06a4b038ae003e24842c9dfb2bbe12e79bf001c34a84c6686d6f5936a606126e

General

Target

eac429ca1d62c1eeba0892654f090c16_JaffaCakes118.exe
Size

586KB
MD5

eac429ca1d62c1eeba0892654f090c16
SHA1

0a511fa8428c3f18b1c08caf940ba5d8ba25fcd1
SHA256

06a4b038ae003e24842c9dfb2bbe12e79bf001c34a84c6686d6f5936a606126e
SHA512

5bbb90c0e70fd50153a7a0ef541ecacdef13ac735bf39983e1d8cc9b5a0441bd4a32e60d2b5815a54bb5b6dd2ada5e600df3382a6642ba692d0a22b04c366c53
SSDEEP

12288:KlSaGklFSnYZQjL+ohDCtbV016whSLyTbm2vgSGYg8niTSa4UDTkKPCEF4k:KpD4YZMLlYtJCfhYQvg/YgvH4UDY964k

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2256	PfK.exe

Loads dropped DLL 2 IoCs

pid	Process
1820	eac429ca1d62c1eeba0892654f090c16_JaffaCakes118.exe
1820	eac429ca1d62c1eeba0892654f090c16_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lghjfnfolmcikomdjmoiemllfnlmmoko\123\manifest.json	PfK.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lghjfnfolmcikomdjmoiemllfnlmmoko\123\manifest.json	PfK.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\lghjfnfolmcikomdjmoiemllfnlmmoko\123\manifest.json	PfK.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PfK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eac429ca1d62c1eeba0892654f090c16_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2256	1820	eac429ca1d62c1eeba0892654f090c16_JaffaCakes118.exe	28
PID 1820 wrote to memory of 2256	1820	eac429ca1d62c1eeba0892654f090c16_JaffaCakes118.exe	28
PID 1820 wrote to memory of 2256	1820	eac429ca1d62c1eeba0892654f090c16_JaffaCakes118.exe	28
PID 1820 wrote to memory of 2256	1820	eac429ca1d62c1eeba0892654f090c16_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\eac429ca1d62c1eeba0892654f090c16_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eac429ca1d62c1eeba0892654f090c16_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\56382817\PfK.exe
  "C:\Users\Admin\AppData\Local\Temp/56382817/PfK.exe"
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - System Location Discovery: System Language Discovery
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\56382817\PfK.dat

Filesize
1KB

MD5
000a75b29511b19aec2858f409e72a98

SHA1
034f67c5fefbf95a9b3789df3ead463c33e44440

SHA256
cb7a391390cf219f2dca8d14259d0527f630174f9d86e1b306d66d279059579c

SHA512
8a6bce4ccf8f15d724aa5628aa641f0d95bc8d1c85b615dfff3540df1a5ac2d042dbc5f15c860622c5a713c85ba7d462ae5e5c39a1b54bbe3aa4b7a12c9137c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\56382817\lghjfnfolmcikomdjmoiemllfnlmmoko\background.html

Filesize
141B

MD5
58ff55a5c2fd1b711f9b4602c22a89c3

SHA1
6998651019972db2ed20db053370fd2344d232b9

SHA256
ede8ce722543815ba505a35225c974005664209b58f5b7557e9e288506d99014

SHA512
bd1f677ee89b4b1b2dc0d82148e93b630c43dd541d9374cf95390093722fc6167c12d9cb27b9c25bc010f403ad7e5a3e21ac8b11f8d2cc858870123a2d7cdfd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\56382817\lghjfnfolmcikomdjmoiemllfnlmmoko\content.js

Filesize
4KB

MD5
a4f1554ffb094f35295c036c48f8372f

SHA1
623e977dc00591c3e725f3cc9b0c094e430978c8

SHA256
764e06233c180f6c6227c784f40458f3a4817725f42bcffb4691156068d642ea

SHA512
8cf361c5aa0fb6c9fc590c65b3ab344448667c50ca77336ec938ab0b3ae6bc058cf31aa542da8e39ff829459162782d08992326c5aba62a0a4c8eee2b5696c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\56382817\lghjfnfolmcikomdjmoiemllfnlmmoko\h6Ad.js

Filesize
24KB

MD5
bbea09e717fb778e9bb4476c46d35bfe

SHA1
3259367216aed213e4609294f64adc21c47a385b

SHA256
8a828a419fe57b3591923ef78ed4fb42a8ddc70c693e8ced184ff2a527c2d1ac

SHA512
a8157320c5b680ef9a959cbc552a524934620587686af8e6fa2321891d46932eb789744b7f2b097e0c266d1606815f7d3138364380790bf342b450e6fd458b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\56382817\lghjfnfolmcikomdjmoiemllfnlmmoko\lsdb.js

Filesize
5KB

MD5
59759c3cbc4c69998e787609c76239ca

SHA1
3e9a3378529201e22516859a08faf595ffda11cb

SHA256
68f9738f78ef5ae2161bf41c8ebed6cc3e28e836821389b0b2e7c77301d27504

SHA512
89f0407fa5c449cb8bc3f019875811d23809e1fa303eeb3ea4f8876d9ae8764808c7e824cbf3badf67b01df2783c82655de1fa41108e67d55cf0b8808e03967b

Download Submit
C:\Users\Admin\AppData\Local\Temp\56382817\lghjfnfolmcikomdjmoiemllfnlmmoko\manifest.json

Filesize
600B

MD5
6b428cca479efa361d7d23a132511b5c

SHA1
1fbe8449ad0d6a5909288ca1eddc0d5b798a2340

SHA256
297e3bdccd15f06b6160d78338928c04a69bf6579879cea36c8862d02bd6ef5c

SHA512
7fb5e0c59cfb44267a34912dee5e77012dc501c1b9819095714a4b85de021ea8d46994178155a3162412beffd57385c04c0976f4174aff5a1bc62d8174b98029

Download Submit
C:\Users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lghjfnfolmcikomdjmoiemllfnlmmoko\123\content.js

Filesize
4KB

MD5
33a02aada6dd3f8f47b1f0a0221e4fc4

SHA1
1bc903dfb18492d094d7cc18a5842382f204d282

SHA256
c229dc025f2011bbeb079920eb9325400488872927d634b8906f76e502b0a337

SHA512
4c03cbd11a028a8c06eccc73f7501c309b501b364c680bb0d482dcb5d40e93b34b6d539b28e7bf9aa99bc4a61df915fde1110c838621ec640a06681d942f0616

Download Submit
\Users\Admin\AppData\Local\Temp\56382817\PfK.exe

Filesize
409KB

MD5
ef38514253e4dafb6823f236bc47bb5f

SHA1
458a7dcb3c85cbe3c93eb7876fa0e6cd7e07f0f6

SHA256
4c1f4446576780b1d9ebd6f3cb653375aacfe3fd37e542ab4d4f3616db82475e

SHA512
853b8a5467d9c3800334807c0c0d558d4b42d201bb19927d10ab391d1ddad93abbbed8612f8d243362cfa2e0cb53f81610f68040db7ba554886b06fc6befe43f

Download Submit

Analysis

Sharing