46a819b87669db5e5c2dff87dd8fe09edab930a43fc98270f4b357d559fca6a1

General

Target

3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
Size

290KB
MD5

3131f57dfc1a398077f5739d109ed181
SHA1

a28cfc2248859de40b78c9be61794ed098b84af4
SHA256

46a819b87669db5e5c2dff87dd8fe09edab930a43fc98270f4b357d559fca6a1
SHA512

37e1ea1be0c9201f653eb760daff1fd69efe78d74c77626726ebcee90514120279d6480d0f2cb7a189b3ad504262d64a6f10d35fdc9673fc315ec35e61e4037e
SSDEEP

6144:s/u/NGn9a3Ku42+uBIW0KzkWdoJts8RuSMSZGpYYW3Vsa:s/INm9KKuF+uihKz1dVKs6YWlsa

Score

10^/10

evasion spyware stealer upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe:*:Enabled:Microsoft Update Sheduler"	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\setup.exe	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\setup.exe	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1168-0-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/1168-2-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/1168-4-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/1168-3-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/1168-6-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/1168-7-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/1168-8-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/1168-20-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/1168-22-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
File opened (read-only)	\??\O:	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
File opened (read-only)	\??\R:	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
File opened (read-only)	\??\S:	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
File opened (read-only)	\??\V:	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
File opened (read-only)	\??\Z:	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
File opened (read-only)	\??\H:	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
File opened (read-only)	\??\K:	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
File opened (read-only)	\??\M:	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
File opened (read-only)	\??\N:	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
File opened (read-only)	\??\U:	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
File opened (read-only)	\??\X:	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
File opened (read-only)	\??\W:	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
File opened (read-only)	\??\E:	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
File opened (read-only)	\??\I:	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
File opened (read-only)	\??\J:	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
File opened (read-only)	\??\L:	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
File opened (read-only)	\??\P:	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
File opened (read-only)	\??\Q:	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
File opened (read-only)	\??\T:	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
File opened (read-only)	\??\Y:	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\javafx-src.zip	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Archive.zip	3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3131f57dfc1a398077f5739d109ed181_JaffaCakes118.exe"
1⤵
- Modifies firewall policy service
- Drops startup file
- Enumerates connected drives
- Drops file in Program Files directory
PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1168-0-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1168-1-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/1168-2-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1168-4-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1168-3-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1168-5-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/1168-6-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1168-7-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1168-8-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1168-20-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1168-22-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads