76c42319427eb94576c4df2c5cc315efbcc5348f80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\I love you.exe

Filesize
89KB

MD5
ebcd394914716014495fb12ea00416b0

SHA1
dff5c6257d9aa0e42a7547e4c1845a856cb1b297

SHA256
1a172dc6f95e23da267884ee6dd375e24e307c2ff050f64dcc5e254b6027ca6e

SHA512
531fbf8cfb1de5a600a263535a0b3a03bd8a6328512e57dc3e5398a198778e9d97c081e896d7a48ce3527aa8632d2576b7aa9ad34eadb2f95b9c6ca3447ea4b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\RfTOuESDiKGAjVfVsry.exe

Filesize
56KB

MD5
a270250b8dc80af3b4ed1d44da7edff5

SHA1
97f4afa2e719f345c8c49759511a80d56550268d

SHA256
9bd065dc321f476444c9a3c8cf18e9f20d634fff637fa3b1a324aec76b77bc20

SHA512
a09c3d7b338f52066de41a5231863afef1fa3a1a8ac04d4ba414a3bb53ed956de44f4bfa2fb942200975f67e1a60bb7a4eb3abd4d00d90994e548906c7ce8ab5

Download Submit
memory/3292-3-0x000000001C8F0000-0x000000001C996000-memory.dmp

Filesize
664KB

Download
memory/3292-5-0x00007FFF67150000-0x00007FFF67AF1000-memory.dmp

Filesize
9.6MB

Download
memory/3292-2-0x000000001C420000-0x000000001C8EE000-memory.dmp

Filesize
4.8MB

Download
memory/3292-1-0x00007FFF67150000-0x00007FFF67AF1000-memory.dmp

Filesize
9.6MB

Download
memory/3292-0-0x00007FFF67405000-0x00007FFF67406000-memory.dmp

Filesize
4KB

Download
memory/3292-45-0x00007FFF67150000-0x00007FFF67AF1000-memory.dmp

Filesize
9.6MB

Download
memory/4184-69-0x0000000000F70000-0x0000000000F80000-memory.dmp

Filesize
64KB

Download
memory/4184-49-0x0000000000F70000-0x0000000000F80000-memory.dmp

Filesize
64KB

Download
memory/4200-50-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download
memory/4200-70-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download
memory/4936-44-0x00007FFF67150000-0x00007FFF67AF1000-memory.dmp

Filesize
9.6MB

Download
memory/4936-47-0x00007FFF67150000-0x00007FFF67AF1000-memory.dmp

Filesize
9.6MB

Download
memory/4936-46-0x0000000001670000-0x0000000001678000-memory.dmp

Filesize
32KB

Download
memory/4936-48-0x000000001CA30000-0x000000001CA7C000-memory.dmp

Filesize
304KB

Download
memory/4936-67-0x00007FFF67150000-0x00007FFF67AF1000-memory.dmp

Filesize
9.6MB

Download
memory/4936-68-0x00007FFF67150000-0x00007FFF67AF1000-memory.dmp

Filesize
9.6MB

Download
memory/4936-42-0x000000001C8D0000-0x000000001C96C000-memory.dmp

Filesize
624KB

Download
memory/4936-38-0x00007FFF67150000-0x00007FFF67AF1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing