96e9f5cb19fb2a1ad3e51178bcc8b073aa1ec3fdd75ca8a33f2b6c7e323f95b1

General

Target

db37519d8b807fec9fdbc4dfee6db337_JaffaCakes118.exe
Size

167KB
MD5

db37519d8b807fec9fdbc4dfee6db337
SHA1

c39ab34f4b17d207a23d5b241209d92f93ff8782
SHA256

96e9f5cb19fb2a1ad3e51178bcc8b073aa1ec3fdd75ca8a33f2b6c7e323f95b1
SHA512

3f2aa56e3b88ea52a92d3400efd5d11cce6c6abf3768f7ac7e9d5f354b700c6018ea05cecee39516bc3335b7ddab8e9ed5a8e0f7aa76899cd6f5e190265e8e62
SSDEEP

3072:0o/c4EeGvvo1erMZssloz5or9SHVOki70VzanLdsaZN:rEJvQtQ5orOZc0VzanLu

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2396-12-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2396-13-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1952-14-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1952-77-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2652-79-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1952-190-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	db37519d8b807fec9fdbc4dfee6db337_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db37519d8b807fec9fdbc4dfee6db337_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db37519d8b807fec9fdbc4dfee6db337_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db37519d8b807fec9fdbc4dfee6db337_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2396	1952	db37519d8b807fec9fdbc4dfee6db337_JaffaCakes118.exe	30
PID 1952 wrote to memory of 2396	1952	db37519d8b807fec9fdbc4dfee6db337_JaffaCakes118.exe	30
PID 1952 wrote to memory of 2396	1952	db37519d8b807fec9fdbc4dfee6db337_JaffaCakes118.exe	30
PID 1952 wrote to memory of 2396	1952	db37519d8b807fec9fdbc4dfee6db337_JaffaCakes118.exe	30
PID 1952 wrote to memory of 2652	1952	db37519d8b807fec9fdbc4dfee6db337_JaffaCakes118.exe	32
PID 1952 wrote to memory of 2652	1952	db37519d8b807fec9fdbc4dfee6db337_JaffaCakes118.exe	32
PID 1952 wrote to memory of 2652	1952	db37519d8b807fec9fdbc4dfee6db337_JaffaCakes118.exe	32
PID 1952 wrote to memory of 2652	1952	db37519d8b807fec9fdbc4dfee6db337_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\db37519d8b807fec9fdbc4dfee6db337_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\db37519d8b807fec9fdbc4dfee6db337_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\db37519d8b807fec9fdbc4dfee6db337_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\db37519d8b807fec9fdbc4dfee6db337_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2396
- C:\Users\Admin\AppData\Local\Temp\db37519d8b807fec9fdbc4dfee6db337_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\db37519d8b807fec9fdbc4dfee6db337_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5CA8.503

Filesize
600B

MD5
853a2143ac107700b6a2fe2d058b8435

SHA1
0d9f02fe9bf9f363d88cc3416eb0d84250166d04

SHA256
6152ebbf530599422954f05c224da76030e5a6ba38f80561863b66d4a43d0eaa

SHA512
2767e3881f9cfeb305e2c0dfa2113deb49fc3041ce3bf719fa1162e3a9466110919149d05dde91bbfcb503814374ff144838e41f4f202d32e59859827e09fe2b

Download Submit
C:\Users\Admin\AppData\Roaming\5CA8.503

Filesize
1KB

MD5
6b4bc1685b3bd6a951642b9e0be259a1

SHA1
835e607ba49375a7c65ad621656ed96a665a565f

SHA256
4bd69ed1993544a83205a6816df504eab5133e923e693aa299e1d5275cb999ba

SHA512
c2747806a339ab864c13ed4551e35827e754810478e5f9a5d75900ef404c40a7136f36152493db9cd627c5def4594bb8cbf124b75ce31d10c3e698ae6d50f1c2

Download Submit
memory/1952-1-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1952-2-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1952-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1952-77-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1952-190-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2396-12-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2396-13-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2652-79-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads