729d4c268688ff61cf11bf34eeb2f9699dbd0fa7c08b862396847670137e9cfa

General

Target

61ba4e864e63cebea72e0baaf9726eb3_JaffaCakes118.exe
Size

1.6MB
MD5

61ba4e864e63cebea72e0baaf9726eb3
SHA1

2f3306243d12e31f74899bdf1ac8ceacda564d0c
SHA256

729d4c268688ff61cf11bf34eeb2f9699dbd0fa7c08b862396847670137e9cfa
SHA512

a6e5d003596048e665fb08d1254f93d7e5a57fa125303c3659ffb9da2bc56eab601f9e870fdd9e7be620ca70e6f0768be7f5ca5c068f4acc55b252f1a2eccfcc
SSDEEP

49152:01fN5CJGwqES1PJ0mVHYle7gztOraETL9r7:0/UJZ0r7WMay

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2876	cookieman.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	61ba4e864e63cebea72e0baaf9726eb3_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	61ba4e864e63cebea72e0baaf9726eb3_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	61ba4e864e63cebea72e0baaf9726eb3_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2388	61ba4e864e63cebea72e0baaf9726eb3_JaffaCakes118.exe
2388	61ba4e864e63cebea72e0baaf9726eb3_JaffaCakes118.exe
968	61ba4e864e63cebea72e0baaf9726eb3_JaffaCakes118.exe
968	61ba4e864e63cebea72e0baaf9726eb3_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
968	61ba4e864e63cebea72e0baaf9726eb3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	968	61ba4e864e63cebea72e0baaf9726eb3_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
968	61ba4e864e63cebea72e0baaf9726eb3_JaffaCakes118.exe
968	61ba4e864e63cebea72e0baaf9726eb3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 968	2388	61ba4e864e63cebea72e0baaf9726eb3_JaffaCakes118.exe	30
PID 2388 wrote to memory of 968	2388	61ba4e864e63cebea72e0baaf9726eb3_JaffaCakes118.exe	30
PID 2388 wrote to memory of 968	2388	61ba4e864e63cebea72e0baaf9726eb3_JaffaCakes118.exe	30
PID 2388 wrote to memory of 968	2388	61ba4e864e63cebea72e0baaf9726eb3_JaffaCakes118.exe	30
PID 2388 wrote to memory of 968	2388	61ba4e864e63cebea72e0baaf9726eb3_JaffaCakes118.exe	30
PID 2388 wrote to memory of 968	2388	61ba4e864e63cebea72e0baaf9726eb3_JaffaCakes118.exe	30
PID 2388 wrote to memory of 968	2388	61ba4e864e63cebea72e0baaf9726eb3_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\61ba4e864e63cebea72e0baaf9726eb3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\61ba4e864e63cebea72e0baaf9726eb3_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\61ba4e864e63cebea72e0baaf9726eb3_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\61ba4e864e63cebea72e0baaf9726eb3_JaffaCakes118.exe" /wrapper /dir="C:\Users\Admin\AppData\Local\Temp\pkg_1632211760"
  2⤵
  - Checks whether UAC is enabled
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:968
- - C:\Users\Admin\AppData\LocalLow\cookieman.exe
    "C:\Users\Admin\AppData\LocalLow\cookieman.exe" /mode=read installiq.com
    3⤵
    - Executes dropped EXE
    PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\cookie.ini

Filesize
34B

MD5
3f4519b56cb1e006dfe4341e72112913

SHA1
0ff5675d359c898b6a6bdc1dff10f71097bc9927

SHA256
125adf4924899f2026436c0919853bb78b718c7cb6f2187148b01938b79388a2

SHA512
78c0961f0828f32032c643f0e6ab59d1ca8b96bb891a74b0b255e1a1a63a0c581f486e9e16b070399e6365d1fb53464eb2b723932480b41a2df5e9f1eb89ab40

Download Submit
C:\Users\Admin\AppData\LocalLow\cookieman.exe

Filesize
45KB

MD5
d4441d1a5510adac1dd8d20cae473617

SHA1
291dec696b8d5d9adb69928c313b09d57f556436

SHA256
ecd92e081422702d5fe1ddc9c91fe2ec97d92eabad89aed425a9042734be1fd4

SHA512
f0778fe635353db16bd0f07334d3554a218032d01cce9240292610807ca766a7b2ea2bfc9e2149ad1e5b36bab951af76fcee779200cf354b54627059d77f7d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_1632211760\autorun.txt

Filesize
123B

MD5
5c2edd9afb67e8ca5747c0bb306ec33a

SHA1
c20d65ba954ea9a4927c7b5f9df4248bed0cc23e

SHA256
438c211cc16fa4ab56fcbc9dcaae4b60d14faba980fc48072b14920edb7fb264

SHA512
9e22e4001fec7bd96c20e2a4af3fbee46fbd45ded44c7b2eb19e986952a82e449cb931f1239f82e54abf85654721ecbcfb56bd8d0f6fbcaa6eef933c35d80d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_1632211760\wrapper.xml

Filesize
1KB

MD5
3db83f039ef0c6d0f9a2db8e02ab744a

SHA1
f0ef7f3666933e3d46f2467f7a48722078de6615

SHA256
9a7e0e42263fce0d4521921818a757ff2ca485d16052e8e3287bc281a323daf6

SHA512
ba9b807533475d4629b6c798e1fb5ea6a385e26885023461c0167a7effd1878875be5a5c3206c1d04e06c45a929eb841d2bb53663628874b2f030cb2ae0155f1

Download Submit

Analysis

Sharing