af51e4baf2ea2eb1a4ee2cc43ae90a7f0e677d5d800aac137cd450ff8c24c64c

General

Target

8693659ca36156b5201f4bfa9496be28_JaffaCakes118.exe
Size

192KB
MD5

8693659ca36156b5201f4bfa9496be28
SHA1

56985e2b4076ae24a158185c9aaf0e078b996081
SHA256

af51e4baf2ea2eb1a4ee2cc43ae90a7f0e677d5d800aac137cd450ff8c24c64c
SHA512

3d43093d05d30606dc416b2894c7b8684f6f2bd91c3ec3c9251d415f24e72b2a0c8345ed70bd964cd7f4b0cdafef09803ddb8c10235c4f52ae6260181fca638d
SSDEEP

3072:fLtDELuYIvlaFahQaPVXkB4kpqMCgqAPlIAm0KbQDI1Bih+ZaFxZip6meDGU:fq4l2ahQAVfk8hgqAN9sDBiXxG+G

Score

10^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	8693659ca36156b5201f4bfa9496be28_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2372-2-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2516-12-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2052-72-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2372-73-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2372-193-0x0000000000400000-0x0000000000470000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8693659ca36156b5201f4bfa9496be28_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2516	2372	8693659ca36156b5201f4bfa9496be28_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2516	2372	8693659ca36156b5201f4bfa9496be28_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2516	2372	8693659ca36156b5201f4bfa9496be28_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2516	2372	8693659ca36156b5201f4bfa9496be28_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2052	2372	8693659ca36156b5201f4bfa9496be28_JaffaCakes118.exe	33
PID 2372 wrote to memory of 2052	2372	8693659ca36156b5201f4bfa9496be28_JaffaCakes118.exe	33
PID 2372 wrote to memory of 2052	2372	8693659ca36156b5201f4bfa9496be28_JaffaCakes118.exe	33
PID 2372 wrote to memory of 2052	2372	8693659ca36156b5201f4bfa9496be28_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\8693659ca36156b5201f4bfa9496be28_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8693659ca36156b5201f4bfa9496be28_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\8693659ca36156b5201f4bfa9496be28_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\8693659ca36156b5201f4bfa9496be28_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2516
- C:\Users\Admin\AppData\Local\Temp\8693659ca36156b5201f4bfa9496be28_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\8693659ca36156b5201f4bfa9496be28_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\237B.7F5

Filesize
600B

MD5
fff6581996fe8e37f1328101986f78c1

SHA1
f407e48f14ddbe5917b4bf263b2832e18c0d411a

SHA256
0624914fe9e6eacbd6e9ca8ea412492eef0679ce7a048fb49d8f1d3b74e014a6

SHA512
3953d055e34845fd7cdba0bce5e66bc4ab453e32b4d890f1eb4331fe3cf13bc002ed1318b8fd243c160e07ffebaf47e981a35086db06bd31520c1e7cdb7973e9

Download Submit
C:\Users\Admin\AppData\Roaming\237B.7F5

Filesize
1KB

MD5
810841b992fe26b2863ddabe9bfafd65

SHA1
ee63739646026ee1b006260d818930419616a206

SHA256
25f52dbd86bb259db044254900bbc28de157aa4fe51d157f096f6593fa12ee0c

SHA512
3e8745a81c648e41776709e960590566376a4840b0b1621673606817fdab32fcadc445bdbc1462ead56565c928f72a63761153478577a61cbd9c15ca1fc77977

Download Submit
C:\Users\Admin\AppData\Roaming\237B.7F5

Filesize
996B

MD5
6d4d400016377e450a449db9d0760474

SHA1
b867366156d913faa7aa25182c840b6fdeb37797

SHA256
99cfa8697d2437433c22258b2c541c31a8507ae015e347eceb465199027789cc

SHA512
24f81098c1aed8208906f945dbb25771800752cea678b3a87ff07e346778c6e25b34debeb1808f1cd8123caa3f60af05e5bf9258cd026b561bf78ec41e77d6cf

Download Submit
memory/2052-72-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2372-2-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2372-73-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2372-193-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2516-12-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2516-13-0x0000000000635000-0x0000000000654000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads