8361b0d803cadbec4c2244e9298f30a9ebe611e86df3f1fb6898726c2beefd12

General

Target

7537a43b8f9cce1e0d3543d6096a2632_JaffaCakes118.exe
Size

177KB
MD5

7537a43b8f9cce1e0d3543d6096a2632
SHA1

d4c7171257af5a23a4af25029e1b157d1a1ecbee
SHA256

8361b0d803cadbec4c2244e9298f30a9ebe611e86df3f1fb6898726c2beefd12
SHA512

2f4f5db2dec892ec2507fa641e933726d14ca2b8015b8458d7e5de855dfa7cbe2e956256691063e599bc7fb4af7b595a8d366098c33f7f641d708cd2383ac096
SSDEEP

3072:/mTumYf69yfyRkooAVR+JfTLHrtDdzig8zCdQ27tT9rpjVd:sQVdoofP5p6zKQ27tTjJd

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1724-1-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1772-11-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1724-74-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1596-76-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1596-75-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1724-169-0x0000000000400000-0x000000000044B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	7537a43b8f9cce1e0d3543d6096a2632_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7537a43b8f9cce1e0d3543d6096a2632_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7537a43b8f9cce1e0d3543d6096a2632_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7537a43b8f9cce1e0d3543d6096a2632_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1772	1724	7537a43b8f9cce1e0d3543d6096a2632_JaffaCakes118.exe	30
PID 1724 wrote to memory of 1772	1724	7537a43b8f9cce1e0d3543d6096a2632_JaffaCakes118.exe	30
PID 1724 wrote to memory of 1772	1724	7537a43b8f9cce1e0d3543d6096a2632_JaffaCakes118.exe	30
PID 1724 wrote to memory of 1772	1724	7537a43b8f9cce1e0d3543d6096a2632_JaffaCakes118.exe	30
PID 1724 wrote to memory of 1596	1724	7537a43b8f9cce1e0d3543d6096a2632_JaffaCakes118.exe	32
PID 1724 wrote to memory of 1596	1724	7537a43b8f9cce1e0d3543d6096a2632_JaffaCakes118.exe	32
PID 1724 wrote to memory of 1596	1724	7537a43b8f9cce1e0d3543d6096a2632_JaffaCakes118.exe	32
PID 1724 wrote to memory of 1596	1724	7537a43b8f9cce1e0d3543d6096a2632_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\7537a43b8f9cce1e0d3543d6096a2632_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7537a43b8f9cce1e0d3543d6096a2632_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\7537a43b8f9cce1e0d3543d6096a2632_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\7537a43b8f9cce1e0d3543d6096a2632_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1772
- C:\Users\Admin\AppData\Local\Temp\7537a43b8f9cce1e0d3543d6096a2632_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\7537a43b8f9cce1e0d3543d6096a2632_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B170.256

Filesize
600B

MD5
33bf91788b334b9f422f7ebecfa70e47

SHA1
0edeb8dc909d3297d62271fea43f1af613e1c38d

SHA256
235ec61aa9d9f36f47e5d3a1dd8c7cd008a0a1faafe8a404a13e1f08f24b0567

SHA512
0d742b074a373a496f04efd9d268d93b646977d78cca425e159903a758efad7b3d825282570baf4dac43757d9c173a1e3649c3ab539e99d6cbaba623fff55740

Download Submit
C:\Users\Admin\AppData\Roaming\B170.256

Filesize
1KB

MD5
81b37505e828212fe72257fb2fe326b0

SHA1
96fc70e8d00b71eb91ec05c1602564b6becc48b7

SHA256
c7492d092d878d20a2e4dead701a2fb64ded45c69afa39c723bd73e9200731ca

SHA512
cb26b9aa1bd90cdf3f6bccd1ccec65ecf59ddf328ec5426c63c94c5b49098047dc719f67d8f9f27ae19d942a2520b40cb839545cd828a0250a30e96836cca007

Download Submit
C:\Users\Admin\AppData\Roaming\B170.256

Filesize
996B

MD5
d5cb6836f1b303f324ef97634724cdf0

SHA1
34483f52367a66e0d7a2601e2f9dd0c9d4d1c9e3

SHA256
d315531d037a1245f6ab4fd6a82a1e7afb5092adce4bf2b1b983a9dd6e212cc2

SHA512
9ed45a7eaf0ccf490110bc31bcadd21e5dce15bb5cdfbfe954e3da3d842c268c847159cff5f9f3d135659c69cb5824e43b63826c730bff01f28f858a8714c8de

Download Submit
memory/1596-76-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1596-75-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1724-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1724-74-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1724-169-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1772-11-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1772-12-0x0000000000578000-0x0000000000594000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads