e6055d33b683f98ce3a40be5fe1465a2e225d107e8347bc94614fee10f8db208

General

Target

688051f1af6a88e9cf8b371d62e9baa8_JaffaCakes118.exe
Size

172KB
MD5

688051f1af6a88e9cf8b371d62e9baa8
SHA1

213c61d9e9a6f8e270a0db4b66f996cfe570bb4a
SHA256

e6055d33b683f98ce3a40be5fe1465a2e225d107e8347bc94614fee10f8db208
SHA512

6f6c21b98d80af6c0e7e741b2beb7cf7fd5715336c61d8eecf6254e62a035ef3326b3a62febc1b88969c78cdc39b312db8e645719af64b87a53f2cde743febd8
SSDEEP

3072:VCF6f1P8S92LGWuko2kr+1GA20i2tU/z6qJP2Pqb6ot5PLLtK9jpduIvR:VCF6+tCJkop+0A/kBPiq5t5PLRK97bR

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3024-1-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1036-4-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/3024-12-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2600-69-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2600-71-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/3024-72-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/3024-165-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/3024-204-0x0000000000400000-0x000000000043E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	688051f1af6a88e9cf8b371d62e9baa8_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	688051f1af6a88e9cf8b371d62e9baa8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	688051f1af6a88e9cf8b371d62e9baa8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	688051f1af6a88e9cf8b371d62e9baa8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 1036	3024	688051f1af6a88e9cf8b371d62e9baa8_JaffaCakes118.exe	31
PID 3024 wrote to memory of 1036	3024	688051f1af6a88e9cf8b371d62e9baa8_JaffaCakes118.exe	31
PID 3024 wrote to memory of 1036	3024	688051f1af6a88e9cf8b371d62e9baa8_JaffaCakes118.exe	31
PID 3024 wrote to memory of 1036	3024	688051f1af6a88e9cf8b371d62e9baa8_JaffaCakes118.exe	31
PID 3024 wrote to memory of 2600	3024	688051f1af6a88e9cf8b371d62e9baa8_JaffaCakes118.exe	33
PID 3024 wrote to memory of 2600	3024	688051f1af6a88e9cf8b371d62e9baa8_JaffaCakes118.exe	33
PID 3024 wrote to memory of 2600	3024	688051f1af6a88e9cf8b371d62e9baa8_JaffaCakes118.exe	33
PID 3024 wrote to memory of 2600	3024	688051f1af6a88e9cf8b371d62e9baa8_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\688051f1af6a88e9cf8b371d62e9baa8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\688051f1af6a88e9cf8b371d62e9baa8_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\688051f1af6a88e9cf8b371d62e9baa8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\688051f1af6a88e9cf8b371d62e9baa8_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1036
- C:\Users\Admin\AppData\Local\Temp\688051f1af6a88e9cf8b371d62e9baa8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\688051f1af6a88e9cf8b371d62e9baa8_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\14BA.44F

Filesize
1KB

MD5
eb51bdce240d7d66be9fe89bb5196785

SHA1
48c99571359d116017b5fee1aa498685bd15542a

SHA256
382861e5eab2110d7916dff595d057bef870350e478d9d9e78226e3099ed7c1a

SHA512
b639a87e86396685bfde1714d17caded58462360e074b439e749623ea6fe668671442ef4898aebcea692196962dae9afb15085c5147d6d0bb3546895277ecb89

Download Submit
C:\Users\Admin\AppData\Roaming\14BA.44F

Filesize
600B

MD5
8825953a8746aa6ca1fc79bc98cfe85c

SHA1
570ae95f4c8c72b26e9838c7cd62ee520c67ab23

SHA256
1bf779b15742e766a3bcaecbb056ff3332367d77afc85f2b9a564c32699479c6

SHA512
3a44a67f7a4970541d125819bc1b85ca8eb2a4e22a75a3f1e8bc7fddb9d182afc126477d9bfa733031e4f62a6fbc60d4220f4c0b1a6e104bd65457bdd0b68042

Download Submit
C:\Users\Admin\AppData\Roaming\14BA.44F

Filesize
996B

MD5
5a4ab2160505b96ab33ebf39324150a0

SHA1
284420c7928cbfeb9e79c0420c961fb857588ed7

SHA256
cf3d27a42ead5577615211428cfaf15e6a30710e838db2a4011b8ab32cee45d5

SHA512
28dddebd74496348d3ba1b43da85163285b4d3bbee6ba74f9dd04fb6606c7319c797d274199ca430ffe1a542353d825051b5e9227b720bd9d33064dcda29f6e7

Download Submit
memory/1036-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1036-5-0x00000000005E5000-0x000000000060C000-memory.dmp

Filesize
156KB

Download
memory/2600-69-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2600-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3024-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3024-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3024-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3024-165-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3024-204-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads