13a3581a37706be4f1981aca5698e17148a0c72936349764a7588f58f5bb2cf7

General

Target

2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe
Size

191KB
MD5

2bc85ec3e2af255b36a3dbef4fb571dc
SHA1

17498d068aa728382146f856b3ed157f4016d660
SHA256

13a3581a37706be4f1981aca5698e17148a0c72936349764a7588f58f5bb2cf7
SHA512

16cd93da5720aa01ce26c9081eac4b00bbe224314ba690106d045be1a4bc6ae739be4adc78f8d3fa70c84f42b556ddfc27a3a9ab6e39aa9ae2a5bb619894ad9b
SSDEEP

3072:iDm8eGKHNU7haVnJWfqE7YFwsYx5mSnV19/kaUaq7oq2mrBYRwEE0yAEHB3t:iDmGMSQdqNYF5YxN1CTaq7woewEo

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2220-1-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2400-8-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2400-7-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2220-87-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/3060-90-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2220-206-0x0000000000400000-0x0000000000490000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2400	2220	2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2400	2220	2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2400	2220	2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2400	2220	2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe	30
PID 2220 wrote to memory of 3060	2220	2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe	33
PID 2220 wrote to memory of 3060	2220	2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe	33
PID 2220 wrote to memory of 3060	2220	2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe	33
PID 2220 wrote to memory of 3060	2220	2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2400
- C:\Users\Admin\AppData\Local\Temp\2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F625.9A9

Filesize
600B

MD5
8b41d37d36a251b8378cebfb706f1ae0

SHA1
2c7873cde4627cc838dc48edfe8bedbd59635e82

SHA256
a709edae3f707ef3f7ce315695be1968cd16ab60954be265fbfb289a33dff73c

SHA512
9f651ea919b7a5ae1b6bb559ffbb55fa28c9bca396635be14bc9ef579a003214a1b2012692b54af1fc3d35732c7ec44ed9eb57c9f4ec8352918d063fc5978ef3

Download Submit
C:\Users\Admin\AppData\Roaming\F625.9A9

Filesize
1KB

MD5
727e6713850be43a7be9151ce2443f8d

SHA1
9bcf5878d8ad4a5d06d3d361821e9d83d12ffc2e

SHA256
865ad060cbd26c9aa0632cc619e4b57aa38a48d32540038ad4a98c705577e5e1

SHA512
fdee2dc9a4ad7e71e10b099d3338f06122e16c321589aa44cfe17acb6910e89215351b058c53e8dc66c731412404c8c7f4232ac6c8655238ede6a316ea2f67e5

Download Submit
C:\Users\Admin\AppData\Roaming\F625.9A9

Filesize
1KB

MD5
6504d0cff3f5a165717f0b4cf9058192

SHA1
2d5ba5e25b2235b04fe890b4f41bc8c77a78aae3

SHA256
2179bd0cb8230c8ef1bb274646b629028c8d7c3ac56cfc619470f198b317d571

SHA512
47e15d059cac360ae32bb7a0cc4804052f9a3b60483e72572abbc25a10a8d7efc9a8e5dc1b3e6b019bedea8b0a70cab77b5e7697822ec1ef6a673421f83b63fb

Download Submit
memory/2220-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2220-87-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2220-206-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2400-8-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2400-7-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3060-90-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3060-89-0x0000000000915000-0x0000000000934000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads