f4cb229f2af77da399bd8bd1bbd60333d2249cd9de6b5b486fdb073eae01e3de

General

Target

dee0a1b3cb409433301f4fc9d112c85b_JaffaCakes118.exe
Size

189KB
MD5

dee0a1b3cb409433301f4fc9d112c85b
SHA1

7b252ca61e697409c1e51ad4d18ce4a3890c2b01
SHA256

f4cb229f2af77da399bd8bd1bbd60333d2249cd9de6b5b486fdb073eae01e3de
SHA512

830266e5024d9b832d65c46e34f2bfafd048d88a11ccb7b366b9aef6161d0b3b5221efe1951006251a911bd2fbd95829f7a1f3bc169db716be5f197af74b03d1
SSDEEP

3072:mJWrUa15ebgwib2MJDJ8s0qWm6vRa6B82DiN2ZHqscUQWAL4y5nIIWG:35eswibBDJ8s0qZ6Zv821HTQWvI

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2640-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2804-13-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2640-14-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2640-83-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2408-85-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2408-86-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2640-199-0x0000000000400000-0x000000000044B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	dee0a1b3cb409433301f4fc9d112c85b_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dee0a1b3cb409433301f4fc9d112c85b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2804	2640	dee0a1b3cb409433301f4fc9d112c85b_JaffaCakes118.exe	31
PID 2640 wrote to memory of 2804	2640	dee0a1b3cb409433301f4fc9d112c85b_JaffaCakes118.exe	31
PID 2640 wrote to memory of 2804	2640	dee0a1b3cb409433301f4fc9d112c85b_JaffaCakes118.exe	31
PID 2640 wrote to memory of 2804	2640	dee0a1b3cb409433301f4fc9d112c85b_JaffaCakes118.exe	31
PID 2640 wrote to memory of 2408	2640	dee0a1b3cb409433301f4fc9d112c85b_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2408	2640	dee0a1b3cb409433301f4fc9d112c85b_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2408	2640	dee0a1b3cb409433301f4fc9d112c85b_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2408	2640	dee0a1b3cb409433301f4fc9d112c85b_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\dee0a1b3cb409433301f4fc9d112c85b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dee0a1b3cb409433301f4fc9d112c85b_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\dee0a1b3cb409433301f4fc9d112c85b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\dee0a1b3cb409433301f4fc9d112c85b_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\dee0a1b3cb409433301f4fc9d112c85b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\dee0a1b3cb409433301f4fc9d112c85b_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\699E.ABE

Filesize
1KB

MD5
9a6965782e60e940943209329fe40fb1

SHA1
745a650c237fff332440e936efb8818d94d88ddf

SHA256
7bbd5caa8be22141cf53defcaa2fa9e03541691aee05e9b2d80aabcb95bf9ae4

SHA512
37776bceaeee9f0fab92b0e7abee46526abd0ed4483b04606370207573f61cdf7017dc011ce4e1eb45c9f14a062f5eb4e1597012de7824ddbce3798155af45d1

Download Submit
C:\Users\Admin\AppData\Roaming\699E.ABE

Filesize
600B

MD5
5a655061346cf7322f4313e9257b0e9c

SHA1
6f9fd9ac00abf45cab7ba0189805d7ffa65f51b0

SHA256
dc7ad3656ae914afb3a50e9883979a48d9281e0c52e79d519ea3d10746339ab7

SHA512
d7021261af50358e973503d4c3568f2b86a004ae03bd2a2a8e38b1766db264cd7de12191d6065ad3530588a27b786d836d5e22806aa30ef763a6112116330c0d

Download Submit
C:\Users\Admin\AppData\Roaming\699E.ABE

Filesize
1KB

MD5
18c15aebd467e886c1fee16d1822bc8d

SHA1
c33f2464a0cd7872dad7046b8040e3d04bf9d73f

SHA256
1212636f470f5aeaaa04910316d71178b7dfe6984c8a09ab8a0d4ad6344eac34

SHA512
73f65e0c995d08464c9b7040523eb07cf2e86121ae9d2f69a7d3552b70463cc9949b897edcb1d030038923a36c7f7ffe5a44739c8c3385a239c29ee97523fb51

Download Submit
C:\Users\Admin\AppData\Roaming\699E.ABE

Filesize
996B

MD5
1ad3c5791ec91db9e26b122d71d3277a

SHA1
38be9e375282850c36782a04ab18436493fe29b0

SHA256
f04f1a8bbe3ec27bdfb3d3c874ab0e33017840b0df6fc49f3fd9d9436ee159e5

SHA512
8473cf67fbafbfd78792ec3034dbea10a0c8c755ed58a722f68e3d356d9440d1b852a01fe9bf7093a0c92006717fbdaf4d44dc551e0ad7c9c90bb2b959913277

Download Submit
memory/2408-85-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2408-86-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2640-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2640-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2640-14-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2640-83-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2640-199-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2804-13-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads