f48afcae633ee525f655225353a6cecc8f7b5c7539330e12fa4464a298476566

General

Target

2f20133f655b7b8d83c7fccf564a61b6_JaffaCakes118.exe
Size

188KB
MD5

2f20133f655b7b8d83c7fccf564a61b6
SHA1

406c1db4a9c97d8fc316dee39fe9658854c6654f
SHA256

f48afcae633ee525f655225353a6cecc8f7b5c7539330e12fa4464a298476566
SHA512

82919387085b20759c780b1e5682c25a4e1c8f6af69ae81d8256d8adfef5198869df3637800399d86ffae12dd74c26a040324e8768eff554815f0034182845ac
SSDEEP

3072:1Suac9DFvTiGqo62w4Lyomp9cWUmpLr06AiIzVNQGcTzGFO:xaoDxiGk2ErcC3AiIpNQJ

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4076-1-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral2/memory/336-49-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral2/memory/336-51-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral2/memory/1304-113-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral2/memory/4076-115-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral2/memory/4076-224-0x0000000000400000-0x000000000044D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	2f20133f655b7b8d83c7fccf564a61b6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 336	4076	2f20133f655b7b8d83c7fccf564a61b6_JaffaCakes118.exe	83
PID 4076 wrote to memory of 336	4076	2f20133f655b7b8d83c7fccf564a61b6_JaffaCakes118.exe	83
PID 4076 wrote to memory of 336	4076	2f20133f655b7b8d83c7fccf564a61b6_JaffaCakes118.exe	83
PID 4076 wrote to memory of 1304	4076	2f20133f655b7b8d83c7fccf564a61b6_JaffaCakes118.exe	85
PID 4076 wrote to memory of 1304	4076	2f20133f655b7b8d83c7fccf564a61b6_JaffaCakes118.exe	85
PID 4076 wrote to memory of 1304	4076	2f20133f655b7b8d83c7fccf564a61b6_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\2f20133f655b7b8d83c7fccf564a61b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f20133f655b7b8d83c7fccf564a61b6_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Users\Admin\AppData\Local\Temp\2f20133f655b7b8d83c7fccf564a61b6_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2f20133f655b7b8d83c7fccf564a61b6_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:336
- C:\Users\Admin\AppData\Local\Temp\2f20133f655b7b8d83c7fccf564a61b6_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2f20133f655b7b8d83c7fccf564a61b6_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\8DC0.D56

Filesize
1KB

MD5
29bad9517b1772d1de816b3d5498614e

SHA1
0a8f2e5414f6322e05f8cd4043e720e8576b8ad3

SHA256
0d1ad2fc9ddfdf87a34304e6befc4c134d2670f92a8b279b6835d0d7d0a55b25

SHA512
eda6083e366f5a867b89b309d14ffd94bf9fceff04a551eff25909490a5409b160c64a68551ee846a8345f2ed8b135232cc99c1ebd69abc0df60b253b5667e9c

Download Submit
C:\Users\Admin\AppData\Roaming\8DC0.D56

Filesize
1KB

MD5
81f7e6f79aa9d64a3da5e6aef7f09b1b

SHA1
eb98e688f0866eb819d620db9522e5c67fec5361

SHA256
201506a201bc6d81c4ece28d67588044729a719d3fb634c0561cecd8de4de58d

SHA512
93ba7d7f18f4ff6c4f16a9dcd60da7098ead628bf623d705e8c87a2f61072780f2318f36d451b5c693b10addf7afe6ed1a818db12d9d83e4787972ffe61a83eb

Download Submit
C:\Users\Admin\AppData\Roaming\8DC0.D56

Filesize
1KB

MD5
7dcbdc767f2508b4d32fb3c454a915df

SHA1
35c3ec8c9225eae9ad344b7e5ab0c6028d49d651

SHA256
1892246c33c5c405e6c8e7362bf2681869fc7f938b90ee75144877a98ce7f82e

SHA512
b68b7c725bdde477ad2e6fe36118002d37ba556044505e4f980e3bdd09bd6bd180376ef80d09944f197c6f63f42053551ac5de9f26b4fcc34a8e345b3d0b8556

Download Submit
C:\Users\Admin\AppData\Roaming\8DC0.D56

Filesize
597B

MD5
55b153b06f9f584c6e2c7705b1676acb

SHA1
5dc7cf5f9216d4ddae4c1560efa720530a551d97

SHA256
3b0e4e0f61df7368731057cd3c58ae8405c075a3fff20781a3a7104123b70b9a

SHA512
b2d986988959a7876b0ad48011cd5477851b5c9b16217387b9b50081d2203c6468b7bc2433da49e31a172fba7d52d01568221a68555a711d44d46e310dd1b057

Download Submit
C:\Users\Admin\AppData\Roaming\8DC0.D56

Filesize
897B

MD5
aef4044e28a901f94f6cc3127f80f674

SHA1
7f3ede42a95edebd58a5e48eca9d487867341e54

SHA256
52eb805d3fb198c178194c3522b6da1c8b2936a73abf6b36a7bbea36c72297c5

SHA512
793a1f17c1d7b681a8708e711774ecd9b4573f724edf4f21e75b34aa4c4b4a5fd6681ac5aeac9adbf6e50301327a2ef95bcfa84b9d22c11efaf4d161f92ab164

Download Submit
C:\Users\Admin\AppData\Roaming\8DC0.D56

Filesize
297B

MD5
92b1382b3f799732ff7cc242fbf4bd13

SHA1
d4453ce353449d2965c7b9e6fc6bbb257db73e54

SHA256
e80d35be885cfc7655c87256b25cad156a9b7e78da954bbf7d78d90849e512b4

SHA512
2de146cc740dea170038d73554633a8dc207d1abac4411d1320b9b0d7ce8f1a6cc80bee292ffd06193e48ace5e2df8d96aa672ee8c59a9f3573cf80a11f37536

Download Submit
memory/336-49-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/336-51-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1304-114-0x00000000005E3000-0x0000000000601000-memory.dmp

Filesize
120KB

Download
memory/1304-113-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4076-115-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4076-1-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4076-224-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads