188fc5d31f0900cdb91120152068d190c45d003694a8315b3e8b0ba7a10be2c4

General

Target

393370ac8b5477a56f4e3d3d066fafe6_JaffaCakes118.exe
Size

167KB
MD5

393370ac8b5477a56f4e3d3d066fafe6
SHA1

f284628861a35983facba6a7670afd6143226ff0
SHA256

188fc5d31f0900cdb91120152068d190c45d003694a8315b3e8b0ba7a10be2c4
SHA512

3f9459b5a55cbb3b7b5033a7f51324a021ee8be1bec605bd8905e62f0e947d39d0d4501b5ffb6dfd1d4885e21357b0484db77a62fc904eeabdf7fdffcca75f60
SSDEEP

3072:9vzbnLeqHfZRcyQH+t+Cw8BiS5Jc/1yg2rRB87bXD0eQ6MqdSW6k7nSt7sXwN:hbV/ZRcHH2+D8oXh2rT8fvok7Wb

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2204-1-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1848-4-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2204-12-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/3000-72-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2204-73-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2204-160-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2204-199-0x0000000000400000-0x000000000043E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	393370ac8b5477a56f4e3d3d066fafe6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 1848	2204	393370ac8b5477a56f4e3d3d066fafe6_JaffaCakes118.exe	30
PID 2204 wrote to memory of 1848	2204	393370ac8b5477a56f4e3d3d066fafe6_JaffaCakes118.exe	30
PID 2204 wrote to memory of 1848	2204	393370ac8b5477a56f4e3d3d066fafe6_JaffaCakes118.exe	30
PID 2204 wrote to memory of 1848	2204	393370ac8b5477a56f4e3d3d066fafe6_JaffaCakes118.exe	30
PID 2204 wrote to memory of 3000	2204	393370ac8b5477a56f4e3d3d066fafe6_JaffaCakes118.exe	33
PID 2204 wrote to memory of 3000	2204	393370ac8b5477a56f4e3d3d066fafe6_JaffaCakes118.exe	33
PID 2204 wrote to memory of 3000	2204	393370ac8b5477a56f4e3d3d066fafe6_JaffaCakes118.exe	33
PID 2204 wrote to memory of 3000	2204	393370ac8b5477a56f4e3d3d066fafe6_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\393370ac8b5477a56f4e3d3d066fafe6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\393370ac8b5477a56f4e3d3d066fafe6_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\393370ac8b5477a56f4e3d3d066fafe6_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\393370ac8b5477a56f4e3d3d066fafe6_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:1848
- C:\Users\Admin\AppData\Local\Temp\393370ac8b5477a56f4e3d3d066fafe6_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\393370ac8b5477a56f4e3d3d066fafe6_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\350B.300

Filesize
1KB

MD5
f7413415400c20e12c54ad065079114d

SHA1
f669fceda0b112f6500907e6cd5cc613e3d38830

SHA256
6bade3435ff552d8854d1e6e8b57c294c0107bae77deb3918a5c321022b26a97

SHA512
a9cd3f8bb3c9de857e31cbc0f527e3089e1ad6d84903174dcb0ed5d743f48570697f97773c532616b1b7a9c4aee1a8098688a1d823773f18827503f0ff83ba69

Download Submit
C:\Users\Admin\AppData\Roaming\350B.300

Filesize
600B

MD5
7bb032fe11a0c9524487ec2acc908e66

SHA1
b1fc0560b5715cc0e556f79a4f4b817fc97cde90

SHA256
0cd11d8f104c63c38740d3189a14216cea6b667843358c13d33fbe4cce8db7d5

SHA512
81613abebd8b4ab1fa41d6ebd4d9e8dcfccef7f7e92c894c0587bfdda782ae61b7de22ac80eecea524be827764255385f499c108ff480e6fd8c4eb6a96d05ae7

Download Submit
C:\Users\Admin\AppData\Roaming\350B.300

Filesize
996B

MD5
7d7143dd019a1d23989dcb134afccda7

SHA1
35026ab31e793344d012c6f407b7fd9a1ff7e6c8

SHA256
b1fcbd37178157cc6dcc6c7e2a9254407f58594a74c0a6875f27fc9805636d7e

SHA512
e14303399e5da4088003cfa56fb16e962932a1a951e8ee4806dbb80de081d539cb091592d88b28e101b9a74338526dc9d618a5867400c719b889fe80780f63e6

Download Submit
memory/1848-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1848-5-0x0000000000334000-0x0000000000359000-memory.dmp

Filesize
148KB

Download
memory/2204-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3000-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads