masslogger | b8eccd094b6d3295838e91b54c25c81c86dcd0786543524f6c9e5c5108484c03

General

Target

c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe
Size

1.1MB
MD5

c681559b99ec45b7deb597342f829ad1
SHA1

f9c264ea9987b2377293ebad0722b6389ffe4c99
SHA256

b8eccd094b6d3295838e91b54c25c81c86dcd0786543524f6c9e5c5108484c03
SHA512

804ff57a342d67c5126ea8b54c03afb031d7b51e814e633657e8e91ffdb3c09b2d0271b6649471c10dbdb0388d6f9816cdc3f649b9151916bf7c7fb3e74c388b
SSDEEP

24576:vyB2j24zrtOTFKKpDQGXsqMGUEiVJElns1fFOXUTlmJ17G6+:zFrtOTFpyqMtlf1fQUTl

Score

10^/10

masslogger defense_evasion discovery spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main payload 5 IoCs

resource	yara_rule
behavioral1/memory/2792-14-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/2792-15-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/2792-21-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/2792-23-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/2792-18-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Deletes itself 1 IoCs

pid	Process
2960	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2568 set thread context of 2792	2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2816	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe
2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe
2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe
2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe
2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe
2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe
2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe
2792	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe
2792	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe
2960	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe
Token: SeDebugPrivilege	2792	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe
Token: SeDebugPrivilege	2960	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2816	2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2816	2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2816	2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2816	2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	31
PID 2568 wrote to memory of 3064	2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	33
PID 2568 wrote to memory of 3064	2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	33
PID 2568 wrote to memory of 3064	2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	33
PID 2568 wrote to memory of 3064	2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	33
PID 2568 wrote to memory of 2336	2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	34
PID 2568 wrote to memory of 2336	2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	34
PID 2568 wrote to memory of 2336	2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	34
PID 2568 wrote to memory of 2336	2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	34
PID 2568 wrote to memory of 2792	2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	35
PID 2568 wrote to memory of 2792	2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	35
PID 2568 wrote to memory of 2792	2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	35
PID 2568 wrote to memory of 2792	2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	35
PID 2568 wrote to memory of 2792	2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	35
PID 2568 wrote to memory of 2792	2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	35
PID 2568 wrote to memory of 2792	2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	35
PID 2568 wrote to memory of 2792	2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	35
PID 2568 wrote to memory of 2792	2568	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	35
PID 2792 wrote to memory of 2960	2792	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	37
PID 2792 wrote to memory of 2960	2792	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	37
PID 2792 wrote to memory of 2960	2792	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	37
PID 2792 wrote to memory of 2960	2792	c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe	37

C:\Users\Admin\AppData\Local\Temp\c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TsWHapCjEjbp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A2A.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe
  "{path}"
  2⤵
  PID:3064
- C:\Users\Admin\AppData\Local\Temp\c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe
  "{path}"
  2⤵
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe
  "{path}"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\c681559b99ec45b7deb597342f829ad1_JaffaCakes118.exe'
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4A2A.tmp

Filesize
1KB

MD5
a0bc8c455a849bd4b39a87bfa8d99a41

SHA1
5779ca34980aca1083c0709b4ab1a26eef817e29

SHA256
5ccdbbcaadc63f28fe9b68e2f16db381f5ea3ecae88dcb445902d53bddb92c7c

SHA512
18e38fa9a9e00391ac8bc2a16c7817ea6de1853b99935121040be6b5e5d1033a3a7c549ed1ab7aee93e30398ca02e72ee3929f1f82457520fbdb4903d8ff3d02

Download Submit
memory/2568-24-0x0000000074650000-0x0000000074D3E000-memory.dmp

Filesize
6.9MB

Download
memory/2568-3-0x000000007465E000-0x000000007465F000-memory.dmp

Filesize
4KB

Download
memory/2568-0-0x000000007465E000-0x000000007465F000-memory.dmp

Filesize
4KB

Download
memory/2568-4-0x0000000074650000-0x0000000074D3E000-memory.dmp

Filesize
6.9MB

Download
memory/2568-5-0x00000000057D0000-0x00000000058A0000-memory.dmp

Filesize
832KB

Download
memory/2568-6-0x0000000007C60000-0x0000000007D34000-memory.dmp

Filesize
848KB

Download
memory/2568-1-0x0000000000A50000-0x0000000000B6A000-memory.dmp

Filesize
1.1MB

Download
memory/2568-2-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2792-27-0x0000000074650000-0x0000000074D3E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-14-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2792-21-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2792-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2792-26-0x0000000074650000-0x0000000074D3E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-25-0x0000000074650000-0x0000000074D3E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-15-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2792-23-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2792-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2792-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2792-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads