80de3691825a38b1615ed80955541780e2004b920d38ba9cf5fa3008a7b15b49

General

Target

bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe
Size

651KB
MD5

bbfa5512ba83852116f5bab28a0941f1
SHA1

c3c8cc856bbfd15cb299bd679d7f4d626c84ad94
SHA256

80de3691825a38b1615ed80955541780e2004b920d38ba9cf5fa3008a7b15b49
SHA512

95f0b40623b8f6b2aa85a2c856ba081522b0ecfd2f8b1eeb66578e5ef09d579635bd5e699f71aad9c18dbdb4d0c29bbefd7087f29c8a5b54840163eec4606ceb
SSDEEP

12288:9n8yN0Mr8pzE2lBFr5zpNhaxp9GWWUD0I/Q8V2u8FFJfIBzDVSNB3x:FPu5Vfc8FFJABzpSNpx

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Isass.exe

Executes dropped EXE 5 IoCs

pid	Process
5080	Isass.exe
4816	Isass.exe
1072	Isass.exe
2060	Isass.exe
4432	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1592	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe
1592	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe
5080	Isass.exe
5080	Isass.exe
4816	Isass.exe
4816	Isass.exe
4816	Isass.exe
4816	Isass.exe
4816	Isass.exe
4816	Isass.exe
2396	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe
2396	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe
1072	Isass.exe
1072	Isass.exe
1072	Isass.exe
1072	Isass.exe
1072	Isass.exe
1072	Isass.exe
2092	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe
2092	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe
2060	Isass.exe
2060	Isass.exe
2060	Isass.exe
2060	Isass.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 5080	1592	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe	84
PID 1592 wrote to memory of 5080	1592	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe	84
PID 1592 wrote to memory of 5080	1592	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe	84
PID 1592 wrote to memory of 4816	1592	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe	85
PID 1592 wrote to memory of 4816	1592	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe	85
PID 1592 wrote to memory of 4816	1592	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe	85
PID 4816 wrote to memory of 2396	4816	Isass.exe	86
PID 4816 wrote to memory of 2396	4816	Isass.exe	86
PID 4816 wrote to memory of 2396	4816	Isass.exe	86
PID 2396 wrote to memory of 1072	2396	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe	87
PID 2396 wrote to memory of 1072	2396	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe	87
PID 2396 wrote to memory of 1072	2396	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe	87
PID 1072 wrote to memory of 2092	1072	Isass.exe	88
PID 1072 wrote to memory of 2092	1072	Isass.exe	88
PID 1072 wrote to memory of 2092	1072	Isass.exe	88
PID 2092 wrote to memory of 2060	2092	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe	89
PID 2092 wrote to memory of 2060	2092	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe	89
PID 2092 wrote to memory of 2060	2092	bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe	89
PID 2060 wrote to memory of 4432	2060	Isass.exe	90
PID 2060 wrote to memory of 4432	2060	Isass.exe	90
PID 2060 wrote to memory of 4432	2060	Isass.exe	90

C:\Users\Admin\AppData\Local\Temp\bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5080
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Users\Admin\AppData\Local\Temp\bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1072
    - - C:\Users\Admin\AppData\Local\Temp\bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2092
      - C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

Filesize
673KB

MD5
0f7c18f649ec014a778fde5afdaee76b

SHA1
8145e30fca63f90cb46f5567438f9fb4c22135bd

SHA256
a240d446c49706ca257ca211d299fe4bac25e0490ae40a036147988c481a9775

SHA512
01327b058b2614ca847bcc61c736d47a34ed8383731ecba4925c8c4c5d8dd50c9fafc01d3fc3ca19f5134567807ea2482fa7d8cd9abfd653f913cff05069bf11

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbfa5512ba83852116f5bab28a0941f1_JaffaCakes118.exe

Filesize
408KB

MD5
6aaf2d45c0c65e53c90eb1e9a28d3451

SHA1
3c367542519f0be139d2ea6965eaf20e353f793c

SHA256
eddf1406ddba6dab33066d9f4ee49805f260f8e728529bdb61c21b51cb71fdbe

SHA512
c16d3af1e66194ad941eca298a32e14534e2d476a77442bc545a16b657b21369e5f0b5853b3d4fc9cf0ae343fc65fb306f0d9e93f2d346f518cce07507c1bbd4

Download Submit
C:\Users\Public\Microsoft Build\Isass.exe

Filesize
211KB

MD5
169e0b2c522d42bf1688983762ccf9a3

SHA1
c891e51a6c3b69bcd111afb621ad7443570272a7

SHA256
f160ad54dd909b6324eaddaeb3b5f02ecdc8895aa3aeb7db6bb0bcdd18fcd33b

SHA512
70bba3ed08eb8b642f784770fc21aeb698c889ea4653ec92a2fa50b101ccaaa7f639c66bd535697a703c77b585d6cf04ddf3a41511f7b1334014b0d3d014ac92

Download Submit
memory/1072-15-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1072-17-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1592-3-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1592-6-0x0000000001A80000-0x0000000001A81000-memory.dmp

Filesize
4KB

Download
memory/1592-9-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2060-30-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2092-19-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2396-12-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2396-14-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/4816-11-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/4816-10-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5080-44-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5080-39-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5080-52-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5080-38-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5080-53-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5080-5-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5080-43-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5080-59-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5080-35-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5080-34-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5080-7-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5080-60-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5080-71-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5080-72-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5080-83-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5080-84-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5080-93-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads