11023b554d894e01555b176f6304450c68c1ffa4969739c6414a9de46e328fbd

General

Target

39704b54cbb66e29e4ce55509d2dfb31_JaffaCakes118.exe
Size

186KB
MD5

39704b54cbb66e29e4ce55509d2dfb31
SHA1

cb9e4af86832a64d573e0e27249111eaa1171354
SHA256

11023b554d894e01555b176f6304450c68c1ffa4969739c6414a9de46e328fbd
SHA512

05ba1833f65ef36988fc853f967d3881af5c5939c48ea2c6918ab3448360ba7dca72ed5b7585659d860b946329865f38f9ea3c661bd1977fe360e99ce1119f09
SSDEEP

3072:HaK67zlkbHyoY/JxjDcX64V59axbMoOk/ZS5zdUi0lEAJhs3rnKX1xtm:HaKTbS3TncKwsBh/Z4dUi0lEAJhs3rKd

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2640-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2640-1-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2080-9-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2208-84-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2640-85-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2640-160-0x0000000000400000-0x000000000044B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	39704b54cbb66e29e4ce55509d2dfb31_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2080	2640	39704b54cbb66e29e4ce55509d2dfb31_JaffaCakes118.exe	31
PID 2640 wrote to memory of 2080	2640	39704b54cbb66e29e4ce55509d2dfb31_JaffaCakes118.exe	31
PID 2640 wrote to memory of 2080	2640	39704b54cbb66e29e4ce55509d2dfb31_JaffaCakes118.exe	31
PID 2640 wrote to memory of 2080	2640	39704b54cbb66e29e4ce55509d2dfb31_JaffaCakes118.exe	31
PID 2640 wrote to memory of 2208	2640	39704b54cbb66e29e4ce55509d2dfb31_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2208	2640	39704b54cbb66e29e4ce55509d2dfb31_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2208	2640	39704b54cbb66e29e4ce55509d2dfb31_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2208	2640	39704b54cbb66e29e4ce55509d2dfb31_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\39704b54cbb66e29e4ce55509d2dfb31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39704b54cbb66e29e4ce55509d2dfb31_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\39704b54cbb66e29e4ce55509d2dfb31_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\39704b54cbb66e29e4ce55509d2dfb31_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2080
- C:\Users\Admin\AppData\Local\Temp\39704b54cbb66e29e4ce55509d2dfb31_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\39704b54cbb66e29e4ce55509d2dfb31_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A2FE.D3F

Filesize
1KB

MD5
32dcd476e6afe7c6f33cbb8f44d8e002

SHA1
346489413eabef866a3307593ceba7bf75204b9c

SHA256
c80ce657072e6ed218acc780e5625c01dd304a702fe7d4f0668c1c132cf110e0

SHA512
b6831ad8e339035b3e91f54124328919d2159a4bc210ca0b804fa39e815a532f49dd15d0f8d39f4c4ff5417a770fae7627012d820625583c7f9a9b8f8a17a4be

Download Submit
C:\Users\Admin\AppData\Roaming\A2FE.D3F

Filesize
600B

MD5
91a90edfa1696c0ab055c0e2af325f32

SHA1
59a144cf29aa93927894cce1614a83ba37e143bd

SHA256
953b5e7b189df00a0f02950d251c04efd092250c6d5535be9d916b2b88b66eea

SHA512
24bcfd1b2708863563ed5955bee996bb7ee316ad35f1099b055224051a0a21ec32d507a642b87872482d8556e18600321c301dafbd6f6e5e569eb7baa0c21d05

Download Submit
C:\Users\Admin\AppData\Roaming\A2FE.D3F

Filesize
996B

MD5
2330221fb888729c3f4bc051f55ca8e5

SHA1
fd14c0f38a173d6ffe80534d2052a0448d1cc7a8

SHA256
9b541687a208f6383c3754197f0b4c39e7a6d99e364991ea0d123d980fb9d408

SHA512
661e334bd8b2ff1141c864cc22f935315c1c95765bc0f6e592ec2abecc9b7442253191cfb0831563f1c498d70581d2a3a7550be2321acb71703d5b98119d89cd

Download Submit
memory/2080-10-0x00000000002D5000-0x00000000002F3000-memory.dmp

Filesize
120KB

Download
memory/2080-9-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2208-84-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2208-86-0x0000000000525000-0x0000000000543000-memory.dmp

Filesize
120KB

Download
memory/2640-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2640-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2640-85-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2640-160-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads