661af9b8d1ad3ab487f66239695a23444bc0099f8fdc32ce933c2822c784eb9c

General

Target

d02934288a0347468c3855ab277aeff8_JaffaCakes118.exe
Size

169KB
MD5

d02934288a0347468c3855ab277aeff8
SHA1

cc0f6b284104abd062d09c800fe9a9981a8be8a9
SHA256

661af9b8d1ad3ab487f66239695a23444bc0099f8fdc32ce933c2822c784eb9c
SHA512

300a383df8286dcb93f51d5b1638b9b41c03a57a622a3ddf5574d0c14989be9854c69c85cec0673dab27915910f07dc3e9fdeb883a2f187ae50bfa29dcf3b590
SSDEEP

3072:+0IPbWK3fZV4PnHeaMYEN5UtBIOdvbckMhandG5fzOarqZkyjlPWzeGD+0qSKX0:+0ITWK3ByPnzgUtZ1PO5bvrMjlceGD+G

Score

10^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\F2EC1\\DF004.exe"	d02934288a0347468c3855ab277aeff8_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2700-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1916-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2700-15-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2700-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2116-87-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2116-86-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2700-88-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2700-158-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2700-188-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d02934288a0347468c3855ab277aeff8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d02934288a0347468c3855ab277aeff8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d02934288a0347468c3855ab277aeff8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 1916	2700	d02934288a0347468c3855ab277aeff8_JaffaCakes118.exe	30
PID 2700 wrote to memory of 1916	2700	d02934288a0347468c3855ab277aeff8_JaffaCakes118.exe	30
PID 2700 wrote to memory of 1916	2700	d02934288a0347468c3855ab277aeff8_JaffaCakes118.exe	30
PID 2700 wrote to memory of 1916	2700	d02934288a0347468c3855ab277aeff8_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2116	2700	d02934288a0347468c3855ab277aeff8_JaffaCakes118.exe	32
PID 2700 wrote to memory of 2116	2700	d02934288a0347468c3855ab277aeff8_JaffaCakes118.exe	32
PID 2700 wrote to memory of 2116	2700	d02934288a0347468c3855ab277aeff8_JaffaCakes118.exe	32
PID 2700 wrote to memory of 2116	2700	d02934288a0347468c3855ab277aeff8_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\d02934288a0347468c3855ab277aeff8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d02934288a0347468c3855ab277aeff8_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\d02934288a0347468c3855ab277aeff8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d02934288a0347468c3855ab277aeff8_JaffaCakes118.exe startC:\Program Files (x86)\LP\04BF\4CE.exe%C:\Program Files (x86)\LP\04BF
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1916
- C:\Users\Admin\AppData\Local\Temp\d02934288a0347468c3855ab277aeff8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d02934288a0347468c3855ab277aeff8_JaffaCakes118.exe startC:\Program Files (x86)\C168D\lvvm.exe%C:\Program Files (x86)\C168D
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F2EC1\168D.2EC

Filesize
1KB

MD5
16d62448c31a75bc54b50f9abf5d45a6

SHA1
fd5ab011a76859ccb92b73f7077b099343ead7b2

SHA256
508f97be6e37c0dbc9cbd6437f4a070bd380491e70bbb1d6a2dc031d1f501d1c

SHA512
b955343c745b044f25a39f59d8de7806f0fdc27382615e4e0a33e8bf43042af68b2c6c821cc847d1f8917d525c5f34a6ad497b406e1b79984dc69ab0c8d2b9b4

Download Submit
C:\Users\Admin\AppData\Roaming\F2EC1\168D.2EC

Filesize
600B

MD5
5dcfa25558c4426e2aade528f50bef87

SHA1
12143e02abc6208cd1a1e7dcd154232a9a71a49c

SHA256
f085ac7402e5f82bccd08b38557a6228ecc67aadd7fc20a346e86fd634910be6

SHA512
ac334d1561778f8ef7ecabcf6a010ef97efe09699a707335fc92279aa878c8d024838c42809175f5cd36244ea8fc676f1c9b2805e956c206baaa4a1434c2432b

Download Submit
C:\Users\Admin\AppData\Roaming\F2EC1\168D.2EC

Filesize
996B

MD5
55c09b2c74f947552b652274c34c8fff

SHA1
ad393c4c5293a4d9c66d6d3e7ef23a5a5726b02f

SHA256
1e572de487efd3c272654f7991d29a3fa856b5fe9ef6ccfd81fac6ab7ee57f46

SHA512
7640978ce2ba3d315c3c2e71520675b4dde1f54d2ed932ceef7e52cd3418bf51d7251d367b9b3b865676000b2f7e13f4e154fe7984be52224c12b6734f4ca809

Download Submit
memory/1916-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1916-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2116-85-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2116-87-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2116-86-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2700-15-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2700-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2700-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2700-88-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2700-158-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2700-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2700-188-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads