942b77b9ebfa80d0fc14811cd748de83394ba6af6119d46815c101ffc0f43cb5

General

Target

3499e53d0a6ccbb136d9ad46eafea2b6_JaffaCakes118.exe
Size

193KB
MD5

3499e53d0a6ccbb136d9ad46eafea2b6
SHA1

196c7e3ac3d629e94e66116afa42c7731c9be473
SHA256

942b77b9ebfa80d0fc14811cd748de83394ba6af6119d46815c101ffc0f43cb5
SHA512

d63d86348add6eee1d999e6087addf70831a672bc23bbbc88bf21a9eb1a16cb847db730433ec2bfa555b9f6e87731cc385caa734cc16928254a05bdaebb43c55
SSDEEP

3072:Rj5082HNdutceO8ijNz7T6sffiCpLCNZiCgKiq5zFAEyfiTPn4D4:Rj5CtdutcJH7TPffJKMC6Ey8nk4

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	3499e53d0a6ccbb136d9ad46eafea2b6_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1768-1-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2428-13-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2816-70-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1768-72-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1768-162-0x0000000000400000-0x000000000048B000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 2428	1768	3499e53d0a6ccbb136d9ad46eafea2b6_JaffaCakes118.exe	30
PID 1768 wrote to memory of 2428	1768	3499e53d0a6ccbb136d9ad46eafea2b6_JaffaCakes118.exe	30
PID 1768 wrote to memory of 2428	1768	3499e53d0a6ccbb136d9ad46eafea2b6_JaffaCakes118.exe	30
PID 1768 wrote to memory of 2428	1768	3499e53d0a6ccbb136d9ad46eafea2b6_JaffaCakes118.exe	30
PID 1768 wrote to memory of 2816	1768	3499e53d0a6ccbb136d9ad46eafea2b6_JaffaCakes118.exe	32
PID 1768 wrote to memory of 2816	1768	3499e53d0a6ccbb136d9ad46eafea2b6_JaffaCakes118.exe	32
PID 1768 wrote to memory of 2816	1768	3499e53d0a6ccbb136d9ad46eafea2b6_JaffaCakes118.exe	32
PID 1768 wrote to memory of 2816	1768	3499e53d0a6ccbb136d9ad46eafea2b6_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\3499e53d0a6ccbb136d9ad46eafea2b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3499e53d0a6ccbb136d9ad46eafea2b6_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\3499e53d0a6ccbb136d9ad46eafea2b6_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3499e53d0a6ccbb136d9ad46eafea2b6_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2428
- C:\Users\Admin\AppData\Local\Temp\3499e53d0a6ccbb136d9ad46eafea2b6_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3499e53d0a6ccbb136d9ad46eafea2b6_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0402.072

Filesize
1KB

MD5
f59eb2f6c6cbc625b0003884e83f2516

SHA1
2049b089bd55da9df69df623916b1fedd86f588f

SHA256
c689c16f9b7cc8b8ec255d7b4408db7847883990fb6eb2d3a83794fd768a4584

SHA512
ba0dc552bdee00d5e448ca6ec93176fe8a65ca56b01c6e7b8de469846ef89604095ec92c20924ce952743b1786b2c2fcec2848335b21e668f9862e7a24d2c32d

Download Submit
C:\Users\Admin\AppData\Roaming\0402.072

Filesize
600B

MD5
daff7a6c38023940c2dc911107eb798e

SHA1
a877cdea95d5ae6977e9ebf0b7994c3a7e6868f5

SHA256
24cd661ec9be3ee5be2364a6aac532f86a028d3d6b1ccd0f45ff9ee2ccef28e3

SHA512
f4a0bea349ebaa0c0e4f6062052381822f08094739da79a3a808a41fb329c9822f48cb5db4faa7d38a363b1adc5a44477b99bc53f0ee9d0498e368af2128e84e

Download Submit
C:\Users\Admin\AppData\Roaming\0402.072

Filesize
996B

MD5
540eeb84273c0f794d21cb0f786c4d44

SHA1
5f2ee065af84e39db9bcdfd5127fef812de3861a

SHA256
bf687afbccffb7bc9e440866d99f388b06bee2f88f8952305ea92987a6006308

SHA512
43197674dfe2bd05a16961783fd6ddededd2d5af09f704dfc62fee4e629e54eb69911fc541905955270fa6ba90dcdceeb70b029466ee7f8ef73b5a6ee3212493

Download Submit
memory/1768-1-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1768-72-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1768-162-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2428-12-0x0000000000655000-0x0000000000670000-memory.dmp

Filesize
108KB

Download
memory/2428-13-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2816-70-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2816-71-0x00000000005C5000-0x00000000005E0000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads