5e8b23b7b147823fc733d78fc1ffd4b48eade62c4651c92160bef5c8af2c5902

General

Target

8ebb5d6d5f2dcdd33a82bc2153ba9f23_JaffaCakes118.exe
Size

175KB
MD5

8ebb5d6d5f2dcdd33a82bc2153ba9f23
SHA1

c84e0f1196dcb96871d2d06839cd07ce0fa949f0
SHA256

5e8b23b7b147823fc733d78fc1ffd4b48eade62c4651c92160bef5c8af2c5902
SHA512

2531fdfba2b85eb420b0cdbf73cc448690c56de0f0cd610da272477f3181de66ccc1b586b4792457ed37d5625a5299fc920f6f7af202d564629a20c46404e89e
SSDEEP

3072:la7TcoqnNcv2NhgLWOv9LTOedfLjH0wQm8gz2Ixf:5oqevYhgSOlTRLjHCU

Score

10^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	8ebb5d6d5f2dcdd33a82bc2153ba9f23_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1864-1-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1864-2-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2220-6-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2316-84-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1864-85-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1864-192-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1864-197-0x0000000000400000-0x000000000046A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ebb5d6d5f2dcdd33a82bc2153ba9f23_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ebb5d6d5f2dcdd33a82bc2153ba9f23_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ebb5d6d5f2dcdd33a82bc2153ba9f23_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 2220	1864	8ebb5d6d5f2dcdd33a82bc2153ba9f23_JaffaCakes118.exe	30
PID 1864 wrote to memory of 2220	1864	8ebb5d6d5f2dcdd33a82bc2153ba9f23_JaffaCakes118.exe	30
PID 1864 wrote to memory of 2220	1864	8ebb5d6d5f2dcdd33a82bc2153ba9f23_JaffaCakes118.exe	30
PID 1864 wrote to memory of 2220	1864	8ebb5d6d5f2dcdd33a82bc2153ba9f23_JaffaCakes118.exe	30
PID 1864 wrote to memory of 2316	1864	8ebb5d6d5f2dcdd33a82bc2153ba9f23_JaffaCakes118.exe	33
PID 1864 wrote to memory of 2316	1864	8ebb5d6d5f2dcdd33a82bc2153ba9f23_JaffaCakes118.exe	33
PID 1864 wrote to memory of 2316	1864	8ebb5d6d5f2dcdd33a82bc2153ba9f23_JaffaCakes118.exe	33
PID 1864 wrote to memory of 2316	1864	8ebb5d6d5f2dcdd33a82bc2153ba9f23_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\8ebb5d6d5f2dcdd33a82bc2153ba9f23_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ebb5d6d5f2dcdd33a82bc2153ba9f23_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Users\Admin\AppData\Local\Temp\8ebb5d6d5f2dcdd33a82bc2153ba9f23_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\8ebb5d6d5f2dcdd33a82bc2153ba9f23_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2220
- C:\Users\Admin\AppData\Local\Temp\8ebb5d6d5f2dcdd33a82bc2153ba9f23_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\8ebb5d6d5f2dcdd33a82bc2153ba9f23_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0516.52F

Filesize
600B

MD5
4baf34517a3d2e3466c0ef116f9ab9fd

SHA1
74801ddd10a0f255b5140a54b1ef190b41b235fa

SHA256
5c4a8000f8feab5fa0a0895857eecae5934bf80c4ccacb0ab0804f0e32721570

SHA512
f5a1c3fc68f93599d1ec7a1e0956732e06cd30f83f3ec66b5a18b1c725b4cbe64a0ddb90e02142004e9b8f22ea83356721df21178c3e0aff7538fca5479ceb4a

Download Submit
C:\Users\Admin\AppData\Roaming\0516.52F

Filesize
1KB

MD5
b819b854c256353e240fdc7a07e09df1

SHA1
74dfc185ff94530c65481ffd2b05fbee5d48e7bd

SHA256
f96baf01260b8e89f68971a79a75ac5abacfa0925b165dbff2f83fc7a2f3fb85

SHA512
009d127f27bee9c1aace03b4b4755b847fa3cb42ec2bf4b08ebe12bb2d57cda9cbd43904da8d680b242df607657e11c7cad1c1f1222feed9557e35a4e8fd7d89

Download Submit
C:\Users\Admin\AppData\Roaming\0516.52F

Filesize
996B

MD5
74819fbd570e433394ea593a95c5c960

SHA1
8c03ca31a2781bb5fb41ac618f30911b3320e744

SHA256
35d913604c1a18f43bbd0a1372a72669a60c5c19ad22b9f97ee0a8f758f751ec

SHA512
1d0523bb77475cbfb2347e02cfa46631ee31a7b29c2a115e0289095647d289de1ad69fe88555fa54880990768cfc730f84bfaff711637a0213a6be9ae31bbaad

Download Submit
memory/1864-1-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1864-2-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1864-85-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1864-192-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1864-197-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2220-6-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2220-7-0x0000000000645000-0x0000000000661000-memory.dmp

Filesize
112KB

Download
memory/2316-84-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads