ef723724652c009262a5157274318e530cfcdcc0018c503c7d19bf0244fd3739

General

Target

a5cbf195c59de1dcf5bab1df754597e7_JaffaCakes118.exe
Size

169KB
MD5

a5cbf195c59de1dcf5bab1df754597e7
SHA1

837efed6876fc069c0afd60f7abfe67faf92c620
SHA256

ef723724652c009262a5157274318e530cfcdcc0018c503c7d19bf0244fd3739
SHA512

e94ea114392f9139d065076fcb80822d86f0416757a41989f8d095ddf153850039198773b18fb56c234840603ce8c6c19c89a8cd8e8ffda88067594c3bc1be58
SSDEEP

3072:hvTystzwmp8wFxuw+O8lnUIpAKuMP5QSIrrHJOVtZM32ZM7qymS4ZS4qTnVJX/CO:5zxawFIp1cKZQSqrHCY2ZuqEklqTnV

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2752-2-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2876-6-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2876-7-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2752-14-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2820-80-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2752-81-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2752-176-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2752-213-0x0000000000400000-0x000000000043E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	a5cbf195c59de1dcf5bab1df754597e7_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5cbf195c59de1dcf5bab1df754597e7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5cbf195c59de1dcf5bab1df754597e7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5cbf195c59de1dcf5bab1df754597e7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2876	2752	a5cbf195c59de1dcf5bab1df754597e7_JaffaCakes118.exe	30
PID 2752 wrote to memory of 2876	2752	a5cbf195c59de1dcf5bab1df754597e7_JaffaCakes118.exe	30
PID 2752 wrote to memory of 2876	2752	a5cbf195c59de1dcf5bab1df754597e7_JaffaCakes118.exe	30
PID 2752 wrote to memory of 2876	2752	a5cbf195c59de1dcf5bab1df754597e7_JaffaCakes118.exe	30
PID 2752 wrote to memory of 2820	2752	a5cbf195c59de1dcf5bab1df754597e7_JaffaCakes118.exe	32
PID 2752 wrote to memory of 2820	2752	a5cbf195c59de1dcf5bab1df754597e7_JaffaCakes118.exe	32
PID 2752 wrote to memory of 2820	2752	a5cbf195c59de1dcf5bab1df754597e7_JaffaCakes118.exe	32
PID 2752 wrote to memory of 2820	2752	a5cbf195c59de1dcf5bab1df754597e7_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\a5cbf195c59de1dcf5bab1df754597e7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a5cbf195c59de1dcf5bab1df754597e7_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\AppData\Local\Temp\a5cbf195c59de1dcf5bab1df754597e7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\a5cbf195c59de1dcf5bab1df754597e7_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2876
- C:\Users\Admin\AppData\Local\Temp\a5cbf195c59de1dcf5bab1df754597e7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\a5cbf195c59de1dcf5bab1df754597e7_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\41E1.9F6

Filesize
1KB

MD5
a61bed0312cc1797e14c1ef147465f19

SHA1
341db3eedd7721d20b78b3d642c01dd5a5bcfadc

SHA256
c42a9be2fbb8b31033a05d46d538759345fff6eb738487a7bb35551661d34c8e

SHA512
8953d707ac9a86b4987f2d3ecaf2ef28b54f353008348c9835c961e2df8992f1339449abf168ec42c01a226023ff74fd30258d56291f66140089ad8cd32fc15d

Download Submit
C:\Users\Admin\AppData\Roaming\41E1.9F6

Filesize
600B

MD5
760e7236ebd5735184a4bb648a2016d0

SHA1
06f013f1dac3a444a0810b067c9a17d002f8ebf9

SHA256
0fc587f035c0ca26a1b541cc388c96f4a663670b3e8a78c4a70220d999c1d14e

SHA512
9520b98e6bf5268f4477341ee569cfb13d368b26f7819869a97a8e6ede9abf387f694f1bc4d91010d27c42a14ca50486998ff38e0f852ee0d930240da0987099

Download Submit
C:\Users\Admin\AppData\Roaming\41E1.9F6

Filesize
996B

MD5
250a5ffdcc318ec0264492ba239586ea

SHA1
95eee18926d7c958cd825dbd6cb34f243186fffe

SHA256
61c936619f4b917c6af3223b9876eb53f85252875ce7c28dc5e5fbef87940b1f

SHA512
7e33b35f2082e277c55ce43a730acf417f66c8d4db64ba5970efa301d95c2d468480db946d078487ac958d8535fd64cedbf070d83d21a47db62613f51cd110d1

Download Submit
memory/2752-14-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2752-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2752-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2752-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2752-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2752-213-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2820-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads