6075ef96eb7b8c6c4c6dcda7111b616780bb147b062769854c2da029d787fa05

General

Target

69f4dfbd548a3086909345a80f8769b5_JaffaCakes118.exe
Size

270KB
MD5

69f4dfbd548a3086909345a80f8769b5
SHA1

16f5331e1b474f03b7078a6853cf4c728825bbb7
SHA256

6075ef96eb7b8c6c4c6dcda7111b616780bb147b062769854c2da029d787fa05
SHA512

087309aaf4d183eb492d49625535e7e74adf76947fdd0b94073bb4c10854727ab3db9ccca4a4417b3ca64fdcbf7f7f0ef8ba4644a6c7c239fe9a9ba9ae307c27
SSDEEP

6144:dsSQpKS8uLhJfqyKy6+BNViBY4NE+4xqoQT0Lrz:dscuLL++BuVssXsr

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2628-3-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2628-1-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/1240-12-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/1240-14-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2116-74-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2628-76-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2628-180-0x0000000000400000-0x0000000000462000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\971.exe = "C:\\Program Files (x86)\\Internet Explorer\\D3A2\\971.exe"	69f4dfbd548a3086909345a80f8769b5_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\D3A2\971.exe	69f4dfbd548a3086909345a80f8769b5_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69f4dfbd548a3086909345a80f8769b5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69f4dfbd548a3086909345a80f8769b5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69f4dfbd548a3086909345a80f8769b5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 1240	2628	69f4dfbd548a3086909345a80f8769b5_JaffaCakes118.exe	31
PID 2628 wrote to memory of 1240	2628	69f4dfbd548a3086909345a80f8769b5_JaffaCakes118.exe	31
PID 2628 wrote to memory of 1240	2628	69f4dfbd548a3086909345a80f8769b5_JaffaCakes118.exe	31
PID 2628 wrote to memory of 1240	2628	69f4dfbd548a3086909345a80f8769b5_JaffaCakes118.exe	31
PID 2628 wrote to memory of 2116	2628	69f4dfbd548a3086909345a80f8769b5_JaffaCakes118.exe	33
PID 2628 wrote to memory of 2116	2628	69f4dfbd548a3086909345a80f8769b5_JaffaCakes118.exe	33
PID 2628 wrote to memory of 2116	2628	69f4dfbd548a3086909345a80f8769b5_JaffaCakes118.exe	33
PID 2628 wrote to memory of 2116	2628	69f4dfbd548a3086909345a80f8769b5_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\69f4dfbd548a3086909345a80f8769b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69f4dfbd548a3086909345a80f8769b5_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Local\Temp\69f4dfbd548a3086909345a80f8769b5_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\69f4dfbd548a3086909345a80f8769b5_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\2B1D8\6EED3.exe%C:\Users\Admin\AppData\Roaming\2B1D8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1240
- C:\Users\Admin\AppData\Local\Temp\69f4dfbd548a3086909345a80f8769b5_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\69f4dfbd548a3086909345a80f8769b5_JaffaCakes118.exe startC:\Program Files (x86)\D8549\lvvm.exe%C:\Program Files (x86)\D8549
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2B1D8\8549.B1D

Filesize
1KB

MD5
1ab5257e46a89af9707b32b36eca48f2

SHA1
d80a0b2bebcaa553639e3a72f51e875a609feaa6

SHA256
1f559759f7a5b1acd0b5f2a496110e4a43ae315f08156a9bfc31770e55e1cd5f

SHA512
333a25261714f71530f6ae4cca4ec98ed04732d007942d415e6c552df2314bb54a08d480cabec98323754468664bc63765e00f61ad3ea7d4903e3e5a973b63ce

Download Submit
C:\Users\Admin\AppData\Roaming\2B1D8\8549.B1D

Filesize
600B

MD5
19093ac2ee34f8a1d21bb26eb183b9f8

SHA1
1595a806fdff7937e00093c941c12445a71d8780

SHA256
43e21ba4ea85f4ad5c9c36185c7b496d4bc20771c0af376f1533eedb02451070

SHA512
a1aec3048b078f57a714a60798e0972298ce29648f75576959900b59f6c1eb860a213065e3e56fa3213d322c1ae6d2f21ab0dd2a7b793b12f220e32777a36911

Download Submit
C:\Users\Admin\AppData\Roaming\2B1D8\8549.B1D

Filesize
996B

MD5
8df8fc9ce1df0429dd8b2f3ce41b1163

SHA1
4618f12cb3f0ee1f6df40e3b9a68c70a44c483a2

SHA256
01a64ff6fb2e6c529f45e85695b51a70644b236a25100e11e41cd8748c581881

SHA512
19894a4abca1351238c5bae47c7f6bf94e13de4ddfb55598427c7aab253ccca9423cec7eaff7311fdbc384496342f311a2f95bbee8475c0d13051f9b55704a43

Download Submit
memory/1240-12-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1240-14-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2116-74-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2116-75-0x0000000000608000-0x000000000062D000-memory.dmp

Filesize
148KB

Download
memory/2628-3-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2628-1-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2628-76-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2628-180-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads