9b57b215e59de5823b0ac6e9f6689c3ca6971bfa309568b4e3e9114f9112b2fc

General

Target

866c8bb63f6289832d95a8925eb07db6_JaffaCakes118.exe
Size

183KB
MD5

866c8bb63f6289832d95a8925eb07db6
SHA1

8c8c9a8fa2c8b1dbae3e104c09005b3bc5dad175
SHA256

9b57b215e59de5823b0ac6e9f6689c3ca6971bfa309568b4e3e9114f9112b2fc
SHA512

7300412d8366f9a9ebd90e2f3d67d8ff89c76e760531788b09925e513e4812a7caa746a444b7b338970e58045b9df50c95373c9a5523dc6ed3d0fc7ed702a36d
SSDEEP

3072:RwK+yDUmJIuEw1UnUYs9tJogQFAZYKlixZy6Na8MYpaSyWf8nfsemQBY+ySS0N:aK+yDUm9WUlNTQGcy6E8XaSNKssyS

Score

10^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	866c8bb63f6289832d95a8925eb07db6_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3064-1-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/1940-12-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/1940-13-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/1484-85-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/3064-87-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/1940-163-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/3064-195-0x0000000000400000-0x0000000000470000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	866c8bb63f6289832d95a8925eb07db6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	866c8bb63f6289832d95a8925eb07db6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	866c8bb63f6289832d95a8925eb07db6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 1940	3064	866c8bb63f6289832d95a8925eb07db6_JaffaCakes118.exe	28
PID 3064 wrote to memory of 1940	3064	866c8bb63f6289832d95a8925eb07db6_JaffaCakes118.exe	28
PID 3064 wrote to memory of 1940	3064	866c8bb63f6289832d95a8925eb07db6_JaffaCakes118.exe	28
PID 3064 wrote to memory of 1940	3064	866c8bb63f6289832d95a8925eb07db6_JaffaCakes118.exe	28
PID 3064 wrote to memory of 1484	3064	866c8bb63f6289832d95a8925eb07db6_JaffaCakes118.exe	32
PID 3064 wrote to memory of 1484	3064	866c8bb63f6289832d95a8925eb07db6_JaffaCakes118.exe	32
PID 3064 wrote to memory of 1484	3064	866c8bb63f6289832d95a8925eb07db6_JaffaCakes118.exe	32
PID 3064 wrote to memory of 1484	3064	866c8bb63f6289832d95a8925eb07db6_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\866c8bb63f6289832d95a8925eb07db6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\866c8bb63f6289832d95a8925eb07db6_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\866c8bb63f6289832d95a8925eb07db6_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\866c8bb63f6289832d95a8925eb07db6_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1940
- C:\Users\Admin\AppData\Local\Temp\866c8bb63f6289832d95a8925eb07db6_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\866c8bb63f6289832d95a8925eb07db6_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4BEA.2B1

Filesize
600B

MD5
0509458781af6dd58668215ca6b7cf5f

SHA1
9d8c32e3814871a1beedf2d36366af5b35424454

SHA256
87d21071ce9cf77a3941ffc90f5cb055748d785d67bc93eb22b32bbeb7c84d9e

SHA512
115fa99fcb2eaa0afeb29894d41f449ca26935178ea739d70dbeeb5bb5c6e44238feee642a7843aa59b492212e077cb3d062a43c0541ec943d57c8c9ec555d30

Download Submit
C:\Users\Admin\AppData\Roaming\4BEA.2B1

Filesize
1KB

MD5
3e2d0935abbe1356c23c42d5a0ff9291

SHA1
1e2c4e0f51c5ca358782869f4fd7589870a0feaf

SHA256
65de4df5116b6fe0df6037fde9df23467790c5c160f961063bbca62791566470

SHA512
06fecf452e207d8d9cd790ae05c67acd514cc386b9c465816415617861c969335ba70bbb386a2a13b2344bd758e7ecba2e8b1fbb5c0d34637fdff5cfd296d693

Download Submit
C:\Users\Admin\AppData\Roaming\4BEA.2B1

Filesize
996B

MD5
40bb07c351cf3c8e7df20ff83d370080

SHA1
470a994767eb09614a5c4633c0e4f47f8577a2c1

SHA256
6ca742e9203c9842820ff76f57158d7be0f8212520f97859ee5d8eba718eed7e

SHA512
3f27221eb632d22751e53956824e90f4c0ec81e83e9bfed23458b63eaa976d0a8911033c1fb535ccfca1f67f8b54da287cb1c7a41bd8af64b6a04b2bbcb0f7b5

Download Submit
memory/1484-85-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1484-86-0x0000000000627000-0x0000000000644000-memory.dmp

Filesize
116KB

Download
memory/1940-12-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1940-13-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1940-163-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3064-1-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3064-87-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3064-195-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads