4b740923c876de96fe602bfac8f82c1eb20dea4f67606d2541aab54a797d34f2

General

Target

64512d67804969f69ee779cc1c593d1b_JaffaCakes118.exe
Size

164KB
MD5

64512d67804969f69ee779cc1c593d1b
SHA1

6ccf691de78fc47dfe09ead8022c14f393f92e16
SHA256

4b740923c876de96fe602bfac8f82c1eb20dea4f67606d2541aab54a797d34f2
SHA512

9596ada94d6a0c59386f44fcfb4f1be272e572a2f75b5c17552d995e360b4ca9f6e0d73d1071962ea0df77d391ee5d9b5ce8990618d59430bb29df01f2250aea
SSDEEP

3072:/mKFB5pMTaO0etKI1rCSo+QDYr994NXyTMR0hwcsItHXD1NU0brU+:/mKFgvKI5Tj9+XiMWwcNt35NrfU

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\9291B\\3B37D.exe"	64512d67804969f69ee779cc1c593d1b_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2852-2-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2852-3-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2652-13-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2852-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2044-132-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2044-133-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2852-135-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2852-247-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2652-249-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2852-311-0x0000000000400000-0x0000000000490000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2652	2852	64512d67804969f69ee779cc1c593d1b_JaffaCakes118.exe	30
PID 2852 wrote to memory of 2652	2852	64512d67804969f69ee779cc1c593d1b_JaffaCakes118.exe	30
PID 2852 wrote to memory of 2652	2852	64512d67804969f69ee779cc1c593d1b_JaffaCakes118.exe	30
PID 2852 wrote to memory of 2652	2852	64512d67804969f69ee779cc1c593d1b_JaffaCakes118.exe	30
PID 2852 wrote to memory of 2044	2852	64512d67804969f69ee779cc1c593d1b_JaffaCakes118.exe	32
PID 2852 wrote to memory of 2044	2852	64512d67804969f69ee779cc1c593d1b_JaffaCakes118.exe	32
PID 2852 wrote to memory of 2044	2852	64512d67804969f69ee779cc1c593d1b_JaffaCakes118.exe	32
PID 2852 wrote to memory of 2044	2852	64512d67804969f69ee779cc1c593d1b_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\64512d67804969f69ee779cc1c593d1b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\64512d67804969f69ee779cc1c593d1b_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\64512d67804969f69ee779cc1c593d1b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\64512d67804969f69ee779cc1c593d1b_JaffaCakes118.exe startC:\Program Files (x86)\LP\7D69\21B.exe%C:\Program Files (x86)\LP\7D69
  2⤵
  PID:2652
- C:\Users\Admin\AppData\Local\Temp\64512d67804969f69ee779cc1c593d1b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\64512d67804969f69ee779cc1c593d1b_JaffaCakes118.exe startC:\Program Files (x86)\1B267\lvvm.exe%C:\Program Files (x86)\1B267
  2⤵
  PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\9291B\B267.291

Filesize
996B

MD5
1b624b96805a1058af4de01f5a361279

SHA1
06d595ddfc5e23702003545c71b8c3cefc277fc5

SHA256
9653667b90e938e3d8ddb7f28cf602890bbc77d24e509bd4a4b7342d38b5a0a0

SHA512
5dc4f13396fea0510580010ad716637c5f2b40decf4554554eb78db5754c04092cfdba38712e3f122e92fe68991f4658722475e358f57f31e716c9e93a675155

Download Submit
C:\Users\Admin\AppData\Roaming\9291B\B267.291

Filesize
1KB

MD5
841acfbe9c58879d5826ed2f62895263

SHA1
faa7970e6d97f83c17e26283cc33ea0089a3c82b

SHA256
8d99e8643f882b27d1f0c0b77fd424377ceba4e032e69dff5e9d95c5a26201b3

SHA512
2ec910c29c9d9df4ccd1dbbe3f8c7ace5460997345f7fb111490781491e917d59a14c71c270b241f34b312c6948a1812be788d7e2fa28d2bc5af58ddeb628e25

Download Submit
C:\Users\Admin\AppData\Roaming\9291B\B267.291

Filesize
600B

MD5
3174e7cea2c674bbd03107a783bd676f

SHA1
b99e1f75926bf0a6569d8b9621b0ed57bfb4a601

SHA256
9ed5e05d3ed5ffb3ec8f7989374ff7b4e62d8d052bdf3de77c82060ae8bb5d84

SHA512
780e04d8f776787103214272a8377d545db39b0b92c005f138eff1f0e143222c21d9ae5b6f628bd425f941c7f9450f7867a024e3fce97b7bceacb27346fe027e

Download Submit
memory/2044-132-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2044-133-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2044-134-0x0000000000337000-0x000000000034B000-memory.dmp

Filesize
80KB

Download
memory/2652-13-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2652-14-0x00000000005F7000-0x000000000060B000-memory.dmp

Filesize
80KB

Download
memory/2652-249-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2852-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2852-135-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2852-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2852-247-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2852-3-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2852-311-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads