c8f9b766c190d78e8f8676e16b45ced909605ae3ce27fd17f6bdd53cc92cb328

General

Target

af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe
Size

165KB
MD5

af985d4008865ceb92b99b79e9d2a1ec
SHA1

943913af93434f6eddbb3c57b1ddfccce3c70169
SHA256

c8f9b766c190d78e8f8676e16b45ced909605ae3ce27fd17f6bdd53cc92cb328
SHA512

b33d1b77ce9f91f0c0d17ae22f07c1ef53b2069f227813f8a8efe647b7e9181432c799cb6680f18424ffa44d6d58a70719f66e2a5866451f8b6928d74655126f
SSDEEP

3072:4iY/vHi2r8KhmF6CVjwSkLga+tpznaM8JoGD2Kv839yjzK7kuZRpVRNmddPSi:UHFIQCRkLEaZoGD2G839yzq9RBNKdqi

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/712-2-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2428-5-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/712-8-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/712-68-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2160-70-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2160-71-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/712-131-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/712-134-0x0000000000400000-0x000000000043C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 712 wrote to memory of 2428	712	af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe	30
PID 712 wrote to memory of 2428	712	af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe	30
PID 712 wrote to memory of 2428	712	af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe	30
PID 712 wrote to memory of 2428	712	af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe	30
PID 712 wrote to memory of 2160	712	af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe	32
PID 712 wrote to memory of 2160	712	af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe	32
PID 712 wrote to memory of 2160	712	af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe	32
PID 712 wrote to memory of 2160	712	af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:712
- C:\Users\Admin\AppData\Local\Temp\af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2428
- C:\Users\Admin\AppData\Local\Temp\af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\04A4.0C7

Filesize
300B

MD5
d678054ba7343317463e596f823f195d

SHA1
02d01e62aa28ccb6dc9f4f956ffbc1d072e5b8fc

SHA256
de1f9310384e02543c7294f9f3a2f6dfc080f0049d98d0d378c49348f06b9001

SHA512
539fbdb65e79b12a07d6b96dbb1644fa628472967c6966d02e16a63a27c5ca54b09c34e5a0ad5b9916f5029b35445aa89dde23779ee54da20a91a218989d04a2

Download Submit
C:\Users\Admin\AppData\Roaming\04A4.0C7

Filesize
1KB

MD5
9a956e1a6a00b8d875b3034aa121c495

SHA1
32c8cce92aefc6ec70f641fc232d54ea9a282231

SHA256
6301194cd97cf13fbb819ab7dfe73666643b52cd36ad53e31c8b0a278bed0c72

SHA512
aad6d4b2864051c56094e1f4fc68ef121fbb79df2f1deec25368cedeebfec2177c709eedd0f01fe15f99ed21e28db822a68bc1e85f35348a0f22028c431d26bd

Download Submit
C:\Users\Admin\AppData\Roaming\04A4.0C7

Filesize
696B

MD5
5b4f76687cfbfad71ee4103d04a305a0

SHA1
ab0df1624d342ae47f8d1c65e9c8274da2b4b9bc

SHA256
eeed86373c0600c136e8ba624978f939ad76ccbeb212d6249b7cd5ccf10fe81a

SHA512
71d13f89077967282d1b0a6e7f5b2ae74bf50b773bcd72d88fc692351fc31690e82346a8df8d6c2dd68bf8dd0d0c994d0b57532893ea3ead0bed8675b31c4bdd

Download Submit
memory/712-1-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/712-2-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/712-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/712-68-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/712-131-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/712-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2160-70-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2160-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2428-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads