c95d187058c220ca764ccaacfe5519bc8e52b52f67a49735cb5f9df88473dbe9

General

Target

d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe
Size

165KB
MD5

d4df64204d626ac2b93c95809b6a6812
SHA1

110b0bcb0ee9d19dcef8527ebc79ee1a86a356cd
SHA256

c95d187058c220ca764ccaacfe5519bc8e52b52f67a49735cb5f9df88473dbe9
SHA512

e03a9afbfa3933006cc9c5cff77571550f5d4c0d0c9bd3f7c5fe4472c5817dee5b82aacc86d5907e7d69071a90d82a62c86e31b64b4ef049448f2becdd0de5f1
SSDEEP

3072:W0UIFat2RYIKlYeOvW/FPgxt69odYzMBRjQgnzYYXN6oT1AkZBuBLh:ausWKlWO/FYldYz8jQo6oT1xah

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2668-2-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2664-8-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2664-12-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2668-14-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2004-71-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2004-72-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2668-73-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2668-178-0x0000000000400000-0x0000000000445000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2664	2668	d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2664	2668	d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2664	2668	d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2664	2668	d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2004	2668	d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2004	2668	d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2004	2668	d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2004	2668	d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2664
- C:\Users\Admin\AppData\Local\Temp\d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2F09.0A1

Filesize
1KB

MD5
b0114303c6937542afc3d8f26310cc56

SHA1
771e3158195e9773789f3f240efc1a89410efea9

SHA256
1d29cfc646348bbd31ceca11dd9ffb7a381e14a9e0c80076a89829678fd546e7

SHA512
4acf3953ec1ec600bfbd0c708476a1b6e1001ed66f7f4f62897abf4399412fc0de52b60e7e9c1bf2a931bed80d3ccfc63963d12fe81a090e98fcd57b17323d60

Download Submit
C:\Users\Admin\AppData\Roaming\2F09.0A1

Filesize
600B

MD5
f3efba84e8b8d6ee13ef056d308c4efd

SHA1
09b582e75fc137197abf092a388311584f984ca3

SHA256
5c166267e21ec8b364d52eeb8cccc5e26a14a2446016e8e5461eb66e5ec8fc39

SHA512
07bfc19372e8fdfff853b46b230e8912b0316a26d5df428f7738926d9ade3cfccb9a1b432efe0901575426188623625dbbfac7a0066613e9541d9a027ecf769f

Download Submit
C:\Users\Admin\AppData\Roaming\2F09.0A1

Filesize
996B

MD5
27881061bae17471c268d81f265728ad

SHA1
91fe891bb5c4b7206cef01f35a3ffd6b8e1fb4f1

SHA256
64be00daeb257ddedfdae39a0988c798164e79b5eeddb5eddc1ac0e943c17310

SHA512
900c7d34049756461f15d97b9b993075f5810764fec9b3f8bb6de5f8305eb4dfeeedf7af87f55c599d88873e240bf48192228fd1afb22d04ed364df2df2fd487

Download Submit
memory/2004-71-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2004-72-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2664-8-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2664-12-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2668-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2668-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2668-14-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2668-73-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2668-178-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads