89c24502cf4afba435fc323def3c6d710c2560949decb113dc49e4397049f0e5

General

Target

b2f6c22711f7e20fc5bdfc24783d2fc3_JaffaCakes118.exe
Size

185KB
MD5

b2f6c22711f7e20fc5bdfc24783d2fc3
SHA1

8266263db0ebe346e46aa1bd3ffbeb2da2f575e6
SHA256

89c24502cf4afba435fc323def3c6d710c2560949decb113dc49e4397049f0e5
SHA512

e25741c250c9d1cb0da1c6848ad67b456d7ae2c57745a6cb4c88d471471029b17c2753e72976daad688bf51029d0143675c10d016b0b772c8a671e3f2c62a79f
SSDEEP

3072:GxTTjrZ8LF4X9FRKcM3lK0hMY9vEqjJ6msfZacvbMCau2EbSVBrB2JI4pDqW+vMb:GdHZ8R4X9FAljw/xlvgjo2sJqW+FuYGz

Score

10^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	b2f6c22711f7e20fc5bdfc24783d2fc3_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2144-2-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2180-7-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2180-6-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2180-5-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2144-15-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2144-78-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2572-80-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2572-81-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2144-180-0x0000000000400000-0x0000000000468000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2f6c22711f7e20fc5bdfc24783d2fc3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2f6c22711f7e20fc5bdfc24783d2fc3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2f6c22711f7e20fc5bdfc24783d2fc3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2180	2144	b2f6c22711f7e20fc5bdfc24783d2fc3_JaffaCakes118.exe	28
PID 2144 wrote to memory of 2180	2144	b2f6c22711f7e20fc5bdfc24783d2fc3_JaffaCakes118.exe	28
PID 2144 wrote to memory of 2180	2144	b2f6c22711f7e20fc5bdfc24783d2fc3_JaffaCakes118.exe	28
PID 2144 wrote to memory of 2180	2144	b2f6c22711f7e20fc5bdfc24783d2fc3_JaffaCakes118.exe	28
PID 2144 wrote to memory of 2572	2144	b2f6c22711f7e20fc5bdfc24783d2fc3_JaffaCakes118.exe	32
PID 2144 wrote to memory of 2572	2144	b2f6c22711f7e20fc5bdfc24783d2fc3_JaffaCakes118.exe	32
PID 2144 wrote to memory of 2572	2144	b2f6c22711f7e20fc5bdfc24783d2fc3_JaffaCakes118.exe	32
PID 2144 wrote to memory of 2572	2144	b2f6c22711f7e20fc5bdfc24783d2fc3_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\b2f6c22711f7e20fc5bdfc24783d2fc3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b2f6c22711f7e20fc5bdfc24783d2fc3_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Local\Temp\b2f6c22711f7e20fc5bdfc24783d2fc3_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\b2f6c22711f7e20fc5bdfc24783d2fc3_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2180
- C:\Users\Admin\AppData\Local\Temp\b2f6c22711f7e20fc5bdfc24783d2fc3_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\b2f6c22711f7e20fc5bdfc24783d2fc3_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AF27.85A

Filesize
1KB

MD5
11e647032ecf7d24a3fd140985785e18

SHA1
e8fdd15c661abbb88d23f90e63a5318335424dd1

SHA256
6eb648758917f9c2706a0125382f481bda83d96ec4397795ee772c7685133795

SHA512
d348588c4c58a7fed6a5580693cf7ebaa801638c3a078e6b7eba33f6c08bc61db4f9d4c088786f903cb7a8a4108155d25dd7aa37659e283983bca4ddcce54696

Download Submit
C:\Users\Admin\AppData\Roaming\AF27.85A

Filesize
600B

MD5
784969258d7c8bcb1e62339a3557d515

SHA1
fbadcbd111c77669ca7e177db0fb914ba5c70e55

SHA256
d7823ac59712622447e30fa17902b704dc1b48c3cc9af3395baf7f4ae700dc97

SHA512
4ee54c70eaf883748b3506023ec72f0306e0154f08f581aec0e91aa9405e010b14bc998f49e4e1349f7379b6cb562fab188b85219bff5e3d8f519c6675e5cf8c

Download Submit
C:\Users\Admin\AppData\Roaming\AF27.85A

Filesize
996B

MD5
66312b3888cfd3b5e4d987efaf11d929

SHA1
068379c216d20eba8d072fec2a0a69b798d851bb

SHA256
a43aa298069eecde88585f7666d1d06d0bc4399a8273c004d8619505a066fbaa

SHA512
c91c951b7b4b9ac0d4ab7671640103134bc798944a551acabfa1d17d55796353f47c2b3c3c3c1f60afc8c6d753f083677b971ecd3041a129ff3f6c9743ce8cfa

Download Submit
memory/2144-2-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2144-180-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2144-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2144-15-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2144-78-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2180-6-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2180-5-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2180-7-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2572-81-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2572-80-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads