86c6945de0ca2c06f4eda98016b3ae6d8e3e60d89be6c8925470398b5695d4c2

General

Target

84b350883656a8fa8e0a70a9d32131d8_JaffaCakes118.exe
Size

174KB
MD5

84b350883656a8fa8e0a70a9d32131d8
SHA1

c029735b207bcf23cc1cd5095c947c6ddfe806f3
SHA256

86c6945de0ca2c06f4eda98016b3ae6d8e3e60d89be6c8925470398b5695d4c2
SHA512

a60af788592424a22c1e44eaabedd45f4e8ca6458f454e484a1f2239fc87d022f9c810e41f31b7442d62bd4e6a6ac5a934f1adefcc77ad6cb72aaa5b1d7b2fbc
SSDEEP

3072:as71quzfQaEkWfMrdV+hgcnnzqhsMLX5R4q/jZHiUubthYI4Kqfugm:f7nTQ3jErdggcnzchX5Sx5hYlcgm

Score

10^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	84b350883656a8fa8e0a70a9d32131d8_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2084-1-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2388-12-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/3008-74-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2084-76-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2084-169-0x0000000000400000-0x000000000046C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84b350883656a8fa8e0a70a9d32131d8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84b350883656a8fa8e0a70a9d32131d8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84b350883656a8fa8e0a70a9d32131d8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2388	2084	84b350883656a8fa8e0a70a9d32131d8_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2388	2084	84b350883656a8fa8e0a70a9d32131d8_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2388	2084	84b350883656a8fa8e0a70a9d32131d8_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2388	2084	84b350883656a8fa8e0a70a9d32131d8_JaffaCakes118.exe	30
PID 2084 wrote to memory of 3008	2084	84b350883656a8fa8e0a70a9d32131d8_JaffaCakes118.exe	32
PID 2084 wrote to memory of 3008	2084	84b350883656a8fa8e0a70a9d32131d8_JaffaCakes118.exe	32
PID 2084 wrote to memory of 3008	2084	84b350883656a8fa8e0a70a9d32131d8_JaffaCakes118.exe	32
PID 2084 wrote to memory of 3008	2084	84b350883656a8fa8e0a70a9d32131d8_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\84b350883656a8fa8e0a70a9d32131d8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\84b350883656a8fa8e0a70a9d32131d8_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\84b350883656a8fa8e0a70a9d32131d8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\84b350883656a8fa8e0a70a9d32131d8_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2388
- C:\Users\Admin\AppData\Local\Temp\84b350883656a8fa8e0a70a9d32131d8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\84b350883656a8fa8e0a70a9d32131d8_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7FA6.B96

Filesize
600B

MD5
6deae37e9873a279d54202464690645f

SHA1
6f796f16ae34a788f07e000360e5ed7c8a4e07f3

SHA256
d992c452452e577ebfeedc07055b278f7c8d09851070741d34a2e17905dc4880

SHA512
b5006b4e44c4fde746adfa5afc911c7a4f849e416dfe6aab159746415e5e3e12ad236b2f61b5f2c7123fdc49507c0921f4fae758a7a7fafb255650dfa1af65a4

Download Submit
C:\Users\Admin\AppData\Roaming\7FA6.B96

Filesize
1KB

MD5
d7ed458c6860c5e0be1cf79749199dd4

SHA1
a9f499dc12e1a7c87a22b21716db41551cb3acea

SHA256
eee585818031c309d5c3bfc241411342fd1fcb9e22a75cf527dd390d521913c3

SHA512
caf9a59c989700ac83dd62b554c61e1ef97505e87c9260ddd8a47b88901397643622781ddcfa73ca5211e66ef69c78bbd4e5ae6b10ad9e6dfb557838980b227d

Download Submit
C:\Users\Admin\AppData\Roaming\7FA6.B96

Filesize
996B

MD5
10441276fb64b4ef01cd86d1a26e4692

SHA1
a12a19bd28cedf0f92d6346824f4d841282084e7

SHA256
9a53ff3fe367a61a5d48665b5d89cbdd7275d60f41b0b4d1ca85decbdeef9710

SHA512
b01cd691ef69ebdbee058d6e5cc6e400b7f6951a6cbcede98437c75b07eaf3ec95cd47573824be83507754d79e328b8e87c12f9b76ecdcfbea971a88b276d9c2

Download Submit
memory/2084-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2084-76-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2084-169-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2388-12-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3008-74-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3008-75-0x0000000000916000-0x0000000000930000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads