49c722e148730cdae130f7357f2a5b4df613bd1ff455247f0c8bc0798e35548a

General

Target

3a9bf1de21767a68246e95d1796e4491_JaffaCakes118.exe
Size

22KB
MD5

3a9bf1de21767a68246e95d1796e4491
SHA1

34de719c444993f65687a4eeecc8dde7b9f89115
SHA256

49c722e148730cdae130f7357f2a5b4df613bd1ff455247f0c8bc0798e35548a
SHA512

843886af9cd6b0c18de2f090499491faa33966ec7e1185a7a104832598b1747835868d0818a866ad8170da16102fe9c52f1d2f1a9d6e99d79b42aa79f11d2bf6
SSDEEP

384:9b5hBj4gBA6AJWo1IP2QsokMl54K/rv2EUD/Jy8r6:9b5UglAIFeATz/CEI/Ja

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1032	netmon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NetMon = "C:\\Windows\\netmon.exe"	3a9bf1de21767a68246e95d1796e4491_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NetMon = "C:\\Windows\\netmon.exe"	netmon.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\netmon.exe	netmon.exe
File opened for modification	C:\Windows\netmon.exe	netmon.exe
File opened for modification	C:\Windows\nji2.tmp	netmon.exe
File opened for modification	C:\Windows\msi2.tmp	netmon.exe
File opened for modification	C:\Windows\xjwu2.tmp	netmon.exe
File created	C:\Windows\netmon.exe	3a9bf1de21767a68246e95d1796e4491_JaffaCakes118.exe
File opened for modification	C:\Windows\netmon.exe	3a9bf1de21767a68246e95d1796e4491_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 1032	3452	3a9bf1de21767a68246e95d1796e4491_JaffaCakes118.exe	84
PID 3452 wrote to memory of 1032	3452	3a9bf1de21767a68246e95d1796e4491_JaffaCakes118.exe	84
PID 3452 wrote to memory of 1032	3452	3a9bf1de21767a68246e95d1796e4491_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\3a9bf1de21767a68246e95d1796e4491_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a9bf1de21767a68246e95d1796e4491_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Windows\netmon.exe
  C:\Windows\netmon.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\netmon.exe

Filesize
22KB

MD5
3a9bf1de21767a68246e95d1796e4491

SHA1
34de719c444993f65687a4eeecc8dde7b9f89115

SHA256
49c722e148730cdae130f7357f2a5b4df613bd1ff455247f0c8bc0798e35548a

SHA512
843886af9cd6b0c18de2f090499491faa33966ec7e1185a7a104832598b1747835868d0818a866ad8170da16102fe9c52f1d2f1a9d6e99d79b42aa79f11d2bf6

Download Submit
C:\Windows\xjwu2.tmp

Filesize
313B

MD5
06accebdd3b9880258f650e203ce7d31

SHA1
292c9eedcc6228cc733fee014cdf31c6b9d54941

SHA256
ea66edd359b4a1669d2d9c98ca1edbd480addf5c2fd53597fdfa978c2892d5a3

SHA512
7f5170118322c15631d1ca9af0d1ac91e9a0862c0f0d8a786d6bc8312e713c0494633ed3a07d1b6cf43709aaf549bb0d4e5e0d23b878f2a038b095bd53cac420

Download Submit
C:\Windows\xjwu2.tmp

Filesize
932B

MD5
9da00e276bfb95cd58e27565e7d0f7cb

SHA1
838db405de5400d476421de1076b7b64917936bf

SHA256
2705a673b4a9897f3414e1a88f3d54f142c78945c6ef983657c25208aa4df35e

SHA512
e94755db1d9edf9cfb40a6c1fb1fa0c3d6ade5cdb2e99fbd8c729398b4613879bdc369daa418401e740239b65969adb992812b9c29f73c53ea4c710661006e5e

Download Submit
C:\Windows\xjwu2.tmp

Filesize
1KB

MD5
22f6b67738177f0cf81e4a5c215072b8

SHA1
2c7cb5d09778fd31a9993eaec5951beb2783ac13

SHA256
1226c10fd95fc4121fda9c0767c0f3c4c035b6ab979aad9b8c4585061697cf79

SHA512
bb35818ccbb7b04a35e38210b665350894eca0a26ecd0b08e97403326f1ef88ef7cb415503a1be5739f47b9aa3b4fa19c8d4d35f4060c63737ed03bf8ca23076

Download Submit
C:\Windows\xjwu2.tmp

Filesize
1KB

MD5
161f862dbcf80f3ed6524af492d584c3

SHA1
63a045df098ae3c2d3764128dcf3b200a3177528

SHA256
388bd4488b3b3dfa19e3e4aa54ff80fd66b57e7c529a48c467c27d27d4dd13cd

SHA512
67989c3c473a93b0a346fa456ae463fbbc560cedfc9dfe9bc8f78d64088ae5ba9d91b1ee162291c7573cf496a337cc9cc0fed6abc7d68db53511c258cb018b8f

Download Submit
memory/1032-12-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1032-10-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1032-9-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1032-115-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1032-116-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1032-117-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1032-118-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1032-120-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1032-121-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1032-122-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3452-8-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads