b51b99f129a3af375b9a9a2642dbbbc923b8c12c9d10c54bb7e63b558e6225c6

General

Target

ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe
Size

183KB
MD5

ee7750d73d8ec95d491f1fbc49cb7d9c
SHA1

3b13140716d7614d8bf3c037038327205f7789e1
SHA256

b51b99f129a3af375b9a9a2642dbbbc923b8c12c9d10c54bb7e63b558e6225c6
SHA512

e9fe3023c8ccd59f84824dea524d732cb62f38a2e7f3edde436d8585a44a77cf8002355c4981737c0ff98656b90df6f703042cee044d28840c1fc92c282d5a4f
SSDEEP

3072:H//rqUS66P1aJJPFvgFxAkjuqxJX2hSq2XGGddnxAJFi+BYHJx305kZSL3:fOUS66PAlJgbAkCqxJF1BdnLdx3055

Score

10^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/780-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/576-12-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/576-13-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/576-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/780-16-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/780-77-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2580-81-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2580-80-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/780-184-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 576	780	ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe	31
PID 780 wrote to memory of 576	780	ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe	31
PID 780 wrote to memory of 576	780	ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe	31
PID 780 wrote to memory of 576	780	ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe	31
PID 780 wrote to memory of 2580	780	ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe	33
PID 780 wrote to memory of 2580	780	ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe	33
PID 780 wrote to memory of 2580	780	ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe	33
PID 780 wrote to memory of 2580	780	ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\Temp\ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:576
- C:\Users\Admin\AppData\Local\Temp\ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\535F.9CB

Filesize
1KB

MD5
05a7ca7d4722d2d3cd4d9acbbcd4f641

SHA1
566f7ebc8c642c6be742791368a50529aeac8a6a

SHA256
903614ecb694d5031802265336ef6e79dfe306f8b47bbaf44239f3a7bb623946

SHA512
4f0d1bea5f9fa72c45984a958a3f209383e0d43922545aa20d54492f2e3a3b9aead4fcfb12b45067e164bf2eb34f24ea8ad5e5c5a0f1b4e5d59f13dd12b12878

Download Submit
C:\Users\Admin\AppData\Roaming\535F.9CB

Filesize
600B

MD5
9ea081b394bffe860205dc32298a69f9

SHA1
720bafccaa3ec2c245931b8b564a7f13cbf30e21

SHA256
41cf1d179b31d0cc0cdb9b95842ad7f33bedfbec95db1dcfa9b37b8f064142d7

SHA512
3c914ed3ded619534d9abc3735c59c33c9803906210122691c97a3b59f7fc83a021cf4ca6d376d1b89318be0e1717b5343341ccf13f2bb00e66930ea1471a91c

Download Submit
C:\Users\Admin\AppData\Roaming\535F.9CB

Filesize
996B

MD5
c8f0eb9960d5d75bc1e70ae38e4cb77a

SHA1
535a52718af33055c45c4cae486e971e1dd9496b

SHA256
9bda72c11ef4b303854ed2e53e2c22345766cd525fbd268d03434a6775a10aa2

SHA512
165823eff866fcb3911969a14587c8f8c361c9fcaafb5386fc960c38dfec9a3b186a69dd9c7b30d11918ffee81a417d193599986a9a65dbd487cedf324ec693c

Download Submit
memory/576-13-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/576-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/576-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/780-16-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/780-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/780-77-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/780-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/780-184-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2580-81-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2580-80-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads