e0c7d9266704b8c025a245954c2461e3bece5f135ddc7e720262ca75093b3bff

General

Target

713a30034cb5e0e02e5c31b6518c35b5_JaffaCakes118.exe
Size

160KB
MD5

713a30034cb5e0e02e5c31b6518c35b5
SHA1

31c678958e11abc832622206b11638592398ba06
SHA256

e0c7d9266704b8c025a245954c2461e3bece5f135ddc7e720262ca75093b3bff
SHA512

8feb5952656f24c32870eb4da240f86452e036393aade341f77704c4cb129c22006f72fbdfde79fa3c1bc1acc704956745753519b97acf3a69870fba8f40c2e4
SSDEEP

3072:mQ5M+z7y60Z9Z0uUczAAF8J0Hv87y8E0QaA6Rubdk0ISjEimQgGnD6/6sOEWih:mQW+CNZ0tcz3cN5FRcjIfimQgydsOQh

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2112-2-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2372-4-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2372-5-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2372-7-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2112-14-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1476-75-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2112-77-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2112-164-0x0000000000400000-0x000000000043C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	713a30034cb5e0e02e5c31b6518c35b5_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	713a30034cb5e0e02e5c31b6518c35b5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	713a30034cb5e0e02e5c31b6518c35b5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	713a30034cb5e0e02e5c31b6518c35b5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2372	2112	713a30034cb5e0e02e5c31b6518c35b5_JaffaCakes118.exe	29
PID 2112 wrote to memory of 2372	2112	713a30034cb5e0e02e5c31b6518c35b5_JaffaCakes118.exe	29
PID 2112 wrote to memory of 2372	2112	713a30034cb5e0e02e5c31b6518c35b5_JaffaCakes118.exe	29
PID 2112 wrote to memory of 2372	2112	713a30034cb5e0e02e5c31b6518c35b5_JaffaCakes118.exe	29
PID 2112 wrote to memory of 1476	2112	713a30034cb5e0e02e5c31b6518c35b5_JaffaCakes118.exe	31
PID 2112 wrote to memory of 1476	2112	713a30034cb5e0e02e5c31b6518c35b5_JaffaCakes118.exe	31
PID 2112 wrote to memory of 1476	2112	713a30034cb5e0e02e5c31b6518c35b5_JaffaCakes118.exe	31
PID 2112 wrote to memory of 1476	2112	713a30034cb5e0e02e5c31b6518c35b5_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\713a30034cb5e0e02e5c31b6518c35b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\713a30034cb5e0e02e5c31b6518c35b5_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\713a30034cb5e0e02e5c31b6518c35b5_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\713a30034cb5e0e02e5c31b6518c35b5_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2372
- C:\Users\Admin\AppData\Local\Temp\713a30034cb5e0e02e5c31b6518c35b5_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\713a30034cb5e0e02e5c31b6518c35b5_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\9868.313

Filesize
1KB

MD5
c5c3ed56423a6d36db3512aa6b7aecfb

SHA1
c65084bb06fb69d8c88a5a190fd4f9b1f28dc1ab

SHA256
bc50976133150f3ceb1aa635476dc1a85366afbf937527fc625dd44674d58d81

SHA512
bef0b0b45db0366ab317bb2a418fe4fa216fac050a2ba55579c0922e18191fac6edffdd724930df80c5311c9b6076474c0d7729f97646bc24fe37610fe440272

Download Submit
C:\Users\Admin\AppData\Roaming\9868.313

Filesize
600B

MD5
e1d3428135d863c526820c7e3d506109

SHA1
f6269dacb2e7819de38b175ead9c851d398ce258

SHA256
dc3c67dd33857af85688b8a073ddf22cede209e8f5bab6caf5ca2d79ad2a6a6f

SHA512
3acae232d1371b9220e250c96dccbb71f8e8aaf17fff40415378ff7802fa53fb05d377c129c914a58499566fb7b0608fee25d241752f927cddc91cfe13a991c8

Download Submit
C:\Users\Admin\AppData\Roaming\9868.313

Filesize
996B

MD5
4ce6f6e2c72dfd2af7889518dfa4fa8e

SHA1
796ede545103ec726b5b8cef6ce3d225ce1bddec

SHA256
9fbc25cb5d8123c18f1ae210a320944cc2ae49b5fad05385647a0c8f9269a346

SHA512
88055f14b44492d436d652487db058d7a2a2cd43d17234bd7d49936910fafba3e52c74747fe52b26eee9522208ff369d02d070c18830fd4bb542e15ad94fabd0

Download Submit
memory/1476-75-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1476-76-0x0000000000604000-0x0000000000626000-memory.dmp

Filesize
136KB

Download
memory/2112-2-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2112-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2112-77-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2112-164-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2372-4-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2372-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2372-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads