96cbbade7c61a7b82ac69319f4a5b8e6ae0d25be77ba06ed7566c23dfe838fda

General

Target

7016a5dd34838886960b207f7038d97c_JaffaCakes118.exe
Size

176KB
MD5

7016a5dd34838886960b207f7038d97c
SHA1

4d125a66cd0c0fc664c907804ad81085bf1b3ca7
SHA256

96cbbade7c61a7b82ac69319f4a5b8e6ae0d25be77ba06ed7566c23dfe838fda
SHA512

e8d18ab758e7f01141726448efae26185d2de754659e330d014eb8addcb48e395b5a920805493b7f902eaedd08ce07e3c349711b0674a4f366d1df9bcbbb5199
SSDEEP

3072:5rdRYWJC5+Ww92ua2qrGz0Dquz8iyzG3+vN6xWZatiSRcXkzTrU:9d7Slw92uarjDq683G3+4WcR+kz

Score

10^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	7016a5dd34838886960b207f7038d97c_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2560-2-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2036-18-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2560-80-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/952-81-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2560-193-0x0000000000400000-0x000000000046E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7016a5dd34838886960b207f7038d97c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7016a5dd34838886960b207f7038d97c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7016a5dd34838886960b207f7038d97c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2036	2560	7016a5dd34838886960b207f7038d97c_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2036	2560	7016a5dd34838886960b207f7038d97c_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2036	2560	7016a5dd34838886960b207f7038d97c_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2036	2560	7016a5dd34838886960b207f7038d97c_JaffaCakes118.exe	30
PID 2560 wrote to memory of 952	2560	7016a5dd34838886960b207f7038d97c_JaffaCakes118.exe	32
PID 2560 wrote to memory of 952	2560	7016a5dd34838886960b207f7038d97c_JaffaCakes118.exe	32
PID 2560 wrote to memory of 952	2560	7016a5dd34838886960b207f7038d97c_JaffaCakes118.exe	32
PID 2560 wrote to memory of 952	2560	7016a5dd34838886960b207f7038d97c_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\7016a5dd34838886960b207f7038d97c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7016a5dd34838886960b207f7038d97c_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Local\Temp\7016a5dd34838886960b207f7038d97c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\7016a5dd34838886960b207f7038d97c_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\7016a5dd34838886960b207f7038d97c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\7016a5dd34838886960b207f7038d97c_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7176.169

Filesize
1KB

MD5
5cf82fede5cc1fad80588afdce3650f0

SHA1
bb0ebf954114336bc9e2d130a7e8307e3e5589ac

SHA256
bda383a31c70c021e1b6e500fa2bf1eba1a9570efbd2b83c400c7496eaeb4644

SHA512
37dda5d1f11d3199b84d4aa2888d966e3e96aaa974dadd95a7fef1fd8bad9d57153d05c5c70a3d39659c88696efc1f5dc17b71a0989db2b142ea09fee4e0dfc9

Download Submit
C:\Users\Admin\AppData\Roaming\7176.169

Filesize
897B

MD5
25eafb6ef9802a825667f2897bd42eee

SHA1
2ccc76a6af585ad00417e2dc37332676868982e9

SHA256
1e75f17c2dc26626ef7182cb1cc1c4a1e1eaedbdfc7035ff37e3d845ca0010bb

SHA512
9caf4893da99ddbc09eb9600203f585e9a900d2068654e71dc221cc846197e670cfab3d5e8ac5e78b38873df90aa96e90a48197e43abdbbc20f192c9c746ab27

Download Submit
C:\Users\Admin\AppData\Roaming\7176.169

Filesize
1KB

MD5
1e3fc149ea595c8a645ebd8c9195f09f

SHA1
2123d7f1916bac31d70e970ddf4d6c9193e45114

SHA256
7a39e64b84b5e4c28945c6d669b66dd72b180d185417856693bafba4b445111a

SHA512
1e12a3499c031a9dfaa65e5bf61cfa690a18070f013407d5565ed6b023df86998752597b33c5261c6d3d395d4a7759b7a9b957fa3c4fc94674d0e2ae46b62950

Download Submit
C:\Users\Admin\AppData\Roaming\7176.169

Filesize
597B

MD5
3b66630c09afe205c3a67f026f8b3bae

SHA1
d598379e6b7b08aac3c7702b40f787fa7348da23

SHA256
74f66799db9f2aec789746b33aa104f890ea5bd7749eeb5c3c17a256e418dea3

SHA512
4515ef1db3e047f3b5f5d6ec6a7caaece6f3b8ab6a8929689e29b6653a64ec4e1c50c05f74a4ca8b36411a3488d923ab5621f5f5929689467ef51eb7622d63df

Download Submit
memory/952-82-0x000000000033A000-0x0000000000353000-memory.dmp

Filesize
100KB

Download
memory/952-81-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2036-18-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2036-17-0x000000000061A000-0x0000000000633000-memory.dmp

Filesize
100KB

Download
memory/2560-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2560-80-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2560-193-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads