2ddc92cc96ea02e999b5faa1569298929fd4e3b03ce0b05e80d6c14f28a689a9

General

Target

65675cb4be666d32e4c3acc463a01ca9_JaffaCakes118.exe
Size

175KB
MD5

65675cb4be666d32e4c3acc463a01ca9
SHA1

7569ad61222cf801a4eb1e72db6bdddbb39dd2a8
SHA256

2ddc92cc96ea02e999b5faa1569298929fd4e3b03ce0b05e80d6c14f28a689a9
SHA512

f05951fc19c4dc585e92c02d8e73304378c214d95bcb071c2f80924792818803044dbf510e73a2fb61ff3760eb28af2e38e41a62202d395057266a74fcf97ada
SSDEEP

3072:w6aWdDY8qONKMY0llXF+mLRBFHPZV4i1J0fbyBvEVwOzAfN8kEfnkJB5S0w:w6awDY8qOBllVHLRBFvtkXeO+o6u

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	65675cb4be666d32e4c3acc463a01ca9_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2296-2-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1724-13-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1724-11-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2516-77-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2296-79-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2296-178-0x0000000000400000-0x000000000046E000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 1724	2296	65675cb4be666d32e4c3acc463a01ca9_JaffaCakes118.exe	28
PID 2296 wrote to memory of 1724	2296	65675cb4be666d32e4c3acc463a01ca9_JaffaCakes118.exe	28
PID 2296 wrote to memory of 1724	2296	65675cb4be666d32e4c3acc463a01ca9_JaffaCakes118.exe	28
PID 2296 wrote to memory of 1724	2296	65675cb4be666d32e4c3acc463a01ca9_JaffaCakes118.exe	28
PID 2296 wrote to memory of 2516	2296	65675cb4be666d32e4c3acc463a01ca9_JaffaCakes118.exe	30
PID 2296 wrote to memory of 2516	2296	65675cb4be666d32e4c3acc463a01ca9_JaffaCakes118.exe	30
PID 2296 wrote to memory of 2516	2296	65675cb4be666d32e4c3acc463a01ca9_JaffaCakes118.exe	30
PID 2296 wrote to memory of 2516	2296	65675cb4be666d32e4c3acc463a01ca9_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\65675cb4be666d32e4c3acc463a01ca9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65675cb4be666d32e4c3acc463a01ca9_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\65675cb4be666d32e4c3acc463a01ca9_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\65675cb4be666d32e4c3acc463a01ca9_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:1724
- C:\Users\Admin\AppData\Local\Temp\65675cb4be666d32e4c3acc463a01ca9_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\65675cb4be666d32e4c3acc463a01ca9_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\54F3.657

Filesize
600B

MD5
aebec0014f138ac2778b5f50abec86a9

SHA1
2f0dc33fac5a395c2a1701ee52907208b1b0232d

SHA256
c2124d665741f656bd47ffdd1de0409b53b3eb484be2aae1a0cb64808c195c3b

SHA512
f35eb015c52ba9b79d9730235aecc3137ec468d45e0b81938b80a2d7a15da3f4a356ea09e9ccc7fe36778031542e8fe9eb73bea8283710122cad842839961634

Download Submit
C:\Users\Admin\AppData\Roaming\54F3.657

Filesize
1KB

MD5
2f6b188ac496a4dd65a88d4ec825e1c4

SHA1
615805000f65c726cb0fd74a1f29e25522463062

SHA256
e3e5c5e15beabc3bab421e681033b155e987b4e5d01ceb388e608a34ccfae3b0

SHA512
c4051ca6d36939150eed115eb866984d3d3428a902881e18b504946cbb3f3a310e677ba01500a78282a9724cd7d0a1f22898f5f597a38a46651f954eb92bafe2

Download Submit
C:\Users\Admin\AppData\Roaming\54F3.657

Filesize
996B

MD5
278663ccbfff120dcdca4d92cbfd4b2b

SHA1
79f8c165d9661185b2affd3f5cefcca8f4e4156d

SHA256
875fd9d7633262941835d1aabbafd9a836e0f2167b2412c6e2f2a6284178ea14

SHA512
b04559bffd585f086dee0f32cfb5e661f41edab6dd73acbf5f7d82c720aae39b23e373dccdffbdb2571032c06652f66fa562855b8b2a9482b7afd378845c0a7c

Download Submit
memory/1724-12-0x0000000000915000-0x000000000092F000-memory.dmp

Filesize
104KB

Download
memory/1724-13-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1724-11-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1724-145-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2296-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2296-79-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2296-178-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2516-77-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2516-78-0x00000000005C5000-0x00000000005DF000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads