e6fffaa62c9104dea538908099a00122da7151b0d614d6f88270df3e091988fb

General

Target

d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe
Size

152KB
MD5

d6e5818176c47b965f8287f7c8239d19
SHA1

c8d6a923c2efae5c7dad3026f2ce7b3f12950d3e
SHA256

e6fffaa62c9104dea538908099a00122da7151b0d614d6f88270df3e091988fb
SHA512

c0d79254254638902674e7f6bbf38e120f86fed99fb031e75bd65ec6a004ec98f3bf76749317b33017a9427f96f38cb45cc52c5554cbfca97f0f303460090fc4
SSDEEP

1536:RG3uieHXmXYiptXxmnQu8M7trSLgd7mRQG5B1pwlizWzbt5:guie3gvpBMnp57teLgd7mv5npwt5

Score

9^/10

credential_access persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{ar9u899e-et6W-748g-6yfV-vC85m8lZ1mr0}\ComponentID = "User Account Control"	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{ar9u899e-et6W-748g-6yfV-vC85m8lZ1mr0}\ = "Microsoft Windows"	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{ar9u899e-et6W-748g-6yfV-vC85m8lZ1mr0}	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{ar9u899e-et6W-748g-6yfV-vC85m8lZ1mr0}\stubpath = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows Firewall\\WIN32.exe"	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2948	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Drivers = "C:\\Temp\\Install\\svchost.exe"	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Drivers = "C:\\Temp\\Install\\svchost.exe"	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Drivers = "C:\\Temp\\Install\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Drivers = "C:\\Temp\\Install\\svchost.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2748	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe
2748	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2948	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2748	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe
2948	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2948	2748	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2948	2748	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2948	2748	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Temp\Install\svchost.exe
  "C:\Temp\Install\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\Install\svchost.exe

Filesize
152KB

MD5
d6e5818176c47b965f8287f7c8239d19

SHA1
c8d6a923c2efae5c7dad3026f2ce7b3f12950d3e

SHA256
e6fffaa62c9104dea538908099a00122da7151b0d614d6f88270df3e091988fb

SHA512
c0d79254254638902674e7f6bbf38e120f86fed99fb031e75bd65ec6a004ec98f3bf76749317b33017a9427f96f38cb45cc52c5554cbfca97f0f303460090fc4

Download Submit
memory/2748-0-0x000007FEF5DFE000-0x000007FEF5DFF000-memory.dmp

Filesize
4KB

Download
memory/2748-1-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/2748-2-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/2748-10-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/2748-18-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/2948-20-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/2948-19-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/2948-21-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads