31592fe5a522a0c046693c363fbb2f42f3b323319cf0c41bdedeb77c390c4cea

General

Target

cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
Size

176KB
MD5

cfa77e1bcda21bb364dbc5459791925d
SHA1

b27e18f025119da1160d6d0cfe067aa2f85c68e0
SHA256

31592fe5a522a0c046693c363fbb2f42f3b323319cf0c41bdedeb77c390c4cea
SHA512

5a13b2c15212476a944afd4696545c7d9ea6e6e719e2aa20c0a59edf97cf24fdef074dac386a08c4ba0e4b5de7d1c71fc7eab7c876fe3b2a4ef70e0590e426b5
SSDEEP

3072:08pniD17UueS8E1n5yGqwD0qXHU8nsJcRGx/WgIDbT/4dN+qMtP1UCl:0/B4uyE1n5yGbD0qX0vJcRm/WN/4dNYt

Score

7^/10

credential_access discovery spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4588-0-0x0000000001000000-0x0000000001067000-memory.dmp	upx
behavioral2/files/0x000a00000002343a-5.dat	upx
behavioral2/files/0x000100000001899a-17.dat	upx
behavioral2/memory/4588-31-0x0000000001000000-0x0000000001067000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened (read-only)	\??\N:	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened (read-only)	\??\R:	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened (read-only)	\??\S:	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened (read-only)	\??\T:	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened (read-only)	\??\V:	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened (read-only)	\??\X:	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened (read-only)	\??\H:	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened (read-only)	\??\K:	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened (read-only)	\??\M:	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened (read-only)	\??\Q:	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened (read-only)	\??\U:	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened (read-only)	\??\G:	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened (read-only)	\??\I:	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened (read-only)	\??\P:	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened (read-only)	\??\Z:	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened (read-only)	\??\E:	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened (read-only)	\??\J:	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened (read-only)	\??\L:	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened (read-only)	\??\O:	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened (read-only)	\??\W:	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.vir	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Uninstall.vir	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4588	cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cfa77e1bcda21bb364dbc5459791925d_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
567KB

MD5
6240c94a100f581d3dae1cf108d52762

SHA1
53b67a598ed03c656c82ce5b0a1d0782b7819fc0

SHA256
64c510e114dc2682e3a0ef9098fba56a36a0e9dab3187eee10fc640162085dbb

SHA512
45d7a99539f7ca0c6ee17455bb8a832e9b80d9ceb442565c6d702c56e245caa8e42240b3083db6669ebcd8c4088afdb8120e62fcbdff0d0b5caf0730c59b59d8

Download Submit
C:\Windows\SysWOW64\msiexec.vir

Filesize
202KB

MD5
893c547ab01ebf26d9a46c4bb6b9355f

SHA1
5ce473849e2e83b2221147220aa93b3542ecfffe

SHA256
507b6dc3476f44b544f3b79989a6af6da14b61ec08b09bfb1a3be70a9bed21d9

SHA512
04d9aadc2545ae46003ca8c8a10db70022bccb35db22e556c193c10a2b9dfcf849d6ca398c912678ebfa237ffd0de484866f8e24f3df2f1136bcb3ab2467d7db

Download Submit
memory/4588-0-0x0000000001000000-0x0000000001067000-memory.dmp

Filesize
412KB

Download
memory/4588-31-0x0000000001000000-0x0000000001067000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing