38e25dd302152cc5a45f891eb8273eb1b4aabedeb9b8bb591f566c78477d54bf

General

Target

d2b3975bf6a42472df0bb919944ad8c7_JaffaCakes118.exe
Size

157KB
MD5

d2b3975bf6a42472df0bb919944ad8c7
SHA1

24a49073d7a4aeb3faf777d95742b13c26bd68f3
SHA256

38e25dd302152cc5a45f891eb8273eb1b4aabedeb9b8bb591f566c78477d54bf
SHA512

cdbe672459dfe91a12e59dff8dcb84fb152979ac70f25e76fbc7d4eb4d548a6ee6a0f61ecd9ebfc63287ba7dc94fda4e270d594a7820da1e2b8760f836690cf2
SSDEEP

3072:1TWrpuEVk7ErJEgdmMO9tmZFhsuJj2vNxyrBppLyi74Q/D:w9urQ1TIJCZvH8QrBplyw4Q

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1960-2-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2220-6-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2220-7-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1960-15-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2692-75-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1960-76-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1960-154-0x0000000000400000-0x0000000000442000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	d2b3975bf6a42472df0bb919944ad8c7_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2b3975bf6a42472df0bb919944ad8c7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2b3975bf6a42472df0bb919944ad8c7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2b3975bf6a42472df0bb919944ad8c7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2220	1960	d2b3975bf6a42472df0bb919944ad8c7_JaffaCakes118.exe	30
PID 1960 wrote to memory of 2220	1960	d2b3975bf6a42472df0bb919944ad8c7_JaffaCakes118.exe	30
PID 1960 wrote to memory of 2220	1960	d2b3975bf6a42472df0bb919944ad8c7_JaffaCakes118.exe	30
PID 1960 wrote to memory of 2220	1960	d2b3975bf6a42472df0bb919944ad8c7_JaffaCakes118.exe	30
PID 1960 wrote to memory of 2692	1960	d2b3975bf6a42472df0bb919944ad8c7_JaffaCakes118.exe	33
PID 1960 wrote to memory of 2692	1960	d2b3975bf6a42472df0bb919944ad8c7_JaffaCakes118.exe	33
PID 1960 wrote to memory of 2692	1960	d2b3975bf6a42472df0bb919944ad8c7_JaffaCakes118.exe	33
PID 1960 wrote to memory of 2692	1960	d2b3975bf6a42472df0bb919944ad8c7_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\d2b3975bf6a42472df0bb919944ad8c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d2b3975bf6a42472df0bb919944ad8c7_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\d2b3975bf6a42472df0bb919944ad8c7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d2b3975bf6a42472df0bb919944ad8c7_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2220
- C:\Users\Admin\AppData\Local\Temp\d2b3975bf6a42472df0bb919944ad8c7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d2b3975bf6a42472df0bb919944ad8c7_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D641.3C2

Filesize
1KB

MD5
c2a8f014d99468d703ac693960fe4730

SHA1
49e6f4336f4ecd9e5042a39ea21b36bc2799fe38

SHA256
5c9db87d015f80ad7ac029650adb6bcd4c9f54789d713ef781547de32618f650

SHA512
616572147bc53d4346b2950877e12b8509df67eaba6adf7f934a7e1fb8d103ad465df14679c71b58cdaaba9509aa14c65fe95503e1bb007c65f8e29ff60df4ba

Download Submit
C:\Users\Admin\AppData\Roaming\D641.3C2

Filesize
1KB

MD5
863480ea604071196927ca90a264889a

SHA1
05a4f409395ece2e5eb17b38d48e24656589e5c5

SHA256
200c0417c22f95d1ad7f7c2cfb33f7afc2c07ccb5f8a32a1d97f3d95858e4adc

SHA512
2719c3e7bf8e93fe64bc54d79eb4709b1d3387125a12fe8ce57aa2eec464b364b961e513fbcf4ed9b94bdc5449abc737365a7e71c4757aff0f5e8998f5b49828

Download Submit
C:\Users\Admin\AppData\Roaming\D641.3C2

Filesize
600B

MD5
0b2641e155cb4ec709455dfec2796ba4

SHA1
ec147e6de8e7336a48ce65ac627c95e0d87c84a7

SHA256
7eae37528fae04ae7b91296ca5a574d5663b001b81184cc7f3678b029a854805

SHA512
cc95c04cc06890acf903b75239a60671890b4a4692617badebd58887559300b78c3bdc5504c5412180f1af3799811b5ee67a4effc06ce3544443941a7a452736

Download Submit
memory/1960-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1960-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1960-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1960-76-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1960-154-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2220-6-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2220-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2220-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2692-75-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads