437b6da49c8eeb230154d85eb5245dbdfbc32e4261c9937c55aa7c89b3e6692f

General

Target

bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe
Size

499KB
MD5

bdb245992acd5b1f150c857380da3008
SHA1

9085bc32780536d7794b5d5639516da1be743456
SHA256

437b6da49c8eeb230154d85eb5245dbdfbc32e4261c9937c55aa7c89b3e6692f
SHA512

ae6e940003088a42575a28cf97fe49cd7f05be8e3f97eff54977c75700bdd8fb6e9ae3a8856833795333152965ffa2a5d088be2ba6048cefc539b81682af0dac
SSDEEP

6144:b0+nkbu3mjQDF6/M93xn3N93gLyLRTG1Bvd9EqSZo:Kcw/Sx33gLyLRKBsqSC

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
956	buftemp1.exe
3872	buftemp2.exe
3676	buftemp3.exe
220	buftemp2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3872 set thread context of 220	3872	buftemp2.exe	88

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\buftemp1.exe	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe
File opened for modification	C:\Windows\buftemp2.exe	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe
File opened for modification	C:\Windows\buftemp3.exe	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe
File opened for modification	C:\Windows\buftemp4.exe	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe
File opened for modification	C:\Windows\buftemp2.exe	buftemp2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4588	220	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	buftemp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	buftemp3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	buftemp1.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2276	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe
956	buftemp1.exe
3872	buftemp2.exe
956	buftemp1.exe
956	buftemp1.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 956	2276	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe	84
PID 2276 wrote to memory of 956	2276	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe	84
PID 2276 wrote to memory of 956	2276	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe	84
PID 2276 wrote to memory of 3872	2276	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe	85
PID 2276 wrote to memory of 3872	2276	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe	85
PID 2276 wrote to memory of 3872	2276	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe	85
PID 2276 wrote to memory of 3676	2276	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe	87
PID 2276 wrote to memory of 3676	2276	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe	87
PID 2276 wrote to memory of 3676	2276	bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe	87
PID 3872 wrote to memory of 220	3872	buftemp2.exe	88
PID 3872 wrote to memory of 220	3872	buftemp2.exe	88
PID 3872 wrote to memory of 220	3872	buftemp2.exe	88
PID 3872 wrote to memory of 220	3872	buftemp2.exe	88
PID 3872 wrote to memory of 220	3872	buftemp2.exe	88
PID 3872 wrote to memory of 220	3872	buftemp2.exe	88
PID 3872 wrote to memory of 220	3872	buftemp2.exe	88

C:\Users\Admin\AppData\Local\Temp\bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bdb245992acd5b1f150c857380da3008_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\buftemp1.exe
  "C:\Windows\buftemp1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:956
- C:\Windows\buftemp2.exe
  "C:\Windows\buftemp2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\buftemp2.exe
    3⤵
    - Executes dropped EXE
    PID:220
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 464
      4⤵
      Program crash
      PID:4588
- C:\Windows\buftemp3.exe
  "C:\Windows\buftemp3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 220 -ip 220
1⤵
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\buftemp1.exe

Filesize
92KB

MD5
1a42d22baf466b54d3d783ae503195f2

SHA1
0da4e75af57854f23f8eee6bb63b32cc0cc602c3

SHA256
6f249cb9d135fbcae7897792bac469bd33da5b8dabc13bdfd7d36335a9ccb98b

SHA512
045b4fa7edb395548e0ef6a38cdc55436d0b085b973666986a0d32ae153cdbf10010c2e98a4bff36e687144969a4adcd70bcb34565523efa6c9d3f8628e287bb

Download Submit
C:\Windows\buftemp2.exe

Filesize
76KB

MD5
4309fda62c93ba7636c99bfee0822e77

SHA1
ecc4646cd14bd502530c66394d62d64a0ee9fec2

SHA256
93c91a433dada96852f9cd722b34daa876d7f9ae4d8c1b1a78a9cdfe4dd7b16d

SHA512
a8e46b20765246d4dbebfeff5a5d54ecd25c2a4275d98ca6c642bec880884a347dff1fb1a338d484364abe69f7dd9b0aacc6d0185ff7e0e15ac262d455516cc9

Download Submit
C:\Windows\buftemp3.exe

Filesize
18KB

MD5
dbef96f4c5976d12d6cb055e264c0c18

SHA1
66add26e5e4a38fb5a6c2b1eade873389218736c

SHA256
c287b162d4d9082f34afd9cb0bbb3a3e528612f1f0a0836dccaf73ac87be1664

SHA512
7f04d26ce592f9ab13487404368df0006657a3d30d727b4b6cab48d18e32055391254025562504e1eed8ad8796ddc535a0bf2b53f868c1544407724f467f8405

Download Submit
memory/220-36-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/220-39-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/220-45-0x0000000000400000-0x0000000000402400-memory.dmp

Filesize
9KB

Download

Analysis

Sharing