6a8767ed4d25c0444d394a35f6e5ceede87c6f08d97682598eefd27d7457071c

General

Target

36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe
Size

479KB
MD5

36655025d8d1ddf19b9780f2391c7acd
SHA1

e97b5500000c4614ba7c46cbc2bb6dd6fc2f1cfb
SHA256

6a8767ed4d25c0444d394a35f6e5ceede87c6f08d97682598eefd27d7457071c
SHA512

0df345a77bb09abfb0e9af3a7abe15c81dc5f87646115c5aa287c5528a7c919f11a8e68c58b2883e9dce2e0dc40d6bbc3f06f18d4e18b7b0d8d3e074ef6e86c8
SSDEEP

12288:79v4xR9UTVoi1U+yOsgqj2lC2I18DfqWdx49z6Bga:72xR9AV3O+7sgzp+8fdxZ

Score

9^/10

collection

Malware Config

Signatures

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2592-37-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral1/memory/2592-42-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral1/memory/2592-43-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral1/memory/1392-86-0x0000000000400000-0x0000000000414000-memory.dmp	Nirsoft
behavioral1/memory/1392-82-0x0000000000400000-0x0000000000414000-memory.dmp	Nirsoft
behavioral1/memory/1392-87-0x0000000000400000-0x0000000000414000-memory.dmp	Nirsoft

Executes dropped EXE 8 IoCs

Processes:

passstealer.exepassstealer.exepassstealer.exepassstealer.exepassstealer.exepassstealer.exepassstealer.exepassstealer.exe

pid	process
2248	passstealer.exe
2592	passstealer.exe
824	passstealer.exe
1392	passstealer.exe
1236	passstealer.exe
1820	passstealer.exe
2380	passstealer.exe
844	passstealer.exe

Loads dropped DLL 7 IoCs

Processes:

36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exepassstealer.exe

pid	process
2780	36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe
2780	36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe
2780	36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe
2780	36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe
2248	passstealer.exe
2248	passstealer.exe
2248	passstealer.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

passstealer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	passstealer.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

passstealer.exe

description	pid	process	target process
PID 2248 set thread context of 2592	2248	passstealer.exe	passstealer.exe
PID 2248 set thread context of 824	2248	passstealer.exe	passstealer.exe
PID 2248 set thread context of 1392	2248	passstealer.exe	passstealer.exe
PID 2248 set thread context of 1236	2248	passstealer.exe	passstealer.exe
PID 2248 set thread context of 1820	2248	passstealer.exe	passstealer.exe
PID 2248 set thread context of 2380	2248	passstealer.exe	passstealer.exe
PID 2248 set thread context of 844	2248	passstealer.exe	passstealer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

passstealer.exepassstealer.exe

description pid process

Token: SeDebugPrivilege 2592 passstealer.exe
Token: SeDebugPrivilege 1392 passstealer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2628 DllHost.exe

description	pid	process
Token: SeDebugPrivilege	2592	passstealer.exe
Token: SeDebugPrivilege	1392	passstealer.exe

pid	process
2628	DllHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exepassstealer.exe

description	pid	process	target process
PID 2780 wrote to memory of 2248	2780	36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe	passstealer.exe
PID 2780 wrote to memory of 2248	2780	36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe	passstealer.exe
PID 2780 wrote to memory of 2248	2780	36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe	passstealer.exe
PID 2780 wrote to memory of 2248	2780	36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe	passstealer.exe
PID 2248 wrote to memory of 2592	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 2592	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 2592	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 2592	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 2592	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 2592	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 2592	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 2592	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 2592	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 2592	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 824	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 824	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 824	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 824	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 824	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 824	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 824	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 824	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 824	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 824	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1392	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1392	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1392	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1392	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1392	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1392	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1392	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1392	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1392	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1392	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1236	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1236	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1236	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1236	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1236	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1236	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1236	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1236	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1236	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1236	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1820	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1820	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1820	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1820	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1820	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1820	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1820	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1820	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1820	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 1820	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 2380	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 2380	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 2380	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 2380	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 2380	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 2380	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 2380	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 2380	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 2380	2248	passstealer.exe	passstealer.exe
PID 2248 wrote to memory of 2380	2248	passstealer.exe	passstealer.exe

C:\Users\Admin\AppData\Local\Temp\36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780

C:\Users\Admin\Desktop\passstealer.exe
"C:\Users\Admin\Desktop\passstealer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2248

C:\Users\Admin\Desktop\passstealer.exe
/stext C:\Users\Admin\AppData\Local\Temp\temp.txt
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Users\Admin\Desktop\passstealer.exe
/stext C:\Users\Admin\AppData\Local\Temp\temp.txt
3⤵
- Executes dropped EXE
PID:824

C:\Users\Admin\Desktop\passstealer.exe
/stext C:\Users\Admin\AppData\Local\Temp\temp.txt
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Users\Admin\Desktop\passstealer.exe
/stext C:\Users\Admin\AppData\Local\Temp\temp.txt
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:1236

C:\Users\Admin\Desktop\passstealer.exe
/stext C:\Users\Admin\AppData\Local\Temp\temp.txt
3⤵
- Executes dropped EXE
PID:1820

C:\Users\Admin\Desktop\passstealer.exe
/stext C:\Users\Admin\AppData\Local\Temp\temp.txt
3⤵
- Executes dropped EXE
PID:2380

C:\Users\Admin\Desktop\passstealer.exe
/stext C:\Users\Admin\AppData\Local\Temp\temp.txt
3⤵
- Executes dropped EXE
PID:844

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp.txt

Filesize
33B

MD5
fec8656dbc9772ee24163ae3d57f41d9

SHA1
4e82071ada9bdc0002decba8b18b22a6dfdd127d

SHA256
7a3295b2c8c4797b8e5b4616bcc19bca30266371a54666855cbc67d443a3e4f4

SHA512
7c5965e41515a34db05c442587607bb51b6a3a8662df39513474f0d12c1236d882989d8c8bc99d24be27531c0e0df76af8c4beaf45e041767ab6ba2c72fc9326

Download Submit
C:\Users\Admin\Desktop\portrait_konny.jpg

Filesize
6KB

MD5
1abe34ea26f8a94f15023b0ff256949e

SHA1
601425b47463af5a5ffcacb87995a41cb7f3ca52

SHA256
5d4177116dcbf4a759cdbe88e87684932e3d5763067cc181dcf955c9e67148b6

SHA512
3bd495e09eecd0f38673abf2d5b20f62bd1b40a13c250baa61b1fae33d35d95245f0beb185938e290292b8628044fd8d040f9fed6432fb406218b29a58a6d04e

Download Submit
\Users\Admin\Desktop\passstealer.exe

Filesize
275KB

MD5
bec96c96ff53280aad44543234a1606b

SHA1
a230dbce7f3b73018e8c73923a7118c539798709

SHA256
afae687bf5a551d4c2bddadf1bfcd859606f698ece41970bdcf6ff36dd94f4af

SHA512
80efc60df3c9b9afd39041c4fc917a43026acb8bd35d6a23928567512cbc8bd2cc89ca32fca3fa56df23592d9bba2e350607de514b90618d1844c829f4613110

Download Submit
memory/824-60-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/824-70-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/824-69-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/824-50-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/824-52-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/824-54-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/824-57-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/824-63-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1236-89-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1392-74-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1392-82-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1392-87-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1392-80-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1392-75-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1392-86-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1392-76-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1392-78-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1820-116-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1820-122-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2248-16-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2592-26-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2592-37-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2592-42-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2592-43-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2592-28-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2592-24-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2592-31-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2592-34-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2592-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2628-48-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2628-46-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2628-160-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2780-45-0x00000000032F0000-0x00000000032F2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads