b52796f499e7b4862db4abbba605cd32cbb2581016e67ad6dcc4c4ab078d1738

General

Target

81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
Size

872KB
MD5

81c96f910922c8c0219f4a323f963972
SHA1

476f6166743fb0ac5a2d487a2cb6758d6671a0a2
SHA256

b52796f499e7b4862db4abbba605cd32cbb2581016e67ad6dcc4c4ab078d1738
SHA512

fb1fc5e6b0d1dcc85d4cc2fcacabb77b23cfe05acc22ac62801b75b8c9c17186ca41c81272376981d1a72a77d19b43696238fab74dcbbec18adaacf53802059b
SSDEEP

24576:nchRlqUeapTMr94ci4zHgDwkVYEUROSe9SPsH4++nmoJI:nONpTMuxsQV5BSe9M1++nZI

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\Hosts	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000017559-8.dat	acprotect

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000a000000018654-11.dat	aspack_v212_v242

Loads dropped DLL 3 IoCs

pid	Process
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000017559-8.dat	upx
behavioral1/memory/1768-10-0x00000000003B0000-0x00000000003F8000-memory.dmp	upx
behavioral1/memory/1768-14-0x00000000003B0000-0x00000000003F8000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\788550483772.sys	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 35 IoCs

pid	Process
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
1768	81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe1025418\com.run

Filesize
156KB

MD5
787d18f0ffa2ae840a8ba4f9c5e14f20

SHA1
2eb2eaaf084c92c856fc22865cd85738d21c1ed0

SHA256
d37256cc8b9063b483033455f6feaac0bfc5ce8a1688c4a6e167120909996bf0

SHA512
e463dc5753af02d67173da653cec984d4f870f9c5d514b82d0300878fb0fbcbde1e4c65bea50031f4fe2d8146684d900d6defbfcbcaf0772a8c990e46e5b82ef

Download Submit
\Users\Admin\AppData\Local\Temp\81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe1025418\iext.fnr

Filesize
80KB

MD5
b8546d0c3a88077599a4c52eca3d5a97

SHA1
1470a09a892f798b75c10c0b165bd3e65ea432f8

SHA256
c0d69587de55c79f0f4ea69e9fa62d35fb595a3fda406ed243035c5639158816

SHA512
70fb099df16f3575604c4114e48ac54a8ec9ebd7b6008b7f5411b3b3a77ed6847c703a1fd0d00b145c3f41d7529e08ebd37791b261f2cd6aaaa51db21d121b07

Download Submit
\Users\Admin\AppData\Local\Temp\81c96f910922c8c0219f4a323f963972_JaffaCakes118.exe1025418\krnln.fnr

Filesize
365KB

MD5
ccb605b79a83cb1d2e2cfb94c49633b1

SHA1
c531ed3a55c1a3ea3630e669aac448f1efb8f82c

SHA256
beabb1a2bfbd2691bb94d9cad3a797080e473f7fbd9004a19d8cd14e23afb915

SHA512
78d9bff0b2724a16c9c299152bc792c761d876dc7b17f3a4961106da0ed0f2c52a2455d7227a4894d5f4c527be0c7cf1226bc70a427be18e91f57ad6cd5051c2

Download Submit
memory/1768-13-0x00000000005B0000-0x0000000000600000-memory.dmp

Filesize
320KB

Download
memory/1768-5-0x0000000000400000-0x00000000004E44A9-memory.dmp

Filesize
913KB

Download
memory/1768-10-0x00000000003B0000-0x00000000003F8000-memory.dmp

Filesize
288KB

Download
memory/1768-6-0x0000000000401000-0x0000000000497000-memory.dmp

Filesize
600KB

Download
memory/1768-7-0x0000000010000000-0x00000000101B4000-memory.dmp

Filesize
1.7MB

Download
memory/1768-15-0x00000000005B0000-0x0000000000600000-memory.dmp

Filesize
320KB

Download
memory/1768-14-0x00000000003B0000-0x00000000003F8000-memory.dmp

Filesize
288KB

Download
memory/1768-16-0x0000000000400000-0x00000000004E44A9-memory.dmp

Filesize
913KB

Download
memory/1768-17-0x0000000000401000-0x0000000000497000-memory.dmp

Filesize
600KB

Download
memory/1768-18-0x0000000010000000-0x00000000101B4000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing