b56307df423c2d43b1b3aefdd17305f6590c07cf71fe8ed7a9fe70a62f35b39f

General

Target

dfbce0bec667584d5f5ce99a1eb3ab04_JaffaCakes118.exe
Size

1.1MB
MD5

dfbce0bec667584d5f5ce99a1eb3ab04
SHA1

c7ba9a12f4583aa0ab344a8098181330caf1df50
SHA256

b56307df423c2d43b1b3aefdd17305f6590c07cf71fe8ed7a9fe70a62f35b39f
SHA512

705a901acf11ce869334d3dd8bd8daffa786a6276eb041dd106e4c445c79f9a0f8f244531f9ae4ebaad4f0769a6f6e8f3e19074a628fdae588894b13fb4e68ff
SSDEEP

24576:NykGfBrYqa2HX7lUXsX7Mjgn4VmqtrzCKcIs8VDKchf94:ok8B0OX78I7l4Vmm6AKch2

Score

7^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3340	928928.EXE
3052	927927.EXE
4624	926926.EXE
976	925925.EXE
4904	924924.EXE
1312	923923.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dfbce0bec667584d5f5ce99a1eb3ab04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	928928.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	927927.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	926926.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	925925.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	924924.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	924924.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	923923.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfbce0bec667584d5f5ce99a1eb3ab04_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	928928.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	927927.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	926926.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	925925.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 3340	2260	dfbce0bec667584d5f5ce99a1eb3ab04_JaffaCakes118.exe	83
PID 2260 wrote to memory of 3340	2260	dfbce0bec667584d5f5ce99a1eb3ab04_JaffaCakes118.exe	83
PID 2260 wrote to memory of 3340	2260	dfbce0bec667584d5f5ce99a1eb3ab04_JaffaCakes118.exe	83
PID 3340 wrote to memory of 3052	3340	928928.EXE	84
PID 3340 wrote to memory of 3052	3340	928928.EXE	84
PID 3340 wrote to memory of 3052	3340	928928.EXE	84
PID 3052 wrote to memory of 4624	3052	927927.EXE	85
PID 3052 wrote to memory of 4624	3052	927927.EXE	85
PID 3052 wrote to memory of 4624	3052	927927.EXE	85
PID 4624 wrote to memory of 976	4624	926926.EXE	86
PID 4624 wrote to memory of 976	4624	926926.EXE	86
PID 4624 wrote to memory of 976	4624	926926.EXE	86
PID 976 wrote to memory of 4904	976	925925.EXE	88
PID 976 wrote to memory of 4904	976	925925.EXE	88
PID 976 wrote to memory of 4904	976	925925.EXE	88
PID 4904 wrote to memory of 1312	4904	924924.EXE	90
PID 4904 wrote to memory of 1312	4904	924924.EXE	90
PID 4904 wrote to memory of 1312	4904	924924.EXE	90

C:\Users\Admin\AppData\Local\Temp\dfbce0bec667584d5f5ce99a1eb3ab04_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dfbce0bec667584d5f5ce99a1eb3ab04_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\928928.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\928928.EXE
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\927927.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\927927.EXE
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\926926.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\926926.EXE
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4624
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\925925.EXE
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\925925.EXE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:976
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\924924.EXE
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\924924.EXE
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\923923.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\923923.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

4

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\928928.EXE

Filesize
1.0MB

MD5
d66d88b5dd0256bc6a29b647a3c11cd2

SHA1
7420788c22f1694a077471fc3545c11f3b2537a6

SHA256
cf829d079af6dd8090e5ca1498ca06430b3c110b78d51746c1a41cdaa828e9d3

SHA512
8f2adbdc4876c04dde3ff251073282897136cd145f7c5aa4827cda31df06cb7507b564403fcfede9a267da959381073039922b2674cf6c53aece165ca6c3a22b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\927927.EXE

Filesize
928KB

MD5
9cb397a6891beb8eb1d81d70f2ff99c2

SHA1
85d94254218583d25d4bcff6c2985c19b10c5522

SHA256
5acbcf6ef2a47075ee02086f162e3444786854d559807d1035d5c05b9224fbff

SHA512
01191748a62728ddf16be3c779288955d4a7d4d7075f4577a1c12e342ecf065dee1706c1c85043f9b6778b1392ad076a8d37c803b9b77cf5b1bf776c075eba94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\926926.EXE

Filesize
823KB

MD5
2e366e651dc92d7d05b9c1a888418ea2

SHA1
2f01e9383d42e70657a11606be003afbbc16fbf9

SHA256
50668bade1797f47f9a69b6bc8425c17d5d769b73251eabf650ef64ba6969e87

SHA512
9d9c945d7bddb9ce403fe3492cfd21da290fb87fbb44f1a6f5f309474dce36d5f59fb9a5b65b2ccbfbe731afa8ab0c9ecbb7b0ed35a04cd66650ae9102a16f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\925925.EXE

Filesize
718KB

MD5
6b3d8fe55696d68f378eead12e1e4c44

SHA1
a1e637c2761957a7d77962ee0b4dfadcf76b87d9

SHA256
c24643e8f4705a7c579ba1c91661a980e435a5351d25adfe17c561b8b1ed983a

SHA512
aaaf05b88afbcad4a9e7c26143a2f09d654d29c1b6f9294e04a2005b084881e68311e3d69f3fdf48103296fe96e21ef206a9a9e7b40692c7669a25c7066c47bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\924924.EXE

Filesize
613KB

MD5
8fbfefea02c769df0e2f60b8c115a71d

SHA1
0dda6dab7d4aed7b08ef7e08a7b79de4d8637b70

SHA256
10132a213f8540699f7e978b68e634993740c8b266d49c13557d77c15e15d2e9

SHA512
7fe0e255a5253e71c0759f1f9a4ee1ec573182606d47eaa6ad76769688ef926678450b68f90e0865904111e31080f2ecb42060f474dfc2f5648b0e438581e70e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\923923.exe

Filesize
483KB

MD5
2c0c11f4108db83f6b6eab0d92440b83

SHA1
a20c8f54056f55c818c1862f5322501f89a35b62

SHA256
cce147fa7eb25b7d3b70daa553125eb58c9c03b7975269a3e50de19b1aca0c6e

SHA512
41349c6b9c84e44130b4d4c4f8548568965ab336dffcab53a4fd240f8406c233e3348009def4d387aa0004f5d513f4300bf1844ac7d1a81da622ff501a62e1cd

Download Submit
memory/1312-30-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1312-34-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads