6fbc83e294998c8bbe4c340cf3ad30a7bfd386f5a414ae62617bcabf18e9f4f1

General

Target

b218aca66db76c6278a9a98cd094463e_JaffaCakes118.exe
Size

128KB
MD5

b218aca66db76c6278a9a98cd094463e
SHA1

69cbb170ba245a88af57c3b8f91b8ca46c7b27e1
SHA256

6fbc83e294998c8bbe4c340cf3ad30a7bfd386f5a414ae62617bcabf18e9f4f1
SHA512

0f99ec3b18d3f398a4e082a635fe68e2867aaceb1519965037438f802c8161bbd15ce506c58d5a380e63d6e44351d2386cb5b0c84e1de7d88172d64cf78291e5
SSDEEP

3072:gfoYE/k5MuqR42MeZ4HfN0+f95/6q9MPp4UgssTKBkUj2MeZ4HfN0+f95/6q9:gf9nWzMeZefv7/6q9M6U++BtCMeZefvF

Score

7^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 1 IoCs

pid	Process
4700	outlook.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe"	b218aca66db76c6278a9a98cd094463e_JaffaCakes118.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\outlook.exe	b218aca66db76c6278a9a98cd094463e_JaffaCakes118.exe
File opened for modification	C:\Windows\sys32.exe	b218aca66db76c6278a9a98cd094463e_JaffaCakes118.exe
File opened for modification	C:\Windows\outlook.cfg	outlook.exe
File created	C:\Windows\crc32.cfg	outlook.exe
File created	C:\Windows\sys32.exe	b218aca66db76c6278a9a98cd094463e_JaffaCakes118.exe
File created	C:\Windows\outlook.exe	b218aca66db76c6278a9a98cd094463e_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1048	4700	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b218aca66db76c6278a9a98cd094463e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	outlook.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 4700	3372	b218aca66db76c6278a9a98cd094463e_JaffaCakes118.exe	85
PID 3372 wrote to memory of 4700	3372	b218aca66db76c6278a9a98cd094463e_JaffaCakes118.exe	85
PID 3372 wrote to memory of 4700	3372	b218aca66db76c6278a9a98cd094463e_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\b218aca66db76c6278a9a98cd094463e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b218aca66db76c6278a9a98cd094463e_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\outlook.exe
  C:\Windows\outlook.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 29900
    3⤵
    - Program crash
    PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4700 -ip 4700
1⤵
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Windows Credential Manager

1

T1555.004

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\outlook.cfg

Filesize
1KB

MD5
009e002e5873d547e35ed15ddcc91c15

SHA1
bba639b55a99dbb9441de18b23fd6d3d0e43445e

SHA256
76b8bcd0a4ee1c3f4974ac68f5997a57815e463392ab94ee815da2148a079d1f

SHA512
ca5c43e3a6ee5568f1cd1b1cd5f2eaee0b4226f8c20f64c4d0a177b5969330146dfd185f9ecfee1cc3714d69fdd2f3beb7a4787a88b61e47f7d3c581bf152091

Download Submit
C:\Windows\outlook.cfg

Filesize
2KB

MD5
f4349507b981fd478f940e360b088bd7

SHA1
3bbadda4cceab14aa156da2afb860abf62dca618

SHA256
db855ea7d3ad9ba67b529cbc8620570abf7739221f3966b7f601492e1ca8d5eb

SHA512
df9dd4aa96f1e07fbcdd6301e20c1259c6391447ee829d2d59dc89befbbd4b8a1a9ae8222e03f52c3dff4e374674ac6e39155ae2c8fe068eb5113fe373222e80

Download Submit
C:\Windows\outlook.cfg

Filesize
295B

MD5
c19aad2e5b26747970fbe045bf6beba4

SHA1
7bbec1f5c6536fa159238746e23b9d703f155217

SHA256
3a232c9dfcaa3967bb58aeedfa7ac948b50f79457dc24ce5e26fe7d27accb4a5

SHA512
8be1a2b34277db2a47a51b25e1a23d94ba48fab98cbcc554b11e7f928c0c6b2e4b3fc8706e3ecd094bdb3d7bc51a2760a65e839e25ee84fb97d1de052962d1cd

Download Submit
C:\Windows\outlook.cfg

Filesize
1KB

MD5
b43cf4b48fa069aeece5316e7c8dec61

SHA1
82dcf7fafa1932745ab0c2080606da9898c66995

SHA256
eb3347e67f1f89e99cb4ecf8891d8e5bb6a80cbd6d4d5dd3d6f1d7f43b315218

SHA512
bdc74c78ef9030141ce97592f044066098b91833a82946d27239fb1939fe4e21cc4585705c7927fbe4ac9e5864dfe6fe6f873ea613c9fa0cd5c5b6b0e06cd0d0

Download Submit
C:\Windows\outlook.cfg

Filesize
1KB

MD5
9c5bb567437c639df09eb0439720ef66

SHA1
6957197a331f9297ce2a857ac7eb13b7cf75f54b

SHA256
fb19f02fa1b987b8f354da1615da266b5d72c198ebcc69446131920d479efffb

SHA512
61372a0a7b0203cec73407f23666cfcc9546d44fe2492a676724c1659d388097b8af6ff57174c5165987059002f1cf149debfbdca3ed9c400dad52c5d5f1e484

Download Submit
C:\Windows\outlook.exe

Filesize
49KB

MD5
0e9379e357aba95f8b9883af9b67675e

SHA1
280a174a414e5b8588f42b6328af2c8c8ff4394f

SHA256
96b9c4ead67d03eb2c69103a983274e013e3466e80d8f95bd7cf3aea8be05b28

SHA512
6cc383806882729cd889b025802ac0d5e1c55a74b3e7d7c98932644e8802fe52b5b14a886eff70ab7deaa70fb60bb9898e55b5cd83b5b99e2a2d107dce367784

Download Submit
memory/3372-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3372-29-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4700-114-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4700-129-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads