4b3ae06e546d2358368324739feae929ce36896fcef6c5fb127e871d394fd868

General

Target

407406af427c467021fef138121b239f_JaffaCakes118.exe
Size

160KB
MD5

407406af427c467021fef138121b239f
SHA1

904fe6009bb924bb307c6d8f483bd66784fa68c6
SHA256

4b3ae06e546d2358368324739feae929ce36896fcef6c5fb127e871d394fd868
SHA512

ae88f0a50cef4e17b1abfce910931d4ded831523c7086bb070471bf30874b59fec0a9c28ce62d6d4f5039e0eef665c0ee5c5782540360a847b1f5d4a9b8e2f6e
SSDEEP

3072:mQ5M+z7y60Z9Z0uUczAAF8J0Hv87y8E0QaA6Rubdk0ISjEimQgGnD6/6sOEWih:mQW+CNZ0tcz3cN5FRcjIfimQgydsOQh

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2972-1-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2412-5-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2412-7-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2972-14-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1844-79-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2972-81-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2972-174-0x0000000000400000-0x000000000043C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	407406af427c467021fef138121b239f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2412	2972	407406af427c467021fef138121b239f_JaffaCakes118.exe	30
PID 2972 wrote to memory of 2412	2972	407406af427c467021fef138121b239f_JaffaCakes118.exe	30
PID 2972 wrote to memory of 2412	2972	407406af427c467021fef138121b239f_JaffaCakes118.exe	30
PID 2972 wrote to memory of 2412	2972	407406af427c467021fef138121b239f_JaffaCakes118.exe	30
PID 2972 wrote to memory of 1844	2972	407406af427c467021fef138121b239f_JaffaCakes118.exe	32
PID 2972 wrote to memory of 1844	2972	407406af427c467021fef138121b239f_JaffaCakes118.exe	32
PID 2972 wrote to memory of 1844	2972	407406af427c467021fef138121b239f_JaffaCakes118.exe	32
PID 2972 wrote to memory of 1844	2972	407406af427c467021fef138121b239f_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\407406af427c467021fef138121b239f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\407406af427c467021fef138121b239f_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\407406af427c467021fef138121b239f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\407406af427c467021fef138121b239f_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2412
- C:\Users\Admin\AppData\Local\Temp\407406af427c467021fef138121b239f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\407406af427c467021fef138121b239f_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F7EC.FC7

Filesize
1KB

MD5
977a4561918dd7bfe52c03e0eacd84c3

SHA1
2e7393a17e0f33a8fe75cfb100ca2e74dacc22d6

SHA256
f3e6dab742d5dd1f76a93c06cb055b6b3486251c3e8626d6a13ae0e87d69b884

SHA512
d4a6a2da794f2877fab667d1c84963c8af3439d8c176b7fd260176fcbb34bda6cb535c87e24c339a9d31aa44fa572966e8c4e2cdfc2dc3f852ab4655f35fc958

Download Submit
C:\Users\Admin\AppData\Roaming\F7EC.FC7

Filesize
600B

MD5
dfd37232297402954fbd9be872bfb890

SHA1
2e8fed886f540c0a8a482794b2a960df3c5c3782

SHA256
954e8bc1f7c07be0f41358f77869d33b8d67b65a5abc46548a043ab425fc277e

SHA512
41c9259a8d8e7bf1b65bf94bd0dd476185b03f3752d89781f12fb5ad72935f643e2202b0473fe419750c7cb9ba325a9f9b5bc8f5cf04b81593e88d039f105382

Download Submit
C:\Users\Admin\AppData\Roaming\F7EC.FC7

Filesize
996B

MD5
616262f7f7ed6242414ac79e60b12593

SHA1
f35d49adb934005f7128c8cad65354776e2c9799

SHA256
9d88344f508006098b8ac1df336c7106f18c94f8510271ff913a60d557efbd8b

SHA512
0b3d512119dc282c495b951822accb9779c89ded86b2e3438f754c1512fca63a5d67a4a84d238662eb688506aff314ac6183b9a970bcebd6b6556501843a47a3

Download Submit
memory/1844-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1844-80-0x0000000000514000-0x0000000000536000-memory.dmp

Filesize
136KB

Download
memory/2412-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2412-6-0x0000000000544000-0x0000000000566000-memory.dmp

Filesize
136KB

Download
memory/2412-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2972-1-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2972-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2972-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2972-174-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads