e2f3d9ed24f2318cbda5f3a4a80eb46204e9a191978c9b73971ecfc4b5f5dbe7

General

Target

2ac464aac49537a0c6c023c30c5f2cb1_JaffaCakes118.exe
Size

552KB
MD5

2ac464aac49537a0c6c023c30c5f2cb1
SHA1

5689ec2fb93013842400e37b4d5b05b56084e31d
SHA256

e2f3d9ed24f2318cbda5f3a4a80eb46204e9a191978c9b73971ecfc4b5f5dbe7
SHA512

07bbfcbe64be67125f6b32b8bf5653fd31b129761cc147f0840bd4197470961e4a7e2a3d70f91a28ce1c63845f6d758a9f73adebac5b6bc209326fbefb405359
SSDEEP

6144:Sf/YnyF5SW3tYJaFXcfowRppuyF5SW3tgJaFr7555/4zAaEpV3s6tdm5:SfJ/R3Yeao6ppZ/R30eufEpvu

Score

10^/10

spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
Smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
Spanglish1

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2ac464aac49537a0c6c023c30c5f2cb1_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	2ac464aac49537a0c6c023c30c5f2cb1_JaffaCakes118.exe

Drops startup file 2 IoCs

Processes:

RsBotAuthGenv1.6.exe

description	ioc	process
File created	C:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogin.exe	RsBotAuthGenv1.6.exe
File opened for modification	C:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogin.exe	RsBotAuthGenv1.6.exe

Executes dropped EXE 3 IoCs

Processes:

RSBots_Auth_Gen.exeRsBotAuthGenv1.6.exeMicrosoftnet.exe

pid process

5044 RSBots_Auth_Gen.exe
4576 RsBotAuthGenv1.6.exe
3484 Microsoftnet.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5044	RSBots_Auth_Gen.exe
4576	RsBotAuthGenv1.6.exe
3484	Microsoftnet.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

2ac464aac49537a0c6c023c30c5f2cb1_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	2ac464aac49537a0c6c023c30c5f2cb1_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	2ac464aac49537a0c6c023c30c5f2cb1_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 whatismyip.com

flow	ioc
13	whatismyip.com

Drops file in Windows directory 3 IoCs

Processes:

2ac464aac49537a0c6c023c30c5f2cb1_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	2ac464aac49537a0c6c023c30c5f2cb1_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	2ac464aac49537a0c6c023c30c5f2cb1_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	2ac464aac49537a0c6c023c30c5f2cb1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

RsBotAuthGenv1.6.exe

pid process

4576 RsBotAuthGenv1.6.exe
4576 RsBotAuthGenv1.6.exe
4576 RsBotAuthGenv1.6.exe
4576 RsBotAuthGenv1.6.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Microsoftnet.exe

pid process

3484 Microsoftnet.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RsBotAuthGenv1.6.exe

description pid process

Token: SeDebugPrivilege 4576 RsBotAuthGenv1.6.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Microsoftnet.exe

pid process

3484 Microsoftnet.exe

pid	process
4576	RsBotAuthGenv1.6.exe
4576	RsBotAuthGenv1.6.exe
4576	RsBotAuthGenv1.6.exe
4576	RsBotAuthGenv1.6.exe

pid	process
3484	Microsoftnet.exe

description	pid	process
Token: SeDebugPrivilege	4576	RsBotAuthGenv1.6.exe

pid	process
3484	Microsoftnet.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2ac464aac49537a0c6c023c30c5f2cb1_JaffaCakes118.exeRsBotAuthGenv1.6.exe

description	pid	process	target process
PID 3248 wrote to memory of 5044	3248	2ac464aac49537a0c6c023c30c5f2cb1_JaffaCakes118.exe	RSBots_Auth_Gen.exe
PID 3248 wrote to memory of 5044	3248	2ac464aac49537a0c6c023c30c5f2cb1_JaffaCakes118.exe	RSBots_Auth_Gen.exe
PID 3248 wrote to memory of 4576	3248	2ac464aac49537a0c6c023c30c5f2cb1_JaffaCakes118.exe	RsBotAuthGenv1.6.exe
PID 3248 wrote to memory of 4576	3248	2ac464aac49537a0c6c023c30c5f2cb1_JaffaCakes118.exe	RsBotAuthGenv1.6.exe
PID 4576 wrote to memory of 3484	4576	RsBotAuthGenv1.6.exe	Microsoftnet.exe
PID 4576 wrote to memory of 3484	4576	RsBotAuthGenv1.6.exe	Microsoftnet.exe

C:\Users\Admin\AppData\Local\Temp\2ac464aac49537a0c6c023c30c5f2cb1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ac464aac49537a0c6c023c30c5f2cb1_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3248

C:\Users\Admin\AppData\Local\Temp\RSBots_Auth_Gen.exe
"C:\Users\Admin\AppData\Local\Temp\RSBots_Auth_Gen.exe"
2⤵
- Executes dropped EXE
PID:5044

C:\Users\Admin\AppData\Local\Temp\RsBotAuthGenv1.6.exe
"C:\Users\Admin\AppData\Local\Temp\RsBotAuthGenv1.6.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576

C:\Users\Admin\AppData\Local\Temp\Microsoftnet.exe
C:\Users\Admin\AppData\Local\Temp\Microsoftnet.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoftnet.exe

Filesize
18KB

MD5
ddaa9ac21ce4316190e2a8780f9aa4d2

SHA1
0721e72c05adf6eae41d1af7fb4a47463a7a2202

SHA256
5daea85cf593f2bae2877b407bb1f774f030a70fd4f28167e1accea350176960

SHA512
17b74eda39863bf4738275b6b2df7429f6bbf0cbc43445f19e3dfd2cfa8e78907e33d39fdf5dee0652cf9676e0bb05889a05ae9c5dffa787012da6ba25594d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RSBots_Auth_Gen.exe

Filesize
332KB

MD5
8f22bc0e8e470eaa5db321104a3b57d8

SHA1
084589806236369e72d2a73d92efb6aec0fb6b7a

SHA256
647740f31ff7cb91213c330a98f1edf0cdcdb5b0268a0bdeac99e9c0153b8e88

SHA512
b1b553851016bbecbe98e73d8941156365baf6f899460851d20a41287160a0035eddf90dff65a3c24d4a368db81f15b98e874a7e06cb6d2ae631ae3fc3341437

Download Submit
C:\Users\Admin\AppData\Local\Temp\RsBotAuthGenv1.6.exe

Filesize
182KB

MD5
88842b5508bfbb6a6c580380d87b0541

SHA1
a1e7bf9e2e6ac4756c13c1dce61b89475d97e237

SHA256
9491638673574e4eb1b6dc4e29484c89ff107948afaaf47c17464881c73c8917

SHA512
18c884eabed1a3fbc52007f73ba0a0b8f684d37f40e2f150cbd59d87d75250fe5df91c2e2cf4fcd73fba2f81d6ad5b8089e34a2b66e0445b203c3224392d5d9a

Download Submit
memory/3248-6-0x000000001B870000-0x000000001B878000-memory.dmp

Filesize
32KB

Download
memory/3248-4-0x000000001BF30000-0x000000001C3FE000-memory.dmp

Filesize
4.8MB

Download
memory/3248-5-0x000000001C4F0000-0x000000001C58C000-memory.dmp

Filesize
624KB

Download
memory/3248-36-0x00007FFCB2B90000-0x00007FFCB3531000-memory.dmp

Filesize
9.6MB

Download
memory/3248-7-0x000000001C650000-0x000000001C69C000-memory.dmp

Filesize
304KB

Download
memory/3248-8-0x000000001B8D0000-0x000000001B8D6000-memory.dmp

Filesize
24KB

Download
memory/3248-12-0x00007FFCB2B90000-0x00007FFCB3531000-memory.dmp

Filesize
9.6MB

Download
memory/3248-3-0x000000001B9B0000-0x000000001BA56000-memory.dmp

Filesize
664KB

Download
memory/3248-2-0x00007FFCB2B90000-0x00007FFCB3531000-memory.dmp

Filesize
9.6MB

Download
memory/3248-1-0x00007FFCB2B90000-0x00007FFCB3531000-memory.dmp

Filesize
9.6MB

Download
memory/3248-0-0x00007FFCB2E45000-0x00007FFCB2E46000-memory.dmp

Filesize
4KB

Download
memory/4576-41-0x00007FFCB2B90000-0x00007FFCB3531000-memory.dmp

Filesize
9.6MB

Download
memory/4576-39-0x00007FFCB2B90000-0x00007FFCB3531000-memory.dmp

Filesize
9.6MB

Download
memory/4576-40-0x00007FFCB2B90000-0x00007FFCB3531000-memory.dmp

Filesize
9.6MB

Download
memory/4576-42-0x000000001CF20000-0x000000001CF82000-memory.dmp

Filesize
392KB

Download
memory/4576-43-0x000000001B9A0000-0x000000001B9AC000-memory.dmp

Filesize
48KB

Download
memory/4576-44-0x000000001FDD0000-0x00000000200DE000-memory.dmp

Filesize
3.1MB

Download
memory/4576-52-0x00007FFCB2B90000-0x00007FFCB3531000-memory.dmp

Filesize
9.6MB

Download
memory/5044-38-0x00007FFCB2B90000-0x00007FFCB3531000-memory.dmp

Filesize
9.6MB

Download
memory/5044-37-0x00007FFCB2B90000-0x00007FFCB3531000-memory.dmp

Filesize
9.6MB

Download
memory/5044-35-0x00007FFCB2B90000-0x00007FFCB3531000-memory.dmp

Filesize
9.6MB

Download
memory/5044-51-0x00007FFCB2B90000-0x00007FFCB3531000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads