437b6da49c8eeb230154d85eb5245dbdfbc32e4261c9937c55aa7c89b3e6692f

General

Target

bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe
Size

499KB
MD5

bdb245992acd5b1f150c857380da3008
SHA1

9085bc32780536d7794b5d5639516da1be743456
SHA256

437b6da49c8eeb230154d85eb5245dbdfbc32e4261c9937c55aa7c89b3e6692f
SHA512

ae6e940003088a42575a28cf97fe49cd7f05be8e3f97eff54977c75700bdd8fb6e9ae3a8856833795333152965ffa2a5d088be2ba6048cefc539b81682af0dac
SSDEEP

6144:b0+nkbu3mjQDF6/M93xn3N93gLyLRTG1Bvd9EqSZo:Kcw/Sx33gLyLRKBsqSC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2388	buftemp1.exe
2044	buftemp2.exe
2772	buftemp3.exe
2704	buftemp2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2044 set thread context of 2704	2044	buftemp2.exe	33

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\buftemp1.exe	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe
File opened for modification	C:\Windows\buftemp2.exe	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe
File opened for modification	C:\Windows\buftemp3.exe	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe
File opened for modification	C:\Windows\buftemp4.exe	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe
File opened for modification	C:\Windows\buftemp2.exe	buftemp2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2752	2704	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	buftemp1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	buftemp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	buftemp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	buftemp3.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main	buftemp1.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1956	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe
2044	buftemp2.exe
2388	buftemp1.exe
2388	buftemp1.exe
2388	buftemp1.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2388	1956	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe	30
PID 1956 wrote to memory of 2388	1956	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe	30
PID 1956 wrote to memory of 2388	1956	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe	30
PID 1956 wrote to memory of 2388	1956	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe	30
PID 1956 wrote to memory of 2044	1956	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe	31
PID 1956 wrote to memory of 2044	1956	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe	31
PID 1956 wrote to memory of 2044	1956	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe	31
PID 1956 wrote to memory of 2044	1956	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe	31
PID 1956 wrote to memory of 2772	1956	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe	32
PID 1956 wrote to memory of 2772	1956	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe	32
PID 1956 wrote to memory of 2772	1956	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe	32
PID 1956 wrote to memory of 2772	1956	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe	32
PID 2044 wrote to memory of 2704	2044	buftemp2.exe	33
PID 2044 wrote to memory of 2704	2044	buftemp2.exe	33
PID 2044 wrote to memory of 2704	2044	buftemp2.exe	33
PID 2044 wrote to memory of 2704	2044	buftemp2.exe	33
PID 2044 wrote to memory of 2704	2044	buftemp2.exe	33
PID 2044 wrote to memory of 2704	2044	buftemp2.exe	33
PID 2044 wrote to memory of 2704	2044	buftemp2.exe	33
PID 2044 wrote to memory of 2704	2044	buftemp2.exe	33
PID 2704 wrote to memory of 2752	2704	buftemp2.exe	34
PID 2704 wrote to memory of 2752	2704	buftemp2.exe	34
PID 2704 wrote to memory of 2752	2704	buftemp2.exe	34
PID 2704 wrote to memory of 2752	2704	buftemp2.exe	34

C:\Users\Admin\AppData\Local\Temp\bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\buftemp1.exe
  "C:\Windows\buftemp1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2388
- C:\Windows\buftemp2.exe
  "C:\Windows\buftemp2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\buftemp2.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 36
      4⤵
      Program crash
      PID:2752
- C:\Windows\buftemp3.exe
  "C:\Windows\buftemp3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\buftemp1.exe

Filesize
92KB

MD5
1a42d22baf466b54d3d783ae503195f2

SHA1
0da4e75af57854f23f8eee6bb63b32cc0cc602c3

SHA256
6f249cb9d135fbcae7897792bac469bd33da5b8dabc13bdfd7d36335a9ccb98b

SHA512
045b4fa7edb395548e0ef6a38cdc55436d0b085b973666986a0d32ae153cdbf10010c2e98a4bff36e687144969a4adcd70bcb34565523efa6c9d3f8628e287bb

Download Submit
C:\Windows\buftemp2.exe

Filesize
76KB

MD5
4309fda62c93ba7636c99bfee0822e77

SHA1
ecc4646cd14bd502530c66394d62d64a0ee9fec2

SHA256
93c91a433dada96852f9cd722b34daa876d7f9ae4d8c1b1a78a9cdfe4dd7b16d

SHA512
a8e46b20765246d4dbebfeff5a5d54ecd25c2a4275d98ca6c642bec880884a347dff1fb1a338d484364abe69f7dd9b0aacc6d0185ff7e0e15ac262d455516cc9

Download Submit
C:\Windows\buftemp3.exe

Filesize
18KB

MD5
dbef96f4c5976d12d6cb055e264c0c18

SHA1
66add26e5e4a38fb5a6c2b1eade873389218736c

SHA256
c287b162d4d9082f34afd9cb0bbb3a3e528612f1f0a0836dccaf73ac87be1664

SHA512
7f04d26ce592f9ab13487404368df0006657a3d30d727b4b6cab48d18e32055391254025562504e1eed8ad8796ddc535a0bf2b53f868c1544407724f467f8405

Download Submit
memory/2388-41-0x0000000003070000-0x0000000003B2A000-memory.dmp

Filesize
10.7MB

Download
memory/2704-40-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2704-38-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2704-36-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2704-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2704-32-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2704-30-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2704-28-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2704-47-0x0000000000400000-0x0000000000402400-memory.dmp

Filesize
9KB

Download

Analysis

Sharing