dd35f274257b9910056f4e81a8c6dfab0eedefd5a7359bffd7461811184e8179

General

Target

717e6a0e38344eeb863b7b56a4751011_JaffaCakes118.exe
Size

2.0MB
MD5

717e6a0e38344eeb863b7b56a4751011
SHA1

b156929d27c48100140a7e62fc36e59688bff470
SHA256

dd35f274257b9910056f4e81a8c6dfab0eedefd5a7359bffd7461811184e8179
SHA512

3ea5128927aa03670e998809c8b2560cd8b2442a4193fa6c5d99b7e6b8b82dfafa62d1cd592c9b8fd301904fc9c1e7201b544627a3592a032bb7be909f064e3f
SSDEEP

49152:bL9FfVTCN8xT7CWFQ+jTkRlzaXdw5dCAlScSqKXs/ei:bLTVZ7CWF/jiawdZMfs/

Score

7^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2520	svchost.exe
2948	MrHackTV Modern Warfare 3 Trainer.exe

Loads dropped DLL 2 IoCs

pid	Process
3048	717e6a0e38344eeb863b7b56a4751011_JaffaCakes118.exe
2520	svchost.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3048 set thread context of 2520	3048	717e6a0e38344eeb863b7b56a4751011_JaffaCakes118.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MrHackTV Modern Warfare 3 Trainer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	717e6a0e38344eeb863b7b56a4751011_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2520	3048	717e6a0e38344eeb863b7b56a4751011_JaffaCakes118.exe	31
PID 3048 wrote to memory of 2520	3048	717e6a0e38344eeb863b7b56a4751011_JaffaCakes118.exe	31
PID 3048 wrote to memory of 2520	3048	717e6a0e38344eeb863b7b56a4751011_JaffaCakes118.exe	31
PID 3048 wrote to memory of 2520	3048	717e6a0e38344eeb863b7b56a4751011_JaffaCakes118.exe	31
PID 3048 wrote to memory of 2520	3048	717e6a0e38344eeb863b7b56a4751011_JaffaCakes118.exe	31
PID 3048 wrote to memory of 2520	3048	717e6a0e38344eeb863b7b56a4751011_JaffaCakes118.exe	31
PID 3048 wrote to memory of 2520	3048	717e6a0e38344eeb863b7b56a4751011_JaffaCakes118.exe	31
PID 3048 wrote to memory of 2520	3048	717e6a0e38344eeb863b7b56a4751011_JaffaCakes118.exe	31
PID 3048 wrote to memory of 2520	3048	717e6a0e38344eeb863b7b56a4751011_JaffaCakes118.exe	31
PID 3048 wrote to memory of 2520	3048	717e6a0e38344eeb863b7b56a4751011_JaffaCakes118.exe	31
PID 2520 wrote to memory of 2948	2520	svchost.exe	32
PID 2520 wrote to memory of 2948	2520	svchost.exe	32
PID 2520 wrote to memory of 2948	2520	svchost.exe	32
PID 2520 wrote to memory of 2948	2520	svchost.exe	32

C:\Users\Admin\AppData\Local\Temp\717e6a0e38344eeb863b7b56a4751011_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\717e6a0e38344eeb863b7b56a4751011_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Users\Admin\AppData\Roaming\MrHackTV Modern Warfare 3 Trainer.exe
    "C:\Users\Admin\AppData\Roaming\MrHackTV Modern Warfare 3 Trainer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

4

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MrHackTV Modern Warfare 3 Trainer.exe

Filesize
2.8MB

MD5
a2cfbb6e7eed9f3c095b4bfbd2eca257

SHA1
24700c88ad39bd3e99895f44c7b57bd8be3c48bc

SHA256
893b87d037fd985cbed8ce76a41a35c6467e1d2300f86a71c48bbc62d611e8e0

SHA512
2dba658ba2ec2b61ccce5c54e4f42ecd20c265fd534a668d92c9cf49d8e001eca7f4ab53da80a33e449215306051b5b1db41ee47544f47c5f7cd58033cdf2831

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/2520-9-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2520-15-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2520-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2520-8-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2520-18-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2520-20-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2520-11-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2520-10-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2520-30-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2520-12-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2948-27-0x0000000000400000-0x00000000006EB000-memory.dmp

Filesize
2.9MB

Download
memory/2948-32-0x0000000000400000-0x00000000006EB000-memory.dmp

Filesize
2.9MB

Download
memory/3048-2-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/3048-21-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/3048-1-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/3048-0-0x0000000074BB1000-0x0000000074BB2000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing