43d282bc1c75d5191e08c6ffef6a7169a1fff3b9abbd05b6e21fff93cdb0d86d

General

Target

3bbcefa31389862aa36e13e7ba5d662d_JaffaCakes118.exe
Size

185KB
MD5

3bbcefa31389862aa36e13e7ba5d662d
SHA1

a4dce14fcfe23b6a78f2bd3a89af889ce74a2b6f
SHA256

43d282bc1c75d5191e08c6ffef6a7169a1fff3b9abbd05b6e21fff93cdb0d86d
SHA512

fcb4639283211c7d55db977ca037a86103a0f7b125cad2fa43579644e72d916249f4e2d384880af7ded04f814e84e2ac21910dba115972bb73c8ad5d489a110b
SSDEEP

3072:G8AkSbDZfP1C+q1MXWWgwuEHxLDHP14DGM8nM2MbbwAYQdQY1xVvCBcxx7K:G8/MZfPPmWhH9iDnYKbYiX1XNxx7

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	3bbcefa31389862aa36e13e7ba5d662d_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2584-2-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2856-11-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2696-78-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2584-75-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2856-144-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2584-183-0x0000000000400000-0x000000000048C000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2856	2584	3bbcefa31389862aa36e13e7ba5d662d_JaffaCakes118.exe	30
PID 2584 wrote to memory of 2856	2584	3bbcefa31389862aa36e13e7ba5d662d_JaffaCakes118.exe	30
PID 2584 wrote to memory of 2856	2584	3bbcefa31389862aa36e13e7ba5d662d_JaffaCakes118.exe	30
PID 2584 wrote to memory of 2856	2584	3bbcefa31389862aa36e13e7ba5d662d_JaffaCakes118.exe	30
PID 2584 wrote to memory of 2696	2584	3bbcefa31389862aa36e13e7ba5d662d_JaffaCakes118.exe	32
PID 2584 wrote to memory of 2696	2584	3bbcefa31389862aa36e13e7ba5d662d_JaffaCakes118.exe	32
PID 2584 wrote to memory of 2696	2584	3bbcefa31389862aa36e13e7ba5d662d_JaffaCakes118.exe	32
PID 2584 wrote to memory of 2696	2584	3bbcefa31389862aa36e13e7ba5d662d_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\3bbcefa31389862aa36e13e7ba5d662d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3bbcefa31389862aa36e13e7ba5d662d_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\3bbcefa31389862aa36e13e7ba5d662d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3bbcefa31389862aa36e13e7ba5d662d_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2856
- C:\Users\Admin\AppData\Local\Temp\3bbcefa31389862aa36e13e7ba5d662d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3bbcefa31389862aa36e13e7ba5d662d_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\583D.9D4

Filesize
600B

MD5
8cec18e806b63e8d9e415a448e5a65d3

SHA1
070ccd0beef38c7741120165d29bc6f20caf50e0

SHA256
c2070b597990c41b883b6cfc51046c65cf33c53f49df268d34f07880eed92773

SHA512
3ac09bfe08a9968e0d4b6fbed0711022c5947abc84a2ed477f6711fb538bcd041c0bc7133c5a140f8dae65087f239f94b3f911848a56f31b21d671c69c8a7a0c

Download Submit
C:\Users\Admin\AppData\Roaming\583D.9D4

Filesize
1KB

MD5
a9ac67f0ff26a19b35102ec4f7ad6793

SHA1
b4487aedd4f9a94301feff247b972c75e45260c0

SHA256
6b166d7cf4b238067f0a258e8b2ee0bc9b7ad8b81dab17648d247459ea26c7e5

SHA512
6abd83a1bba9d969e4189e254ec0798ea9f9d9d56229eae54b1da268b249d351ab19b99aa808b5d793d1730cfddc9c6055e32e3ecc2b05d9210779d9952e6d49

Download Submit
C:\Users\Admin\AppData\Roaming\583D.9D4

Filesize
996B

MD5
7bbc7934606901bd57ded4f58d84dac8

SHA1
4e7b5db42282ef31b3a7f0d49447818419ed5f2b

SHA256
50bd51bb982aad235268b8a2cb752c2aaa260701640e48229aa98159fdfde0fa

SHA512
c73f82f591f68468c807d88a735366a34b7fec4b9e1d5671e95acd6732c42c0693e507d3f8de4e69c29697ad4ddfee562c154e4c0230d0c2be8d63298346c379

Download Submit
memory/2584-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2584-75-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2584-183-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2696-78-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2696-77-0x0000000000278000-0x0000000000294000-memory.dmp

Filesize
112KB

Download
memory/2856-11-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2856-144-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads