14810b5d44de87d87ef0cc5ff3d27b89ce67d67d91b85b95124e270472dbff6a

General

Target

59a26f36611a8cd5d55d81e62e77cb27_JaffaCakes118.exe
Size

182KB
MD5

59a26f36611a8cd5d55d81e62e77cb27
SHA1

9f28e2374d4f68f4077c634dce69883725e3da95
SHA256

14810b5d44de87d87ef0cc5ff3d27b89ce67d67d91b85b95124e270472dbff6a
SHA512

e457a7e9c5c4b8a0d3f431abe2c75997f2c98758c42cc0c123ffa761b7fcce528788a632887b281b85ac2385e334016aab136b7e072300e5f26a11761210f08a
SSDEEP

3072:jg7Df4l6JrOJtdtOT4q0nmDM5qD5nAICAfxx2YltgDZmPSg4FdiJ2NPI9fh4:jg3G6JyJ1Ot0n7kDxwAfL2stgDLg4eJW

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	59a26f36611a8cd5d55d81e62e77cb27_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2340-2-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/1352-12-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/1352-11-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/1352-14-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2340-76-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2572-79-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2572-78-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2340-193-0x0000000000400000-0x000000000048C000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 1352	2340	59a26f36611a8cd5d55d81e62e77cb27_JaffaCakes118.exe	31
PID 2340 wrote to memory of 1352	2340	59a26f36611a8cd5d55d81e62e77cb27_JaffaCakes118.exe	31
PID 2340 wrote to memory of 1352	2340	59a26f36611a8cd5d55d81e62e77cb27_JaffaCakes118.exe	31
PID 2340 wrote to memory of 1352	2340	59a26f36611a8cd5d55d81e62e77cb27_JaffaCakes118.exe	31
PID 2340 wrote to memory of 2572	2340	59a26f36611a8cd5d55d81e62e77cb27_JaffaCakes118.exe	33
PID 2340 wrote to memory of 2572	2340	59a26f36611a8cd5d55d81e62e77cb27_JaffaCakes118.exe	33
PID 2340 wrote to memory of 2572	2340	59a26f36611a8cd5d55d81e62e77cb27_JaffaCakes118.exe	33
PID 2340 wrote to memory of 2572	2340	59a26f36611a8cd5d55d81e62e77cb27_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\59a26f36611a8cd5d55d81e62e77cb27_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\59a26f36611a8cd5d55d81e62e77cb27_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\59a26f36611a8cd5d55d81e62e77cb27_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\59a26f36611a8cd5d55d81e62e77cb27_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:1352
- C:\Users\Admin\AppData\Local\Temp\59a26f36611a8cd5d55d81e62e77cb27_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\59a26f36611a8cd5d55d81e62e77cb27_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\856C.31B

Filesize
1KB

MD5
4cd1649f798a0d692e058e48855be6b0

SHA1
bed91c651c96ffce23309c496f425d78c4c4b363

SHA256
9300b5323ac8cdef9bfa90ed888e3759b8ee413cfacf689587cd5a3b907e91f6

SHA512
03c7625695af501f91d14c53926973678c823e95c575d90b1d6590de2e3170b7d6e34827c1889c30bcb382f29822f95f47bf61799084c7800cea3d731f67d885

Download Submit
C:\Users\Admin\AppData\Roaming\856C.31B

Filesize
600B

MD5
41906deec1bb3fe1dc9798625548a959

SHA1
9334c26328d240dd20f27183841577d211effd82

SHA256
14993ca8c4370003a4187acc49673f5137c7e8311b1630680832c9945e45fb62

SHA512
cb9f43031e78cedaad8520a85bfedb98dccc7d17a5c7a4bf4d1e97dc0cd417556c3419e7e6c147ffd7b8bc2fcbe855ed0bcd4487b406f363cfe7a49998ed3910

Download Submit
C:\Users\Admin\AppData\Roaming\856C.31B

Filesize
996B

MD5
5d75dd34eadf1d505198015f4c636aed

SHA1
cb53be7e87ed867794ba4ab118fed7e6bbc19f12

SHA256
807966f413c2d430bee2fc4921865de4cec96db7cfb45a766956e3f3019fdcde

SHA512
530253e963bb1517519fc9aa69ed3fc2ded2e1d0431eee26e63bd38d141ed0307622882f231c4960313cf37ee1ce349e782fc97630173db04d969935dca2c22c

Download Submit
memory/1352-12-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1352-11-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1352-14-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2340-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2340-76-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2340-193-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2572-79-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2572-78-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads