14aea75e6708aa6c774811c29c8e8cd25d8165248809d2f80836d8f71d494114

General

Target

22e7f64565236e2508a4a62c2287346a_JaffaCakes118.exe
Size

189KB
MD5

22e7f64565236e2508a4a62c2287346a
SHA1

b40c0fc9a39b9cf2f2a9e010aebb592a0a7efd30
SHA256

14aea75e6708aa6c774811c29c8e8cd25d8165248809d2f80836d8f71d494114
SHA512

85b661f90d1f16817fa8301b05c82b5b9b6f4501e7eeedd5061aa130288fc438ccdeb8a958f4782c36b6db8428d117e287d8d0d5567df1ecde0665dc6214f88e
SSDEEP

3072:5PRCsaLwju5S248EQ8pyesOL7/jzjNrlU+e3ofbKmqC0ud2PIujzjDleOeJP+CDS:5PRkmfD4esY7/zNRUN34KtC0ucPIujzG

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	22e7f64565236e2508a4a62c2287346a_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2132-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2636-11-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2636-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2636-13-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2132-88-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2900-89-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2636-160-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2132-197-0x0000000000400000-0x0000000000490000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2636	2132	22e7f64565236e2508a4a62c2287346a_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2636	2132	22e7f64565236e2508a4a62c2287346a_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2636	2132	22e7f64565236e2508a4a62c2287346a_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2636	2132	22e7f64565236e2508a4a62c2287346a_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2900	2132	22e7f64565236e2508a4a62c2287346a_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2900	2132	22e7f64565236e2508a4a62c2287346a_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2900	2132	22e7f64565236e2508a4a62c2287346a_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2900	2132	22e7f64565236e2508a4a62c2287346a_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\22e7f64565236e2508a4a62c2287346a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\22e7f64565236e2508a4a62c2287346a_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\22e7f64565236e2508a4a62c2287346a_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\22e7f64565236e2508a4a62c2287346a_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2636
- C:\Users\Admin\AppData\Local\Temp\22e7f64565236e2508a4a62c2287346a_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\22e7f64565236e2508a4a62c2287346a_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FFF8.636

Filesize
1KB

MD5
2238577d6017e9d0838e36ad313ca7ff

SHA1
eba51f93041e5a38114f283609f7dc79c13ad67f

SHA256
e77e2f4071ddffb14d36998f37e4554990404ffd8451abc967f54cadacc3a612

SHA512
acd5307fb4d298b4beba90639ed1e72fe269c9f94d9436a780025bf0a23ecd2fc015f9c8cf409e5b32ff3123a378b731de52cbacdba021dca8999ed16337ebb5

Download Submit
C:\Users\Admin\AppData\Roaming\FFF8.636

Filesize
600B

MD5
417a0c28629697c3ad3489e87f952cb5

SHA1
bd6cda311de68870eb6f997de443af1d10e7a916

SHA256
351e66a7e997778922327fe1b6751c7557a948693271c3155b13dbdd7819bdbe

SHA512
842184d10ba7ce119ce079b53631800f82996cc09152abfe67608676421bd7ba90c5f6453e09a19ce0961c8a74b4bf2b1e67e8c86dd42800d185dfe34b316331

Download Submit
C:\Users\Admin\AppData\Roaming\FFF8.636

Filesize
996B

MD5
dc374da1548312716a38f5741edd3ec3

SHA1
b7dcc2eca02673450f96f648fe25344246adf534

SHA256
aacf833d568ccecfc64af2685056af38dc45f7149c4bf99a9a80a085f6f609c9

SHA512
13cbdd2bac46d1d12437e5fcb6e6b54e5465f4b7f64815fa64e18d2aa8e4958265f5f9701be3ad5dbc6ca9d5eac68b377f0a0db2bd1a61724bab095dd218e4c8

Download Submit
memory/2132-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2132-88-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2132-197-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2636-11-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2636-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2636-13-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2636-160-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2900-89-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads