c87a33fdf7904a1852c9e89a792e46d85f1e45d9b9825e0cd33aa21f0f2a6afa

General

Target

4d1ed03aa98589771cd225b96e156863_JaffaCakes118.exe
Size

165KB
MD5

4d1ed03aa98589771cd225b96e156863
SHA1

0e6de60e36d7bb1a005d7f746898c1bc97dd2f17
SHA256

c87a33fdf7904a1852c9e89a792e46d85f1e45d9b9825e0cd33aa21f0f2a6afa
SHA512

922397a1890a4b26057fa342cfb9097ab3a366e26c196f8a578b8d56ff259fcc77fb7bf4afb651bc03e21f603d325af489852ca7b71e908df967738f37b0d815
SSDEEP

3072:9mdi9yWdWEQeKrBNFrq4wKdo9dCos+vPJf/63ASrIcZAl4fb0PGWrxJ/:N9y8urTJq4DdoDC8nNK8c1bub

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\2D016\\527E3.exe"	4d1ed03aa98589771cd225b96e156863_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2672-2-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2672-3-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2892-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2892-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2672-17-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1572-125-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1572-124-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2672-126-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2672-230-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2672-301-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2892	2672	4d1ed03aa98589771cd225b96e156863_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2892	2672	4d1ed03aa98589771cd225b96e156863_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2892	2672	4d1ed03aa98589771cd225b96e156863_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2892	2672	4d1ed03aa98589771cd225b96e156863_JaffaCakes118.exe	30
PID 2672 wrote to memory of 1572	2672	4d1ed03aa98589771cd225b96e156863_JaffaCakes118.exe	32
PID 2672 wrote to memory of 1572	2672	4d1ed03aa98589771cd225b96e156863_JaffaCakes118.exe	32
PID 2672 wrote to memory of 1572	2672	4d1ed03aa98589771cd225b96e156863_JaffaCakes118.exe	32
PID 2672 wrote to memory of 1572	2672	4d1ed03aa98589771cd225b96e156863_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\4d1ed03aa98589771cd225b96e156863_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4d1ed03aa98589771cd225b96e156863_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\4d1ed03aa98589771cd225b96e156863_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\4d1ed03aa98589771cd225b96e156863_JaffaCakes118.exe startC:\Program Files (x86)\LP\E3B2\146.exe%C:\Program Files (x86)\LP\E3B2
  2⤵
  PID:2892
- C:\Users\Admin\AppData\Local\Temp\4d1ed03aa98589771cd225b96e156863_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\4d1ed03aa98589771cd225b96e156863_JaffaCakes118.exe startC:\Program Files (x86)\16CA3\lvvm.exe%C:\Program Files (x86)\16CA3
  2⤵
  PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2D016\6CA3.D01

Filesize
996B

MD5
27d73bc05ce00aef502f65858ee22a18

SHA1
14304792977644470494228a7523082c27a515f1

SHA256
8b4acfe379b1e5f2310f09d4d31c260f46b286c64dbbfb3bd61d15d7952ac713

SHA512
2486c4cd45fc35c937722761bc660ff40ba65f3a0abf8e2bff5dd7e863f12ddd379657c3fc158a9b941d9d06da703b067d430f984eeba0884bd144ab2285a88a

Download Submit
C:\Users\Admin\AppData\Roaming\2D016\6CA3.D01

Filesize
600B

MD5
d3288e66ecdccc122ad5ab2fc5bb1015

SHA1
07a89edfd5548e26ed678a1473b5e3914753cf96

SHA256
aa139bcd226e40eff647e9f4b947b9a7f3b28432213917533369f4516a7c8500

SHA512
cfa9c486b230a931da18be4012bf080c3709f431448f89cf9ab5d17c7dfdedb75697397b5676d3243505214f13b30b94620c5d25dd541c649ef6a44beade5d16

Download Submit
C:\Users\Admin\AppData\Roaming\2D016\6CA3.D01

Filesize
1KB

MD5
456a7bb655868a4042aeb5b66b0c9261

SHA1
3b3d27f9022aee1105533cc3533b5a5c922adc13

SHA256
5cf8ba0e772608b204341e7b469dba22c013340d44f972c31764cf25501d1bff

SHA512
198ce9e49a22ba2ec41b5156966b7a1ff424d60e46525805d08f1da82dea7f21aa9a903afca006ff3aa396b1fae2993b2f9a212ed6bcf42677486ab3f685e9f4

Download Submit
memory/1572-124-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1572-125-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2672-126-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2672-17-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2672-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2672-3-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2672-230-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2672-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2672-301-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2892-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2892-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads