452a6e16a37204736385385bd0c52c565b822eced2dd93dd9f6dbf255db8516d

General

Target

bfd7b77fb2a6e209d158ecbf0ba536cf_JaffaCakes118.exe
Size

166KB
MD5

bfd7b77fb2a6e209d158ecbf0ba536cf
SHA1

b43d76c63cd9a783ed0802a9a217012af39d2256
SHA256

452a6e16a37204736385385bd0c52c565b822eced2dd93dd9f6dbf255db8516d
SHA512

5429af6ac06c174b0913809ac372291a2a1c8e47d1a546ca485af5a857392a8f76c9a57657d3d50ab61d8ce138bae87bf4f1e021d00f4b3af6f21729117bfe14
SSDEEP

3072:fsPY+jIAgv7AYdLvb0jbVfkwc7JE99EYGLwCihPRK:/3LDdvb/wc7U9LGLSPR

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2292-1-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2720-12-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2720-11-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2720-13-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2292-14-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2448-70-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2292-71-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2292-138-0x0000000000400000-0x0000000000445000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	bfd7b77fb2a6e209d158ecbf0ba536cf_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfd7b77fb2a6e209d158ecbf0ba536cf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfd7b77fb2a6e209d158ecbf0ba536cf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfd7b77fb2a6e209d158ecbf0ba536cf_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2720	2292	bfd7b77fb2a6e209d158ecbf0ba536cf_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2720	2292	bfd7b77fb2a6e209d158ecbf0ba536cf_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2720	2292	bfd7b77fb2a6e209d158ecbf0ba536cf_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2720	2292	bfd7b77fb2a6e209d158ecbf0ba536cf_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2448	2292	bfd7b77fb2a6e209d158ecbf0ba536cf_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2448	2292	bfd7b77fb2a6e209d158ecbf0ba536cf_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2448	2292	bfd7b77fb2a6e209d158ecbf0ba536cf_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2448	2292	bfd7b77fb2a6e209d158ecbf0ba536cf_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\bfd7b77fb2a6e209d158ecbf0ba536cf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bfd7b77fb2a6e209d158ecbf0ba536cf_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\bfd7b77fb2a6e209d158ecbf0ba536cf_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\bfd7b77fb2a6e209d158ecbf0ba536cf_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\bfd7b77fb2a6e209d158ecbf0ba536cf_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\bfd7b77fb2a6e209d158ecbf0ba536cf_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\36FC.47D

Filesize
1KB

MD5
30da40a98afaf74dd888ed9254aebc85

SHA1
62af3467555346f62ecd52ec2925bb61d8aa4669

SHA256
85a3c94a526dfbc47d64cd8b7f6a770448990bf0db16c7d4654d2784c9503f72

SHA512
768a851c23d428861e7c22238816e7116d43d8604ceef968760af2821cadd513cafdb18bc42eaf36ee2ea45f9950eb04a7de49a1f5931e052d1d77c739007e77

Download Submit
C:\Users\Admin\AppData\Roaming\36FC.47D

Filesize
1KB

MD5
e7e0e16241ae1b763d99a44e5b62b7a6

SHA1
e73ef6846baa4faa90484bf42430189765c642c0

SHA256
700e18d88862e3d670a0436dac0ce0aaf8aab124e7cb11ea1164563f0b444097

SHA512
86bb9ee06815a89a26d5e3ad509615916df9655e3489023027b1ecf7c87ab747c876a835b04397d1bf45d02acd054550b51ef121a8eaf962a177f1388d624440

Download Submit
C:\Users\Admin\AppData\Roaming\36FC.47D

Filesize
600B

MD5
3219e6ce1a856f7811a79a3a711bda3a

SHA1
a3240a467f46fb35b350a53145b8fdcd590ddd84

SHA256
87791a613cfb004835c7a16f707d861b610830e5aba70544ab8071698b144129

SHA512
1ec853da006d6038deacdc579a0c92608422eca97ab1d81a9436f94c267200fa47aa47e834d9bd539fa0bbafa97acf696b8e7137ab5722d59dfaecf4f400301f

Download Submit
C:\Users\Admin\AppData\Roaming\36FC.47D

Filesize
996B

MD5
27251d1a40db6c3a45526a346fd517fa

SHA1
59fdaabf7abd6ca15e9c7562a24d0e3dbec5991f

SHA256
e9381b3c13ac518b7090373378b3f5fb6e44dbbe1db149b1a8b6f65f8ab4ae97

SHA512
94e73f001e125ce92ee2224eb4264753439909392b9e6ec7f13ad697baef9bb0124b680c8d4fd748ba014196545fbfebb34a65f57bbe3e19ac28862de86bc988

Download Submit
memory/2292-71-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2292-138-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2292-14-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2292-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2448-69-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2448-70-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2720-13-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2720-11-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2720-12-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads