10ab5580d79fa06cb32d623c891fd0ae6d1e648690788392e08b98ffa3d7906b

General

Target

d5a4b0263a511326fb1faf4f5ac1a17f_JaffaCakes118.exe
Size

158KB
MD5

d5a4b0263a511326fb1faf4f5ac1a17f
SHA1

1f5807acb52588f7807d673177c97f35b93accc9
SHA256

10ab5580d79fa06cb32d623c891fd0ae6d1e648690788392e08b98ffa3d7906b
SHA512

e8b623109714a1190eb580ed581653f723591abc51f4b3370fc09e9216557c51ed888012780d0276094a719555a335784b6f47ba1febb0347904a0387849fc2e
SSDEEP

3072:6F3gsMRrcx5t6iiOdPc1q/E/k16YNBnFP4Xe3DK6LyGtDtCYkL:2gTRrcztKik1ME/A6WXQ4DKACYkL

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2332-2-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1876-6-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1876-8-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2332-16-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2332-81-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/476-83-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/476-85-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2332-199-0x0000000000400000-0x0000000000442000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	d5a4b0263a511326fb1faf4f5ac1a17f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a4b0263a511326fb1faf4f5ac1a17f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a4b0263a511326fb1faf4f5ac1a17f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a4b0263a511326fb1faf4f5ac1a17f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 1876	2332	d5a4b0263a511326fb1faf4f5ac1a17f_JaffaCakes118.exe	31
PID 2332 wrote to memory of 1876	2332	d5a4b0263a511326fb1faf4f5ac1a17f_JaffaCakes118.exe	31
PID 2332 wrote to memory of 1876	2332	d5a4b0263a511326fb1faf4f5ac1a17f_JaffaCakes118.exe	31
PID 2332 wrote to memory of 1876	2332	d5a4b0263a511326fb1faf4f5ac1a17f_JaffaCakes118.exe	31
PID 2332 wrote to memory of 476	2332	d5a4b0263a511326fb1faf4f5ac1a17f_JaffaCakes118.exe	33
PID 2332 wrote to memory of 476	2332	d5a4b0263a511326fb1faf4f5ac1a17f_JaffaCakes118.exe	33
PID 2332 wrote to memory of 476	2332	d5a4b0263a511326fb1faf4f5ac1a17f_JaffaCakes118.exe	33
PID 2332 wrote to memory of 476	2332	d5a4b0263a511326fb1faf4f5ac1a17f_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\d5a4b0263a511326fb1faf4f5ac1a17f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d5a4b0263a511326fb1faf4f5ac1a17f_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\d5a4b0263a511326fb1faf4f5ac1a17f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d5a4b0263a511326fb1faf4f5ac1a17f_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1876
- C:\Users\Admin\AppData\Local\Temp\d5a4b0263a511326fb1faf4f5ac1a17f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d5a4b0263a511326fb1faf4f5ac1a17f_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1F4C.851

Filesize
1KB

MD5
c8b8835481db3cce2bf9ee6ae8b6fe23

SHA1
336a4ab032ff68f1f1d4662e8244427b8ae07a23

SHA256
4b277da0b0e4b78645d4565dd802742ded3789f62de88fc514b63abd8e05beef

SHA512
f1b8ddf532632458463dda5c2c5469258406ddce39d496c727fd74ae36340d17d0ca629bf8da71ff3d1a44f4cc1a01dce01c58d6525a62bffaf631f7f3edfbe3

Download Submit
C:\Users\Admin\AppData\Roaming\1F4C.851

Filesize
600B

MD5
955aebccdff4348a0934b69dd78d6ce0

SHA1
7f87315ea017542f222b643bff98bd2eee293929

SHA256
2c7f0230f0157ec0986262448f2ca4fabf1b8638bd801ad3a56dc5ab35941ce8

SHA512
1959aea3c02dce3f04e9d855ed325091b0b3e988c711f3488f14c1151bcdbf9c9a1998aa9bfd21abc5d426d263b0d21d4ad4889229e892fb786d7170657d8792

Download Submit
C:\Users\Admin\AppData\Roaming\1F4C.851

Filesize
996B

MD5
30bb783bf0644111767ddd0573b5464d

SHA1
46c358f9cd88667073032a3c06c5d5bb3722b2b8

SHA256
a9e5f151bb483d9395d02389377237f4cabf9199cb204a6b3c4ba89e6f123179

SHA512
4dcb0d8616ac924f7c5d64f7d84f935700bd7747d18cdddf937934fa34848e864f5790947394ab214c7f6f616a80af8ff482df2c2b27fcaf8c9409b1f127775e

Download Submit
memory/476-85-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/476-83-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1876-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1876-6-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1876-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2332-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2332-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2332-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2332-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2332-199-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads