e064ca1075f4b2861fcc65313b8fb37bf62435097ebd2cc2d654dae23245224c

General

Target

42cf356e8b757fed71f7747118655d2c_JaffaCakes118.exe
Size

194KB
MD5

42cf356e8b757fed71f7747118655d2c
SHA1

d85cab75a7e12f7e1cf59503b954a7608531011c
SHA256

e064ca1075f4b2861fcc65313b8fb37bf62435097ebd2cc2d654dae23245224c
SHA512

eaac5602069d88d297c6a217dbe10629037daa27445be55e790274fd19dcc0ef7fd1cbf0b260ef65386cc311bbb596cc6a33bd73bc7e0628c5d61f417902a6fc
SSDEEP

6144:BjcsqnZvGULew8v6m9HKOos+h4+nTSjbxIAZ/M:SfAk8x9Fos6nmn7NM

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	42cf356e8b757fed71f7747118655d2c_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1908-1-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/1908-3-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2820-13-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/1908-14-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/1480-74-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/1480-76-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/1908-77-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/1908-181-0x0000000000400000-0x0000000000470000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2820	1908	42cf356e8b757fed71f7747118655d2c_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2820	1908	42cf356e8b757fed71f7747118655d2c_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2820	1908	42cf356e8b757fed71f7747118655d2c_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2820	1908	42cf356e8b757fed71f7747118655d2c_JaffaCakes118.exe	31
PID 1908 wrote to memory of 1480	1908	42cf356e8b757fed71f7747118655d2c_JaffaCakes118.exe	33
PID 1908 wrote to memory of 1480	1908	42cf356e8b757fed71f7747118655d2c_JaffaCakes118.exe	33
PID 1908 wrote to memory of 1480	1908	42cf356e8b757fed71f7747118655d2c_JaffaCakes118.exe	33
PID 1908 wrote to memory of 1480	1908	42cf356e8b757fed71f7747118655d2c_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\42cf356e8b757fed71f7747118655d2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\42cf356e8b757fed71f7747118655d2c_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\42cf356e8b757fed71f7747118655d2c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\42cf356e8b757fed71f7747118655d2c_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\42cf356e8b757fed71f7747118655d2c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\42cf356e8b757fed71f7747118655d2c_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\796E.6C8

Filesize
1KB

MD5
74199d9813732a6401be79e23e66afb1

SHA1
bd09ddc50276743a7ef2b164ae453ee2be119dae

SHA256
00ebbfc972e4efa1adbfd85127df963ec653d62a41756ee950814708d98336be

SHA512
f5fb3c8b7198b64356b14566aa6a48aabe3dde654e57fe10fc6898c80aedf9f6ca4b98746c8111deb6a7f29219fb36ff73f0ceb2dc1cb89bfb96b8718dfbc7ec

Download Submit
C:\Users\Admin\AppData\Roaming\796E.6C8

Filesize
600B

MD5
013dbdfe426d4e2fa7060d1eb2924092

SHA1
9a90760b412c29b6f3b1d14d49ddd82e331fe4f5

SHA256
d8f060b6f4d2ed3b13b2def4ce6598f02715ec0bd67fe873249e853e644dc336

SHA512
f7fbcc9e8bef683dc032e693cb314e0fa793c50f17f7f5a606deb8e72b3ac79ac1430ceeffb87796b20c04d8474030c27f0704938a8d45be424728371c09ea65

Download Submit
C:\Users\Admin\AppData\Roaming\796E.6C8

Filesize
996B

MD5
f2db317063e283bac182b79e8ae09298

SHA1
65b139b225f155b94dd9cb4502319a930fad5d60

SHA256
7d88454f39a97e0dfc019ad6b0844fb102f7c70198418511e159d3d44e299b23

SHA512
8012c879844592a47cfb297da7c5b5c47126817bffed466b2a6be9576decfa5b16fd22087ec8894874a4badad89353effeb8b96b38e26cb364f8861feb160195

Download Submit
memory/1480-74-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1480-76-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1908-1-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1908-3-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1908-14-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1908-77-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1908-181-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2820-13-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads