8aca7bb5bc16c34da62cfc60df950d530522ca0a8880e17fafba00bfc1ca462b

General

Target

3e04a7002744fe584511b2055972cdf3_JaffaCakes118.exe
Size

183KB
MD5

3e04a7002744fe584511b2055972cdf3
SHA1

6bd417fd806bb9d52f7071e984dc19dcbcf2a4b4
SHA256

8aca7bb5bc16c34da62cfc60df950d530522ca0a8880e17fafba00bfc1ca462b
SHA512

4d5fcc96bc6dfd1e63153755372d5e86e4e8cb1444e52d664818a9204299f2497d79b7b80ad218567f4b67d94fd6e4f931396710eb57bac6e5e36e34d17cc5a9
SSDEEP

3072:ej/j2UdMHc/hgLsmxs9NlSpQT1ljph1VdFC7DM/0Xuqg3RlIF5Xd5:ej/j52GV2a5hO7k0Xxg3f+

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2388-2-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3064-6-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2388-18-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2684-90-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2388-92-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2388-195-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	3e04a7002744fe584511b2055972cdf3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 3064	2388	3e04a7002744fe584511b2055972cdf3_JaffaCakes118.exe	30
PID 2388 wrote to memory of 3064	2388	3e04a7002744fe584511b2055972cdf3_JaffaCakes118.exe	30
PID 2388 wrote to memory of 3064	2388	3e04a7002744fe584511b2055972cdf3_JaffaCakes118.exe	30
PID 2388 wrote to memory of 3064	2388	3e04a7002744fe584511b2055972cdf3_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2684	2388	3e04a7002744fe584511b2055972cdf3_JaffaCakes118.exe	33
PID 2388 wrote to memory of 2684	2388	3e04a7002744fe584511b2055972cdf3_JaffaCakes118.exe	33
PID 2388 wrote to memory of 2684	2388	3e04a7002744fe584511b2055972cdf3_JaffaCakes118.exe	33
PID 2388 wrote to memory of 2684	2388	3e04a7002744fe584511b2055972cdf3_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\3e04a7002744fe584511b2055972cdf3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e04a7002744fe584511b2055972cdf3_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\3e04a7002744fe584511b2055972cdf3_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3e04a7002744fe584511b2055972cdf3_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:3064
- C:\Users\Admin\AppData\Local\Temp\3e04a7002744fe584511b2055972cdf3_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3e04a7002744fe584511b2055972cdf3_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0AE5.696

Filesize
897B

MD5
6a728b9ba9bce8bc4aa767f00156897f

SHA1
3c76dadc6c72da8949b559b3426470f4f607fcad

SHA256
74f7b838bc01734f01f73b1f6501777920ffc59957aab955d16d41b45aeafd40

SHA512
c62569bef79ba6e5575ea977ae85b34216f530d4f85b4938314e1adcbee61c2bf42fff21f6d56488d7e805560612d634f7ee1e7b248b15776f3049c3762fbe5a

Download Submit
C:\Users\Admin\AppData\Roaming\0AE5.696

Filesize
1KB

MD5
4a90f5cfe6f83fbe464468500c5dc7d1

SHA1
92bebc96359bc375351b5048f01a472c0a13980f

SHA256
962de9b913991b5b3be2d0952ee4aa23baa0672be2dd9ba7f7505e262d9fb1e1

SHA512
6e68e5023338dfbeb741a5d1bbdf57df6cd435d83969522efca6f8ecb8416bf9601d9b2627ed561fc345e37ec810e8094a051fb735e12861c4bd91cc46d90d31

Download Submit
C:\Users\Admin\AppData\Roaming\0AE5.696

Filesize
1KB

MD5
d61ddda73cad1281b611491fcd69f578

SHA1
c303ed4f1ddc55c7b886027cd110da8ecbd5e5f4

SHA256
bf90ea5d49ed7d9057803338df10c4a2d7c3640576c5b7ee653610cbc7a7a3c7

SHA512
c456f683cb362b61089e703d7e1161591280154d5ffabd8978eb039e40ea681d215696f307ae3bd9c1eddae0cb3efb1ea43af557ee545f577e553950e1248817

Download Submit
memory/2388-2-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2388-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2388-92-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2388-195-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2684-90-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2684-91-0x0000000000636000-0x000000000065E000-memory.dmp

Filesize
160KB

Download
memory/3064-6-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads