bceb901a7c5b5e9ddbf2d74a5da4cbcf73c44c2d4bde6749cee8c4d53f38e775

General

Target

3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe
Size

186KB
MD5

3705cc2935a43d140d20f1d8ec41a9bb
SHA1

1b1a4088266bbf840ee363dead9524c883757998
SHA256

bceb901a7c5b5e9ddbf2d74a5da4cbcf73c44c2d4bde6749cee8c4d53f38e775
SHA512

13e5bd039ea0a54d2719f496acbf177f524c82236f5b42b4cc1d7adb0166d577274f59250637485082a2d623298dfa7a83b930307b2f72392b8a9189e007535f
SSDEEP

3072:0n6vBEEvERgS1z1/rUP44bqPvtiFEoZkz8sCPUqHVQ1OWHkRqi/3HuNGRFIcqEI1:csrWm44WPKEL8sC8qHq1OWHi/39RCcbS

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2144-3-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/2180-4-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2180-5-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2180-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2144-9-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2912-12-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2912-13-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2144-15-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/2144-16-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2144-217-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe"	3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2180	2144	3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe	28
PID 2144 wrote to memory of 2180	2144	3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe	28
PID 2144 wrote to memory of 2180	2144	3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe	28
PID 2144 wrote to memory of 2180	2144	3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe	28
PID 2144 wrote to memory of 2912	2144	3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe	32
PID 2144 wrote to memory of 2912	2144	3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe	32
PID 2144 wrote to memory of 2912	2144	3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe	32
PID 2144 wrote to memory of 2912	2144	3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Local\Temp\3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\Windows\shell.exe%C:\Users\Admin\AppData\Roaming\Microsoft\Windows
  2⤵
  PID:2180
- C:\Users\Admin\AppData\Local\Temp\3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg

Filesize
1KB

MD5
1b6b0b034687b78ab8bdbf94c36b898c

SHA1
3a5c2568909a75c859282d6d024697fed030e375

SHA256
4c758959fdb5cce2186cb5a8828761e98a8d865c3ac93358d34cc836c679b048

SHA512
3107b625853520fc3a797e756a6cd187e7a101c9c050688bf9b0c250511d19167f81a2c0e6578b8afc88029f14bca72dfa24c65cd32bc3d17ce3254ad021df4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg

Filesize
1KB

MD5
12aaa6cc6766dc2a4c19ec8b1c2aa8a8

SHA1
ed3e59b2717cd5f534292f27f587d743ee85a3c3

SHA256
177c4dec13002a9e966067167729c8d7b861a159cf4b5c02dcf5212545cd81a3

SHA512
c0f128d29569d02cbf00fe14e96ebea19024a8e96b43544886ea523d67187a9b874e2ae72f50441bcff4a41daca4a24304024ecc06ee902c592d838c97ff2de0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg

Filesize
396B

MD5
6f97660b0a4719c516f0b2544b0ca5c5

SHA1
83c5a8f165f4b417d517b67e7b358b1ca35aecd3

SHA256
ee36e1c289143c356a17f65706be6d4d3dfe54067d0904c3a67156f2a501dfa4

SHA512
0f05cfc9acf0f7725d3d633edd7bac1c210e66711ce4aeb64df319d62e66eb3bc4b73d2bd595b1616b0e7d249767fe4372911607e098c8e9e9c322e3accd77d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg

Filesize
792B

MD5
0781afebb32dc98e2e8925f2a1eb12c4

SHA1
b93c2b2f8250e6856c8141ae9649e254c2984980

SHA256
e3734c7172b50e9faa8efb0d0e7d72b1ee93210b0c17be30f668e1ff4ea816f3

SHA512
101c1a527eb6a12619cdbc9adc9ff9edba04970aa43a3f2a01b0eb8d9b434866cad0a8e1a57d3d8f6e608d7610b533faf1318532330b16e9522525cfeba198c9

Download Submit
memory/2144-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2144-2-0x0000000000280000-0x0000000000296000-memory.dmp

Filesize
88KB

Download
memory/2144-1-0x0000000000250000-0x000000000027C000-memory.dmp

Filesize
176KB

Download
memory/2144-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2144-3-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2144-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2144-15-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2180-5-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2180-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2180-4-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2912-13-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2912-11-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2912-12-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads