ef6860d992093497d74c885b7c17e390c637df00346c2420d457500fd73e7b79

General

Target

72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe
Size

172KB
MD5

72593a603eaabb54cf4fde67ac168b88
SHA1

94792dea0ca2aeb8a619c80ebed2ffcb4dd8465f
SHA256

ef6860d992093497d74c885b7c17e390c637df00346c2420d457500fd73e7b79
SHA512

d7b9fa40ccbe834758b8a5176162ad538ac820aa0a09177d38a7770b196e34956d9cfa914ea27957c1fc25052c5b00436c2a64084e481868dcb1cc6955dab757
SSDEEP

3072:bZSto+pGR5JICSEg82fXGr06p7TfS/PQ5YCjlhBYgIpYG21OlCE:aE8CSx82Oz7T93BhBYzpYzS

Score

10^/10

discovery evasion persistence spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2092-1-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1304-12-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1504-79-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2092-80-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2092-169-0x0000000000400000-0x000000000044C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\F1D.exe = "C:\\Program Files (x86)\\Internet Explorer\\D3A3\\F1D.exe"	72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\D3A3\F1D.exe	72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\D3A3\F1D.exe	72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2092	72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe
2092	72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2916	explorer.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 1304	2092	72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe	31
PID 2092 wrote to memory of 1304	2092	72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe	31
PID 2092 wrote to memory of 1304	2092	72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe	31
PID 2092 wrote to memory of 1304	2092	72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe	31
PID 2092 wrote to memory of 1504	2092	72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe	33
PID 2092 wrote to memory of 1504	2092	72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe	33
PID 2092 wrote to memory of 1504	2092	72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe	33
PID 2092 wrote to memory of 1504	2092	72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe	33

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe"
1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2092
- C:\Users\Admin\AppData\Local\Temp\72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\31714\74ED3.exe%C:\Users\Admin\AppData\Roaming\31714
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1304
- C:\Users\Admin\AppData\Local\Temp\72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\72593a603eaabb54cf4fde67ac168b88_JaffaCakes118.exe startC:\Program Files (x86)\14346\lvvm.exe%C:\Program Files (x86)\14346
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1504

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

4

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\31714\4346.171

Filesize
1KB

MD5
39068d6bb7cbb866dc7fc0df8307c3a9

SHA1
93e6aeacf2b812f69946fb79ef0ea67ed975a50b

SHA256
8d5f2e9f25ad02e642353c4d2d749a7579b61b75ea0971b1d697ac5b6fd93fc2

SHA512
c79bc31159046128bac923c3ce089afdca9740e6c44b265738b2e592c06c600084a90caa052b35998635df8f7073e322da856387bc731a88b926a8da74647bb4

Download Submit
C:\Users\Admin\AppData\Roaming\31714\4346.171

Filesize
600B

MD5
a3839d2701e0a874442f4f545613aea8

SHA1
71cfc0ba991b800a8f02c8fda6733e0754bdab36

SHA256
7e886093d5037c0d64ebb9f82dfc9f80a0e85d0c5bdf52a5554eff601a5da119

SHA512
36003b6a07f54553b24ed8614693a26e88e96f040a900c7eca8ea95c0f4dfe0636d211d5ba9bea8afb7556c623489b80bfc82c7b6ebbb338380c64993b59ee94

Download Submit
C:\Users\Admin\AppData\Roaming\31714\4346.171

Filesize
996B

MD5
3dabe4b4f381928d42b49389d274b6ac

SHA1
b728b812a2fbe858a84e7635f4f2b6171c6c6ce6

SHA256
196d53be97eb572a3bf72ae737e878f1ef244149aa009db74b7c0a1b090d52b5

SHA512
169341ed93970a36112111f5786bdd81efae6d760667524a5163b833d4b333d8cf689aa569dbd39097decc04c7466ea8f07a95d6e293d253a6e3b5b6a3c18039

Download Submit
memory/1304-12-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1304-13-0x00000000005C8000-0x00000000005E1000-memory.dmp

Filesize
100KB

Download
memory/1504-79-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2092-1-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2092-80-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2092-169-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads