e2611e59bdbe1d8ad65ff0a65888a72a2793bfe1c3f06e0643c8c74bd980b36b

General

Target

85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe
Size

1.2MB
MD5

85cfa171acd737a81dd41e820b0568b5
SHA1

963c7d7de8189801add7d1865c43ccec0f1f75bd
SHA256

e2611e59bdbe1d8ad65ff0a65888a72a2793bfe1c3f06e0643c8c74bd980b36b
SHA512

0f5ddba20cb7997115dc15e696f16fb761fd8e20d3f22a96bf6e579e46532a15b26d72a566edfe4f290e399f72998bb454468cb52fca6455bc61e64e41a64199
SSDEEP

24576:kpQN0dUo06gV4WOUGMWpsbGESKeRXlTzcSD0U4HCicHq5NO3sXJK1xrU:kw0n06ySpsbGVT0xHzLi3sXJEpU

Score

7^/10

credential_access discovery spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
6104	sockschain_setup.exe
6192	setup.exe

Loads dropped DLL 11 IoCs

pid	Process
6004	85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe
6104	sockschain_setup.exe
6104	sockschain_setup.exe
6104	sockschain_setup.exe
6104	sockschain_setup.exe
6192	setup.exe
6192	setup.exe
6192	setup.exe
6192	setup.exe
6192	setup.exe
6192	setup.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0004000000017801-122998.dat	upx
behavioral1/memory/6004-123000-0x0000000002280000-0x000000000228E000-memory.dmp	upx
behavioral1/memory/6104-123048-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2928 set thread context of 6004	2928	85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sockschain_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6192	setup.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	6192	setup.exe
Token: SeRestorePrivilege	6192	setup.exe
Token: SeRestorePrivilege	6192	setup.exe
Token: SeRestorePrivilege	6192	setup.exe
Token: SeRestorePrivilege	6192	setup.exe
Token: SeRestorePrivilege	6192	setup.exe
Token: SeRestorePrivilege	6192	setup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6192	setup.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 6004	2928	85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe	29
PID 2928 wrote to memory of 6004	2928	85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe	29
PID 2928 wrote to memory of 6004	2928	85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe	29
PID 2928 wrote to memory of 6004	2928	85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe	29
PID 2928 wrote to memory of 6004	2928	85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe	29
PID 2928 wrote to memory of 6004	2928	85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe	29
PID 2928 wrote to memory of 6004	2928	85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe	29
PID 2928 wrote to memory of 6004	2928	85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe	29
PID 2928 wrote to memory of 6004	2928	85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe	29
PID 2928 wrote to memory of 6004	2928	85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe	29
PID 6004 wrote to memory of 6104	6004	85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe	30
PID 6004 wrote to memory of 6104	6004	85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe	30
PID 6004 wrote to memory of 6104	6004	85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe	30
PID 6004 wrote to memory of 6104	6004	85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe	30
PID 6004 wrote to memory of 6104	6004	85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe	30
PID 6004 wrote to memory of 6104	6004	85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe	30
PID 6004 wrote to memory of 6104	6004	85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe	30
PID 6104 wrote to memory of 6192	6104	sockschain_setup.exe	31
PID 6104 wrote to memory of 6192	6104	sockschain_setup.exe	31
PID 6104 wrote to memory of 6192	6104	sockschain_setup.exe	31
PID 6104 wrote to memory of 6192	6104	sockschain_setup.exe	31
PID 6104 wrote to memory of 6192	6104	sockschain_setup.exe	31
PID 6104 wrote to memory of 6192	6104	sockschain_setup.exe	31
PID 6104 wrote to memory of 6192	6104	sockschain_setup.exe	31

C:\Users\Admin\AppData\Local\Temp\85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Local\Temp\85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\85cfa171acd737a81dd41e820b0568b5_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6004
- - C:\Users\Admin\AppData\Roaming\sockschain_setup.exe
    "C:\Users\Admin\AppData\Roaming\sockschain_setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:6104
  - - C:\Users\Admin\AppData\Local\Temp\cab4BDF.tmp\setup.exe
      C:\Users\Admin\AppData\Local\Temp\cab4BDF.tmp\setup.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:6192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

4

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cab4BDF.tmp\SocksChain.exe

Filesize
373KB

MD5
62b918b33d9d746e0314c6d4568ae6b3

SHA1
4980c93ff5f3741f005138e1f3f057d357b0d256

SHA256
619e0db150cfd60c3b17346f7ee0830b48d1e826fd885432f3bdd92e81a91e40

SHA512
0dba83fbe1a00b5d490d2207de156277e1cd47fbf25ccb716ef6ea6733dc88ed1b40b187fc84aa1cd9f9792017c2267d1634d89540d35e0cb587dbd9844fcc9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab4BDF.tmp\license.txt

Filesize
2KB

MD5
c255f36cb1185519bacb3a7ea3dfe6cd

SHA1
dc371fa0a905b28fca66622df9fe4dc0e98c422f

SHA256
ce6505daa3ecf27dd4a27cae25bd849bbcfca1d6e762d944d724408155944c2c

SHA512
f3dc821a6251c6a1cc4ac1ed1e912599810d2305658b47bc1e9737b912317986d04ac99e3acf6d31438758782a3c0122f20fa371e463e9ef41ee347acd05de3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab4BDF.tmp\setup.inf

Filesize
1KB

MD5
1eeddda140ea3cb83c950d7b37a2f806

SHA1
e8c15cfeab5e59bf8f1727b73dd06ba5143ca050

SHA256
1b14d4734dd78b593c7bfeb4a387d591b37c609c339c2254c41fd4a17fcf9b65

SHA512
87f2452c9376018497469945f715f5989e031f1e404bf6bafe13421f3451004d11ac3c1f280ec086634bfbc1f686940f940a41bf1d036e8d16995f8f544fcb94

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab4BDF.tmp\usft_ext.dll

Filesize
350KB

MD5
e7c79ecfaaa51cb28fb1bd2a586af56d

SHA1
e744bb161d93a98c40ca6c57df5201ad37ce0a7b

SHA256
33e607fd69a05aa47f9055e3037ddcac187ca321b01a4b9f0c43e78f09741be7

SHA512
50b5e05f54b67bf1e21935c61afe41373c9ed87c93995c88fc6d95a6d87d6cab04e0d1aeeb79b288ce8b383bf56e09a9f4951e7b8e5089d2a99d544379b3429e

Download Submit
\Users\Admin\AppData\Local\Temp\cab4BDF.tmp\setup.exe

Filesize
42KB

MD5
e4ad19089972fa87d4c31db615272c7d

SHA1
b5c58cdc4aa48df4110ec9d689caa552aa4ec440

SHA256
533a4b61c2beca9ffdac67b5c413a708588da1d8005f2669b85274d3c04998a8

SHA512
42e1b38003147d7dcfeac4e5f6de5f7936723ae255172d4e3aaa41b6ad4a2f82d58b98bb004382c1643dbedc2a72f95fc5765b6037acccf24a96146177707c67

Download Submit
\Users\Admin\AppData\Roaming\sockschain_setup.exe

Filesize
859KB

MD5
7376723ad60c74148a4b3cdae8da8285

SHA1
5434c26cfb482c18c0df506ebcf1c4144c0ef87d

SHA256
0e3ea523bfedff21c8a5a3531716dc3c6e7a38b522e862e62dfee49cac322835

SHA512
7e1566351dcd9b9f4a22f3cecfdb25e7b51061ec8049304f8bc79d27f556e6126f5248a6694353fbaf9e4711278650c747873b5de3fd654883075535f6592f61

Download Submit
memory/2928-60-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-30-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-18-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-26-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-28-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-32-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-40-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-46-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-48-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-50-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-52-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-54-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-56-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-58-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-0-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-62-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-22-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-20-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-34-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-36-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-38-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-42-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-44-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-24-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-2-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-4-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-6-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-16-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/2928-14-0x0000000000530000-0x0000000000666000-memory.dmp

Filesize
1.2MB

Download
memory/6004-123000-0x0000000002280000-0x000000000228E000-memory.dmp

Filesize
56KB

Download
memory/6104-123011-0x0000000000020000-0x000000000002E000-memory.dmp

Filesize
56KB

Download
memory/6104-123012-0x0000000000020000-0x000000000002E000-memory.dmp

Filesize
56KB

Download
memory/6104-123048-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/6104-123049-0x0000000000020000-0x000000000002E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing