f54d6c25d170a5ea3af6bc70f0565f349d35b9ef0d1b1f28b826ea3fb05c5ea3

General

Target

59b76d02fe8a1b203214a9ccd414df87_JaffaCakes118.exe
Size

888KB
MD5

59b76d02fe8a1b203214a9ccd414df87
SHA1

0ee62ca868fd6cc5d013c027bd30f98b7a05e054
SHA256

f54d6c25d170a5ea3af6bc70f0565f349d35b9ef0d1b1f28b826ea3fb05c5ea3
SHA512

cf1ff96692999f1e0ba9ddfad4ba29ffc8c3ec3d549b534913b4512b70f2b1259b60bddc83f99cba63142beabe534b0f5bc3127a97e72f3cc77573c09467a84b
SSDEEP

24576:WwIxB2m6kgFlqx1/jI75Wc5BYWmQIx0SYOXcttL:WwCB21FUxyv0x0SKtJ

Score

8^/10

evasion spyware stealer

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
2548	59b76d02fe8a1b203214a9ccd414df87_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
2384	59b76d02fe8a1b203214a9ccd414df87_JaffaCakes118.exe
2548	59b76d02fe8a1b203214a9ccd414df87_JaffaCakes118.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	checkip.dyndns.org

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\DXM.REG	cmd.exe
File opened for modification	C:\Windows\DXM.reg	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
2820	regedit.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2384	59b76d02fe8a1b203214a9ccd414df87_JaffaCakes118.exe
2548	59b76d02fe8a1b203214a9ccd414df87_JaffaCakes118.exe
2548	59b76d02fe8a1b203214a9ccd414df87_JaffaCakes118.exe
2548	59b76d02fe8a1b203214a9ccd414df87_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2548	2384	59b76d02fe8a1b203214a9ccd414df87_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2548	2384	59b76d02fe8a1b203214a9ccd414df87_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2548	2384	59b76d02fe8a1b203214a9ccd414df87_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2548	2384	59b76d02fe8a1b203214a9ccd414df87_JaffaCakes118.exe	30
PID 2548 wrote to memory of 3052	2548	59b76d02fe8a1b203214a9ccd414df87_JaffaCakes118.exe	31
PID 2548 wrote to memory of 3052	2548	59b76d02fe8a1b203214a9ccd414df87_JaffaCakes118.exe	31
PID 2548 wrote to memory of 3052	2548	59b76d02fe8a1b203214a9ccd414df87_JaffaCakes118.exe	31
PID 2548 wrote to memory of 3052	2548	59b76d02fe8a1b203214a9ccd414df87_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2820	3052	cmd.exe	33
PID 3052 wrote to memory of 2820	3052	cmd.exe	33
PID 3052 wrote to memory of 2820	3052	cmd.exe	33
PID 3052 wrote to memory of 2820	3052	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\59b76d02fe8a1b203214a9ccd414df87_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\59b76d02fe8a1b203214a9ccd414df87_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Roaming\Sysutils_Update\59b76d02fe8a1b203214a9ccd414df87_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Roaming\Sysutils_Update\59b76d02fe8a1b203214a9ccd414df87_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Roaming\Sysutils_Update\lahvwahvbavwav.bat" "
    3⤵
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\DXM.reg
      4⤵
      Runs .reg file with regedit
      PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Sysutils_Update\lahvwahvbavwav.bat

Filesize
410B

MD5
34aa5ef73b11bd509639b52cd6749302

SHA1
190eb110d50c34345411e60cbfb05beb69432928

SHA256
79753e0d0f300beb999f83d76b7dbec58ded4b1c470cf4777cda1856c10d6595

SHA512
15fceafb6848ca54e59a1b7433f5f6df1933a02b3df940df47c6d981d1029f8af3df9eed1d846d954ac6efbe2166a91e72be6dced3a20e1146ca6f5987e1d5bf

Download Submit
C:\Windows\DXM.REG

Filesize
229B

MD5
71ffad4df24e8ec99306a969b4a5fba3

SHA1
288f86a641e9497144070aa8139a97aac2b1c45f

SHA256
ad0e8e7eccc8cca18156391eb0903ba61cfbf88a9633d563c026b8a85517d5bf

SHA512
17e3892e5ac5a8c484da25e86abc75129d2bf9c4d34119c2f2f3c4ea817666027918f68199bad57308e4bbada5770abb079b007ed0846cb61f5c68022dd8b72d

Download Submit
\Users\Admin\AppData\Roaming\Sysutils_Update\59b76d02fe8a1b203214a9ccd414df87_JaffaCakes118.exe

Filesize
888KB

MD5
59b76d02fe8a1b203214a9ccd414df87

SHA1
0ee62ca868fd6cc5d013c027bd30f98b7a05e054

SHA256
f54d6c25d170a5ea3af6bc70f0565f349d35b9ef0d1b1f28b826ea3fb05c5ea3

SHA512
cf1ff96692999f1e0ba9ddfad4ba29ffc8c3ec3d549b534913b4512b70f2b1259b60bddc83f99cba63142beabe534b0f5bc3127a97e72f3cc77573c09467a84b

Download Submit
memory/2384-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2384-9-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2548-7-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2548-27-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download

Analysis

Sharing