ed0eea95deff05ebcc0d8365ebb50de8079c287b388adfd3593e21fbe5585fe8

General

Target

ebdafddf0e3e0e943015f856a95c4496_JaffaCakes118.exe
Size

949KB
MD5

ebdafddf0e3e0e943015f856a95c4496
SHA1

166713b75e645432bc59a95894cf68bb4022b0e6
SHA256

ed0eea95deff05ebcc0d8365ebb50de8079c287b388adfd3593e21fbe5585fe8
SHA512

d19a941da96be1d9ef3e2759655a10fd457835ddd452eb3258264d5539a5286bd851886fa52a187b8fcee16841bc4aa87a4920b1c44115ac2913f9a4c49ba0bf
SSDEEP

12288:jTJc8ZqtVOXenNQaeRJLKP1sYBlYWf81N2KkEu1jjcbpoxvDU4fg8MZUC:jXqtVOiNXe6PGYlY6u5UjGpoxvAZUC

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	ebdafddf0e3e0e943015f856a95c4496_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
324	MPQEditor.exe
3712	pinch3.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebdafddf0e3e0e943015f856a95c4496_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MPQEditor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pinch3.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpq	MPQEditor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpq\ = "mpqfile"	MPQEditor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpqfile\shell	MPQEditor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\MPQEditor.exe\shell\FriendlyCache = "Ladik's MPQ Editor"	MPQEditor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\MPQEditor.exe\shell	MPQEditor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpqfile\DefaultIcon	MPQEditor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mpqfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPQEditor.exe,0"	MPQEditor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpqfile\shell\open\command	MPQEditor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mpqfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\MPQEditor.exe\" \"%1\""	MPQEditor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	MPQEditor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\MPQEditor.exe	MPQEditor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpqfile	MPQEditor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpqfile\shell\open	MPQEditor.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3712	pinch3.exe
3712	pinch3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3712	pinch3.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
324	MPQEditor.exe
324	MPQEditor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 324	4072	ebdafddf0e3e0e943015f856a95c4496_JaffaCakes118.exe	86
PID 4072 wrote to memory of 324	4072	ebdafddf0e3e0e943015f856a95c4496_JaffaCakes118.exe	86
PID 4072 wrote to memory of 324	4072	ebdafddf0e3e0e943015f856a95c4496_JaffaCakes118.exe	86
PID 4072 wrote to memory of 3712	4072	ebdafddf0e3e0e943015f856a95c4496_JaffaCakes118.exe	87
PID 4072 wrote to memory of 3712	4072	ebdafddf0e3e0e943015f856a95c4496_JaffaCakes118.exe	87
PID 4072 wrote to memory of 3712	4072	ebdafddf0e3e0e943015f856a95c4496_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\ebdafddf0e3e0e943015f856a95c4496_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ebdafddf0e3e0e943015f856a95c4496_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Users\Admin\AppData\Local\Temp\MPQEditor.exe
  "C:\Users\Admin\AppData\Local\Temp\MPQEditor.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:324
- C:\Users\Admin\AppData\Local\Temp\pinch3.exe
  "C:\Users\Admin\AppData\Local\Temp\pinch3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MPQEditor.exe

Filesize
916KB

MD5
1fc8a3367df99ebe15e3674fbd2780ae

SHA1
ce29cac5d7e0ad0ced0b26cc14087e6252ef67be

SHA256
e0abdb8ee18457cd5fc7b4290b9487d026e5d7870d614e035553e93c3ddeee51

SHA512
e69a4e19ab6e91ff69dfa4492807badd0e29bb40ecf92d9cd6d975b926517d593901f21b26c82ebbaa5c961b99272b3471363be8db19e2d3ab9a1d301e07dba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pinch3.exe

Filesize
31KB

MD5
a13e5916b21dcd61b76a8d71f91941a5

SHA1
34858fb4dbd2d2d236323f0bbb1037bc6ab17526

SHA256
fe1eae6aba248cbb073904cd3416771b467114339c3d95ff3f4084fa57c54752

SHA512
29d6e5bbc1cdd30110e5f2c21a21c2733f620c72570a4c2dc3d58a97639aef3e59dd32f142eb0d8b6d0204e4e94c6c890e39377082f619ec94fcac111b923267

Download Submit
memory/3712-20-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3712-19-0x0000000013140000-0x0000000013184000-memory.dmp

Filesize
272KB

Download
memory/3712-21-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3712-22-0x0000000013140000-0x0000000013184000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing