d62b217aaeb2031746dab59a853839ba8efbb307dcf5800e0b2a53bb4b91d179

General

Target

d347ed21b17e96a5de6f2b523c58e65f_JaffaCakes118.exe
Size

157KB
MD5

d347ed21b17e96a5de6f2b523c58e65f
SHA1

8ea2c6db99703d12a35dbf006e8267e80f64283a
SHA256

d62b217aaeb2031746dab59a853839ba8efbb307dcf5800e0b2a53bb4b91d179
SHA512

66724d3855875f1452988943b0e798a6fd55fbff001ff768501efe35449cf9c001b4dbc6ccffc5abf50c2f1321f59f013b598c344d8e042ff447aeaadee555bd
SSDEEP

3072:YT3pidu3egrYwCimEkoeQ03EVqvpKG4dLqI+23pozxL6J6R:YTsYKwZmMXBYvp28I+23Cz0g

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2880-2-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2720-5-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2880-13-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2224-78-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2880-146-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2880-188-0x0000000000400000-0x0000000000442000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	d347ed21b17e96a5de6f2b523c58e65f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d347ed21b17e96a5de6f2b523c58e65f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d347ed21b17e96a5de6f2b523c58e65f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d347ed21b17e96a5de6f2b523c58e65f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2720	2880	d347ed21b17e96a5de6f2b523c58e65f_JaffaCakes118.exe	30
PID 2880 wrote to memory of 2720	2880	d347ed21b17e96a5de6f2b523c58e65f_JaffaCakes118.exe	30
PID 2880 wrote to memory of 2720	2880	d347ed21b17e96a5de6f2b523c58e65f_JaffaCakes118.exe	30
PID 2880 wrote to memory of 2720	2880	d347ed21b17e96a5de6f2b523c58e65f_JaffaCakes118.exe	30
PID 2880 wrote to memory of 2224	2880	d347ed21b17e96a5de6f2b523c58e65f_JaffaCakes118.exe	32
PID 2880 wrote to memory of 2224	2880	d347ed21b17e96a5de6f2b523c58e65f_JaffaCakes118.exe	32
PID 2880 wrote to memory of 2224	2880	d347ed21b17e96a5de6f2b523c58e65f_JaffaCakes118.exe	32
PID 2880 wrote to memory of 2224	2880	d347ed21b17e96a5de6f2b523c58e65f_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\d347ed21b17e96a5de6f2b523c58e65f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d347ed21b17e96a5de6f2b523c58e65f_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\d347ed21b17e96a5de6f2b523c58e65f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d347ed21b17e96a5de6f2b523c58e65f_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\d347ed21b17e96a5de6f2b523c58e65f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d347ed21b17e96a5de6f2b523c58e65f_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\9E53.6BC

Filesize
1KB

MD5
0e985c2238448880bc7d0d35162f9ae8

SHA1
d1a2cd2b8f890725476c7961f1f69124a5972d52

SHA256
d84c591d39ff82022f263d22f59bc84f3a49428a24def3674cd6ece5648d83e8

SHA512
4fdb70c24d88e9191e49b3036c858ce97b8d8f4d72ddc1616a35db372c6191170d16a255613891dc380e511a6fb83ad3780262aed6e0fc38b94abba475fff3ae

Download Submit
C:\Users\Admin\AppData\Roaming\9E53.6BC

Filesize
600B

MD5
93c1552ee48fd1f1e253995c82ae396e

SHA1
6ab82ec79f437d676b5da01c048798b46d4f1ad1

SHA256
774d6bd6ee7a8aeed4a92110fbc4bbfb0002ab5e10b30f210ce3cd58c76f4d10

SHA512
a7b5a86f77c108c557f2cd3cd3eb9b4f617ab8932cf986c42572b58cbbed760826cfae43ff8c5d2399c6cb3d2aea0ab89e5859dec67459fdf82d9c4f6b2c0428

Download Submit
C:\Users\Admin\AppData\Roaming\9E53.6BC

Filesize
996B

MD5
af50498f43acb504b5c5534ae49f7397

SHA1
48a1b2a62e8a92197f2f358b178ab8432cc30c77

SHA256
ef58e1db5b289ce9638d2c243e102e9454c7cf6da9b52f98c998c3d6ee02a19e

SHA512
248c9de55dfee2ee79987b8b92afb4d2c18fdf1891a13cfe4a406fe09f95ece072ae2cc9b1bbdbeb093135b97382438e2521d19eb196ea59a0e7359ecff34408

Download Submit
memory/2224-78-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2720-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2880-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2880-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2880-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2880-146-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2880-188-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads