90062e6119e33002894556095c0a649a4b2b3fffd4a06923d3d85f1009c35b37

General

Target

2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
Size

38KB
MD5

2bd1fb53eaa50768839e2f0af0f28776
SHA1

128ed940f232e13e96b03132365ef17c54c5ac2a
SHA256

90062e6119e33002894556095c0a649a4b2b3fffd4a06923d3d85f1009c35b37
SHA512

37e851d8a71cb2885476528c929422f7db73e48b70579eef85f7369e373a3e809a641a91810a524168358e90f9dd07588de287a612aa08447c35f2b2610fdc74
SSDEEP

768:BDRyti+nKpMbrOhvLXcgQqTO/yXeL9+K62aHAAxgjxPvlZ4:bl+nKpUChvLXcgQ4uL4rNHAOKlvlZ4

Score

10^/10

evasion execution spyware stealer upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
2520	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2520	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2356-0-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2356-11-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2356-15-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\yuksuser.dll	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ksuser.dll	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\midimap.dll	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\yumsimg32.dll	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msimg32.dll	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\yuksuser.dll	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\yumidimap.dll	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\msimg32.dll	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sysapp10.dll	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\ksuser.dll	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3020	sc.exe
3036	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2356	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
2356	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
2356	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
2356	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2356	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2964	2356	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe	30
PID 2356 wrote to memory of 2964	2356	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe	30
PID 2356 wrote to memory of 2964	2356	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe	30
PID 2356 wrote to memory of 2964	2356	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe	30
PID 2356 wrote to memory of 3020	2356	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe	31
PID 2356 wrote to memory of 3020	2356	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe	31
PID 2356 wrote to memory of 3020	2356	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe	31
PID 2356 wrote to memory of 3020	2356	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe	31
PID 2356 wrote to memory of 3036	2356	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe	32
PID 2356 wrote to memory of 3036	2356	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe	32
PID 2356 wrote to memory of 3036	2356	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe	32
PID 2356 wrote to memory of 3036	2356	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe	32
PID 2964 wrote to memory of 1644	2964	net.exe	36
PID 2964 wrote to memory of 1644	2964	net.exe	36
PID 2964 wrote to memory of 1644	2964	net.exe	36
PID 2964 wrote to memory of 1644	2964	net.exe	36
PID 2356 wrote to memory of 2520	2356	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe	37
PID 2356 wrote to memory of 2520	2356	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe	37
PID 2356 wrote to memory of 2520	2356	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe	37
PID 2356 wrote to memory of 2520	2356	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe	37
PID 2356 wrote to memory of 2520	2356	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe	37
PID 2356 wrote to memory of 2520	2356	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe	37
PID 2356 wrote to memory of 2520	2356	2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe	37

C:\Users\Admin\AppData\Local\Temp\2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    PID:1644
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:3020
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  PID:3036
- C:\Windows\SysWOW64\rundll32.exe
  C:\Users\Admin\AppData\Local\Temp\1720453282.dat, ServerMain c:\users\admin\appdata\local\temp\2bd1fb53eaa50768839e2f0af0f28776_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2

T1569

Service Execution

2

T1569.002

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Service Stop

2

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1720453282.dat

Filesize
41KB

MD5
d239375a31f89dc6e0bcb23911182c30

SHA1
13bdbce0d2ca4eca245e96d5b6793968c44d0889

SHA256
8280227369f696e6f67f07b3379882f5e2b036c626f800f1c0e130e3f306e31a

SHA512
bae8368ede5d7263b0a4e22b801f220cba5ed9858dd0e059c36039e466f1307e24ce78cf1ad91b094cf4e1f5aaf4bd4b173fc15186105410e443a6438d95d53f

Download Submit
memory/2356-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2356-11-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2356-15-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing