e3b123ab1fcc11ede53d7bc05434a63160fc7832cec12631a55e8f04c152e78b

General

Target

ab5d0d25b309a7f63fce048feaf59e2f_JaffaCakes118.exe
Size

128KB
MD5

ab5d0d25b309a7f63fce048feaf59e2f
SHA1

fb44edd5a073d5f089c8b105e390bccd57380519
SHA256

e3b123ab1fcc11ede53d7bc05434a63160fc7832cec12631a55e8f04c152e78b
SHA512

1daa9bbfa1b2dada8c4157a7fe32c6517970d54a2f16392dad9e9459f7017d9597a257d0fd013680d3e54db7d91b5b08ef51a8d185597526b7fe52fc6fb370b7
SSDEEP

3072:j0/MimmNALxSKPt0eIAAK71LbVUrjXwqufSKPt0eIAAK71L:jiMi/aLxjdd1LbVUrbwtfjdd1L

Score

7^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 1 IoCs

pid	Process
2172	outlook.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe"	ab5d0d25b309a7f63fce048feaf59e2f_JaffaCakes118.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\outlook.exe	ab5d0d25b309a7f63fce048feaf59e2f_JaffaCakes118.exe
File opened for modification	C:\Windows\sys32.exe	ab5d0d25b309a7f63fce048feaf59e2f_JaffaCakes118.exe
File opened for modification	C:\Windows\outlook.cfg	outlook.exe
File created	C:\Windows\crc32.cfg	outlook.exe
File created	C:\Windows\sys32.exe	ab5d0d25b309a7f63fce048feaf59e2f_JaffaCakes118.exe
File created	C:\Windows\outlook.exe	ab5d0d25b309a7f63fce048feaf59e2f_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3560	2172	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab5d0d25b309a7f63fce048feaf59e2f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	outlook.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 2172	4896	ab5d0d25b309a7f63fce048feaf59e2f_JaffaCakes118.exe	84
PID 4896 wrote to memory of 2172	4896	ab5d0d25b309a7f63fce048feaf59e2f_JaffaCakes118.exe	84
PID 4896 wrote to memory of 2172	4896	ab5d0d25b309a7f63fce048feaf59e2f_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\ab5d0d25b309a7f63fce048feaf59e2f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ab5d0d25b309a7f63fce048feaf59e2f_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\outlook.exe
  C:\Windows\outlook.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 30444
    3⤵
    - Program crash
    PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2172 -ip 2172
1⤵
PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Windows Credential Manager

1

T1555.004

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\outlook.cfg

Filesize
1KB

MD5
cb5ca3ac5c233a1bec7254cfa65bf587

SHA1
a096a6405635cf114ca706054f9b8bd1909b4395

SHA256
c8e8b669b3d73f7839bf18e12c9914fab3cd1c46be5ceb8f34ae6623adfc8585

SHA512
e7f87fac648f35cd20ecbfc1ab5567edb898cfde02646b97e96d7e0b30f8f8f36001b5e35db4e80d2a311fa8a10e4624b2b286e7c4b14275e243afb8412b082a

Download Submit
C:\Windows\outlook.cfg

Filesize
2KB

MD5
51aab1280ee3cc9ca4515bed4e060576

SHA1
9698644da6068ce16cdeaf439eb527341bbbfcba

SHA256
511cc392d2c026ac0f52449a732b9645ed3cdcc142e7f21c2d754f7a07645688

SHA512
896704d101e69ad42bbdb938ff18daab2eab37586e8f34444d0169b67a712cf0fccbb98b83e759a0f7d86fc43f87c923beff71e5c1d10dc9d28bad231384adb2

Download Submit
C:\Windows\outlook.cfg

Filesize
295B

MD5
c19aad2e5b26747970fbe045bf6beba4

SHA1
7bbec1f5c6536fa159238746e23b9d703f155217

SHA256
3a232c9dfcaa3967bb58aeedfa7ac948b50f79457dc24ce5e26fe7d27accb4a5

SHA512
8be1a2b34277db2a47a51b25e1a23d94ba48fab98cbcc554b11e7f928c0c6b2e4b3fc8706e3ecd094bdb3d7bc51a2760a65e839e25ee84fb97d1de052962d1cd

Download Submit
C:\Windows\outlook.cfg

Filesize
505B

MD5
e568c235dee5a1a47fd7d742e0c44ee8

SHA1
c165d21e5ac79c1c5d05ac9e168bf1ae2bafda0e

SHA256
bc69ae93eef75959c1bf18f1a3ff209ecf2a94c25a94cb1acaa14961865b7fae

SHA512
ae8042ee1a4ba8bfcd70a56e6db0309f5defbee510a7b4913f4a9eb3d2a3d0fc7484603e333d93df18d6ebd0c5fcb4b9a275094a59d7d59f2232a711ea68fca3

Download Submit
C:\Windows\outlook.cfg

Filesize
1KB

MD5
5abc89247c69affd92733436a10a2146

SHA1
722984748f9d376cc01bc2458f054b6a773f83b5

SHA256
c89172825caa3d28602de1bad056d2488f1aa05f6dc2942fdb66e588270ca1a8

SHA512
722c82bc76dc80a9220c85d91183c40504492ccec51683c944085801703fb48526866f6b65c2be42b9b3c49835505536750d6ac8ebfe90b37f649ec29f380326

Download Submit
C:\Windows\outlook.exe

Filesize
49KB

MD5
0e9379e357aba95f8b9883af9b67675e

SHA1
280a174a414e5b8588f42b6328af2c8c8ff4394f

SHA256
96b9c4ead67d03eb2c69103a983274e013e3466e80d8f95bd7cf3aea8be05b28

SHA512
6cc383806882729cd889b025802ac0d5e1c55a74b3e7d7c98932644e8802fe52b5b14a886eff70ab7deaa70fb60bb9898e55b5cd83b5b99e2a2d107dce367784

Download Submit
memory/2172-112-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2172-127-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4896-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4896-25-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads