14fe806c711ec815199b4660c27c5f13d7f158f9d6618f93fa9093bfab774bd2

General

Target

6429f3042a9be5321cf63dfa78be7342_JaffaCakes118.exe
Size

381KB
MD5

6429f3042a9be5321cf63dfa78be7342
SHA1

cbd3d1df274f2b958bd99c9007975c87e6587020
SHA256

14fe806c711ec815199b4660c27c5f13d7f158f9d6618f93fa9093bfab774bd2
SHA512

98056b3f4ff0bd30987172a897d12ffaf09d6dc8f915a99655cec3996461732d970b160945b7c092fdb8afee6eb79538b5761306883e458938a37bb0ef7a419c
SSDEEP

6144:+BJ5N2PbXisPHGT06wq4JD5BhzD7XuMTPg5EBZHEd0Ev7EM4thGAjaJf76X0rp:+BJ7guoHGo5bBhz/uaYKBp0L7EM4OAWf

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00080000000234f9-6.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2740	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4196-0-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral2/files/0x00080000000234f9-6.dat	upx
behavioral2/memory/2740-8-0x0000000010000000-0x0000000010086000-memory.dmp	upx
behavioral2/memory/4196-9-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral2/memory/2740-11-0x0000000010000000-0x0000000010086000-memory.dmp	upx
behavioral2/memory/2740-13-0x0000000010000000-0x0000000010086000-memory.dmp	upx
behavioral2/memory/2740-23-0x0000000010000000-0x0000000010086000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSIDLL = "C:\\Windows\\SysWOW64\\rundll32.exe msirbg32.dll,CjtYgtoFpm"	6429f3042a9be5321cf63dfa78be7342_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msirbg32.dll	6429f3042a9be5321cf63dfa78be7342_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msirbg32.dll	6429f3042a9be5321cf63dfa78be7342_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3196	4196	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4196	6429f3042a9be5321cf63dfa78be7342_JaffaCakes118.exe
4196	6429f3042a9be5321cf63dfa78be7342_JaffaCakes118.exe
4196	6429f3042a9be5321cf63dfa78be7342_JaffaCakes118.exe
4196	6429f3042a9be5321cf63dfa78be7342_JaffaCakes118.exe
4196	6429f3042a9be5321cf63dfa78be7342_JaffaCakes118.exe
4196	6429f3042a9be5321cf63dfa78be7342_JaffaCakes118.exe
4196	6429f3042a9be5321cf63dfa78be7342_JaffaCakes118.exe
4196	6429f3042a9be5321cf63dfa78be7342_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 2740	4196	6429f3042a9be5321cf63dfa78be7342_JaffaCakes118.exe	87
PID 4196 wrote to memory of 2740	4196	6429f3042a9be5321cf63dfa78be7342_JaffaCakes118.exe	87
PID 4196 wrote to memory of 2740	4196	6429f3042a9be5321cf63dfa78be7342_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\6429f3042a9be5321cf63dfa78be7342_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6429f3042a9be5321cf63dfa78be7342_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\SysWOW64\rundll32.exe msirbg32.dll,CjtYgtoFpm
  2⤵
  - Loads dropped DLL
  PID:2740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 720
  2⤵
  - Program crash
  PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4196 -ip 4196
1⤵
PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msirbg32.dll

Filesize
171KB

MD5
458c1ef50a524035b86a7584c4342ca9

SHA1
0c89770b07906e3cc0df97c1c709da957b58446d

SHA256
87a10aa72229f3c1fc81cf6aed53831ec87266b3e0b90d28bc0ef804487a41f2

SHA512
5562e7f6b6f3cf8ebfe32bd48f05f2eee3886411ab7da70e31adeed20fc5534b9f2489ab0afcb61d1cf778fcee1525deb245fa53cc3074ad3e73da79ddc59d1d

Download Submit
memory/2740-8-0x0000000010000000-0x0000000010086000-memory.dmp

Filesize
536KB

Download
memory/2740-11-0x0000000010000000-0x0000000010086000-memory.dmp

Filesize
536KB

Download
memory/2740-13-0x0000000010000000-0x0000000010086000-memory.dmp

Filesize
536KB

Download
memory/2740-23-0x0000000010000000-0x0000000010086000-memory.dmp

Filesize
536KB

Download
memory/4196-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4196-1-0x0000000000A60000-0x0000000000ABA000-memory.dmp

Filesize
360KB

Download
memory/4196-2-0x0000000002970000-0x00000000029F6000-memory.dmp

Filesize
536KB

Download
memory/4196-3-0x0000000002970000-0x00000000029F6000-memory.dmp

Filesize
536KB

Download
memory/4196-5-0x0000000002970000-0x00000000029F6000-memory.dmp

Filesize
536KB

Download
memory/4196-9-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4196-10-0x0000000000A60000-0x0000000000ABA000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads