e6fffaa62c9104dea538908099a00122da7151b0d614d6f88270df3e091988fb

General

Target

d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe
Size

152KB
MD5

d6e5818176c47b965f8287f7c8239d19
SHA1

c8d6a923c2efae5c7dad3026f2ce7b3f12950d3e
SHA256

e6fffaa62c9104dea538908099a00122da7151b0d614d6f88270df3e091988fb
SHA512

c0d79254254638902674e7f6bbf38e120f86fed99fb031e75bd65ec6a004ec98f3bf76749317b33017a9427f96f38cb45cc52c5554cbfca97f0f303460090fc4
SSDEEP

1536:RG3uieHXmXYiptXxmnQu8M7trSLgd7mRQG5B1pwlizWzbt5:guie3gvpBMnp57teLgd7mv5npwt5

Score

10^/10

credential_access persistence spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
legendkiller

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{ar9u899e-et6W-748g-6yfV-vC85m8lZ1mr0}	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{ar9u899e-et6W-748g-6yfV-vC85m8lZ1mr0}\stubpath = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows Firewall\\WIN32.exe"	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{ar9u899e-et6W-748g-6yfV-vC85m8lZ1mr0}\ComponentID = "User Account Control"	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{ar9u899e-et6W-748g-6yfV-vC85m8lZ1mr0}\ = "Microsoft Windows"	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2160	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Drivers = "C:\\Temp\\Install\\svchost.exe"	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Drivers = "C:\\Temp\\Install\\svchost.exe"	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Drivers = "C:\\Temp\\Install\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Drivers = "C:\\Temp\\Install\\svchost.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2656	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe
2656	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2160	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2656	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe
2160	svchost.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2160	2656	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe	89
PID 2656 wrote to memory of 2160	2656	d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d6e5818176c47b965f8287f7c8239d19_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Temp\Install\svchost.exe
  "C:\Temp\Install\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\Install\svchost.exe

Filesize
152KB

MD5
d6e5818176c47b965f8287f7c8239d19

SHA1
c8d6a923c2efae5c7dad3026f2ce7b3f12950d3e

SHA256
e6fffaa62c9104dea538908099a00122da7151b0d614d6f88270df3e091988fb

SHA512
c0d79254254638902674e7f6bbf38e120f86fed99fb031e75bd65ec6a004ec98f3bf76749317b33017a9427f96f38cb45cc52c5554cbfca97f0f303460090fc4

Download Submit
memory/2160-32-0x00007FFB876F0000-0x00007FFB88091000-memory.dmp

Filesize
9.6MB

Download
memory/2160-31-0x00007FFB876F0000-0x00007FFB88091000-memory.dmp

Filesize
9.6MB

Download
memory/2160-29-0x00007FFB876F0000-0x00007FFB88091000-memory.dmp

Filesize
9.6MB

Download
memory/2656-6-0x0000000001880000-0x0000000001888000-memory.dmp

Filesize
32KB

Download
memory/2656-5-0x00007FFB876F0000-0x00007FFB88091000-memory.dmp

Filesize
9.6MB

Download
memory/2656-0-0x00007FFB879A5000-0x00007FFB879A6000-memory.dmp

Filesize
4KB

Download
memory/2656-4-0x000000001C9A0000-0x000000001CA3C000-memory.dmp

Filesize
624KB

Download
memory/2656-13-0x00007FFB876F0000-0x00007FFB88091000-memory.dmp

Filesize
9.6MB

Download
memory/2656-15-0x00007FFB879A5000-0x00007FFB879A6000-memory.dmp

Filesize
4KB

Download
memory/2656-16-0x00007FFB876F0000-0x00007FFB88091000-memory.dmp

Filesize
9.6MB

Download
memory/2656-3-0x000000001C4D0000-0x000000001C99E000-memory.dmp

Filesize
4.8MB

Download
memory/2656-30-0x00007FFB876F0000-0x00007FFB88091000-memory.dmp

Filesize
9.6MB

Download
memory/2656-2-0x00007FFB876F0000-0x00007FFB88091000-memory.dmp

Filesize
9.6MB

Download
memory/2656-1-0x000000001BF50000-0x000000001BFF6000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads