64880bd6b8eb658f15fa0c5b07aaa15643f5b89ba3b7005615a046826a8bd2e9

General

Target

6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
Size

296KB
MD5

6631b1e738528b27d58be094dc4fe271
SHA1

a0e625253acf317bf3f824015d29ce6a231c083d
SHA256

64880bd6b8eb658f15fa0c5b07aaa15643f5b89ba3b7005615a046826a8bd2e9
SHA512

7a0aed61d9e69963c9f1261261c8a74e1b174390a68b1ab25de446fc5aecb301eef34a760ff86a88f7c3407cb75e80ca7daf9321f569d99e08e1e32ff497d9ff
SSDEEP

6144:/rJIuUB04N3UFFBL9FxkHsmBZ9fafJ1nhe08:/qzVN3OneHseZ45he

Score

8^/10

evasion spyware stealer

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\4012106b	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\eys\ = "Application"	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\eys\shell\open\command\IsolatedCommand = "\"%1\" %*"	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\eys\shell\runas\command\IsolatedCommand = "\"%1\" %*"	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\eys\shell\start\command\IsolatedCommand = "\"%1\" %*"	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\eys\shell\open\command	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\eys\shell	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\eys\shell\runas	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\eys\shell\start\command	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\eys\shell\start	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\eys\shell\runas\command\ = "\"%1\" %*"	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\eys\shell\start\command\ = "\"%1\" %*"	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.exe	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.exe\ = "eys"	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\eys\Content Type = "application/x-msdownload"	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\eys\DefaultIcon	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\eys\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\yah.exe\" -a \"%1\" %*"	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\eys	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\eys\DefaultIcon\ = "%1"	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\eys\shell\open	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\eys\shell\runas\command	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2432	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
2432	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
2432	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
2432	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
2432	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
2432	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2432	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
2432	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
2432	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
2432	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2432	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2432	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
2432	6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6631b1e738528b27d58be094dc4fe271_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pohAB10.tmp

Filesize
139B

MD5
e0ad1bb78a513230e2825add1b5fcea8

SHA1
6ece3010abebe75211f11a5cf9417d9335425bb6

SHA256
54e615060ae280dc0b387e3ebb03491b94718e1b59066d80b6536c3d8b7462f9

SHA512
d9788dade885b5b4b794ca257101e3a9ac1cf369b1ead973eefb29f32872aeeae780580e552947342899e560ca03b141f75091d70799a02e21b77807091d5776

Download Submit
memory/2432-69-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2432-71-0x0000000000A40000-0x0000000000A8DA78-memory.dmp

Filesize
310KB

Download
memory/2432-70-0x0000000000A40000-0x0000000000A86000-memory.dmp

Filesize
280KB

Download
memory/2432-73-0x0000000000A40000-0x0000000000A8DA78-memory.dmp

Filesize
310KB

Download
memory/2432-74-0x0000000000A40000-0x0000000000A8DA78-memory.dmp

Filesize
310KB

Download
memory/2432-75-0x0000000000A40000-0x0000000000A86000-memory.dmp

Filesize
280KB

Download
memory/2432-76-0x0000000000A40000-0x0000000000A8DA78-memory.dmp

Filesize
310KB

Download
memory/2432-77-0x0000000000A40000-0x0000000000A8DA78-memory.dmp

Filesize
310KB

Download
memory/2432-78-0x0000000000A40000-0x0000000000A8DA78-memory.dmp

Filesize
310KB

Download
memory/2432-79-0x0000000000A40000-0x0000000000A8DA78-memory.dmp

Filesize
310KB

Download
memory/2432-80-0x0000000000A40000-0x0000000000A8DA78-memory.dmp

Filesize
310KB

Download
memory/2432-81-0x0000000000A40000-0x0000000000A8DA78-memory.dmp

Filesize
310KB

Download
memory/2432-82-0x0000000000A40000-0x0000000000A8DA78-memory.dmp

Filesize
310KB

Download
memory/2432-83-0x0000000000A40000-0x0000000000A8DA78-memory.dmp

Filesize
310KB

Download
memory/2432-84-0x0000000000A40000-0x0000000000A8DA78-memory.dmp

Filesize
310KB

Download
memory/2432-85-0x0000000000A40000-0x0000000000A8DA78-memory.dmp

Filesize
310KB

Download
memory/2432-86-0x0000000000A40000-0x0000000000A8DA78-memory.dmp

Filesize
310KB

Download

Analysis

Sharing