744e16486aa2f465f3ddf84467411f7c38df8b14738ac0d0683fa313a1ad7c36

General

Target

d61c61e8237413ed3aca5aba18b64969_JaffaCakes118.exe
Size

351KB
MD5

d61c61e8237413ed3aca5aba18b64969
SHA1

3fb3b97b945b05ad2f50005189d165564cf8a3f5
SHA256

744e16486aa2f465f3ddf84467411f7c38df8b14738ac0d0683fa313a1ad7c36
SHA512

6000aded115ba6982049c41c3153261eff0874f7dc3e4321db36f7a077859d7bf43a375b23e8dd351a8c455f03e388a495d01bdc9afa9fc125dc2732063178c2
SSDEEP

6144:Cf27lmIyC0SSDODW8+DhoH+SI0Hj8kBSrH89QCwXJpUWViPJ4I082dx:mGlRRlSJloesj8k0rH89r6sWMP2h8ux

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000400000001e342-7.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2884	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3876-0-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/files/0x000400000001e342-7.dat	upx
behavioral2/memory/2884-9-0x0000000010000000-0x0000000010086000-memory.dmp	upx
behavioral2/memory/3876-10-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2884-14-0x0000000010000000-0x0000000010086000-memory.dmp	upx
behavioral2/memory/2884-26-0x0000000010000000-0x0000000010086000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSIDLL = "C:\\Windows\\SysWOW64\\rundll32.exe msijfm32.dll,UvsQtZjmOzBh"	d61c61e8237413ed3aca5aba18b64969_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msijfm32.dll	d61c61e8237413ed3aca5aba18b64969_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msijfm32.dll	d61c61e8237413ed3aca5aba18b64969_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
112	3876	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d61c61e8237413ed3aca5aba18b64969_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3876	d61c61e8237413ed3aca5aba18b64969_JaffaCakes118.exe
3876	d61c61e8237413ed3aca5aba18b64969_JaffaCakes118.exe
3876	d61c61e8237413ed3aca5aba18b64969_JaffaCakes118.exe
3876	d61c61e8237413ed3aca5aba18b64969_JaffaCakes118.exe
3876	d61c61e8237413ed3aca5aba18b64969_JaffaCakes118.exe
3876	d61c61e8237413ed3aca5aba18b64969_JaffaCakes118.exe
3876	d61c61e8237413ed3aca5aba18b64969_JaffaCakes118.exe
3876	d61c61e8237413ed3aca5aba18b64969_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 2884	3876	d61c61e8237413ed3aca5aba18b64969_JaffaCakes118.exe	87
PID 3876 wrote to memory of 2884	3876	d61c61e8237413ed3aca5aba18b64969_JaffaCakes118.exe	87
PID 3876 wrote to memory of 2884	3876	d61c61e8237413ed3aca5aba18b64969_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\d61c61e8237413ed3aca5aba18b64969_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d61c61e8237413ed3aca5aba18b64969_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\SysWOW64\rundll32.exe msijfm32.dll,UvsQtZjmOzBh
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 664
  2⤵
  - Program crash
  PID:112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3876 -ip 3876
1⤵
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msijfm32.dll

Filesize
172KB

MD5
bf881352dcba25e33757b6412d55b37c

SHA1
12a5c281d8640b062d4fe1c4a9f9865de50deada

SHA256
7ef4680c3a252b11ffff756967f1bd5ab3234be4c435b1cafb73037b7062f510

SHA512
8bc76f1350f3cfb929a7fcb6804f05291e65d35e2b3f612b6a823cf2d2ee8fd797f49298aa83e10d6e13b5d7f7fed75e22fe62b580257f0ecb6c5944e2d72af3

Download Submit
memory/2884-26-0x0000000010000000-0x0000000010086000-memory.dmp

Filesize
536KB

Download
memory/2884-14-0x0000000010000000-0x0000000010086000-memory.dmp

Filesize
536KB

Download
memory/2884-9-0x0000000010000000-0x0000000010086000-memory.dmp

Filesize
536KB

Download
memory/3876-4-0x00000000028E0000-0x0000000002966000-memory.dmp

Filesize
536KB

Download
memory/3876-6-0x00000000028E0000-0x0000000002966000-memory.dmp

Filesize
536KB

Download
memory/3876-2-0x00000000028E0000-0x0000000002966000-memory.dmp

Filesize
536KB

Download
memory/3876-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3876-10-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3876-11-0x0000000002190000-0x00000000021EA000-memory.dmp

Filesize
360KB

Download
memory/3876-12-0x00000000028E0000-0x0000000002966000-memory.dmp

Filesize
536KB

Download
memory/3876-3-0x00000000028E0000-0x0000000002966000-memory.dmp

Filesize
536KB

Download
memory/3876-1-0x0000000002190000-0x00000000021EA000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads