4df7df904dd601aa9409745ac03eebb82af2b38e305d291c50daa08575fd4fd4

General

Target

f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe
Size

560KB
MD5

f63a59b6f4d36853de924dad804c6dab
SHA1

00073efc66f54bcf95c7de17d15939668e97a34b
SHA256

4df7df904dd601aa9409745ac03eebb82af2b38e305d291c50daa08575fd4fd4
SHA512

abcb86ae8f83af9276f0c73700631b9236fe08bebd9c0f1371b893609087afa1922007bef272667eb6e6770b8614f74ecabe8534e1521525604eb2e97fdab4b8
SSDEEP

12288:rTFmIDVPpBghDWVVWPU9RejrrwhtpNUuS1H0G2B:JWc9Rej/cUuZG2

Score

7^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2580	2272.exe
2812	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe

Loads dropped DLL 4 IoCs

pid	Process
768	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe
768	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe
768	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe
768	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Program Files (x86)\\system32.exe"	2272.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 768 set thread context of 2812	768	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	34

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\system32.exe	2272.exe
File opened for modification	C:\Program Files (x86)\system32.exe	2272.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2272.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	768	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 2236	768	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	30
PID 768 wrote to memory of 2236	768	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	30
PID 768 wrote to memory of 2236	768	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	30
PID 768 wrote to memory of 2236	768	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	30
PID 768 wrote to memory of 2580	768	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	32
PID 768 wrote to memory of 2580	768	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	32
PID 768 wrote to memory of 2580	768	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	32
PID 768 wrote to memory of 2580	768	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	32
PID 2236 wrote to memory of 2716	2236	csc.exe	33
PID 2236 wrote to memory of 2716	2236	csc.exe	33
PID 2236 wrote to memory of 2716	2236	csc.exe	33
PID 2236 wrote to memory of 2716	2236	csc.exe	33
PID 768 wrote to memory of 2812	768	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	34
PID 768 wrote to memory of 2812	768	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	34
PID 768 wrote to memory of 2812	768	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	34
PID 768 wrote to memory of 2812	768	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	34
PID 768 wrote to memory of 2812	768	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	34
PID 768 wrote to memory of 2812	768	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	34
PID 768 wrote to memory of 2812	768	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	34
PID 768 wrote to memory of 2812	768	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	34
PID 768 wrote to memory of 2812	768	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	34
PID 768 wrote to memory of 2812	768	f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:768
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iyx9dzfw.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA41D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA41C.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2716
- C:\Users\Admin\AppData\Local\Temp\2272.exe
  "C:\Users\Admin\AppData\Local\Temp\2272.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2580
- C:\Users\Admin\AppData\Roaming\f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe
  C:\Users\Admin\AppData\Roaming\f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

4

T1552

Credentials In Files

4

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\tasks[1].htm

Filesize
169B

MD5
5284f090ed518594cc757914607fd5a5

SHA1
0e7e26ee8dd9b41e454c603dd15db0b6e620a7dd

SHA256
da29a0ed68019f69c357a23ca395a913773cc09d65161e92ce71268731d3cd88

SHA512
72d119eec0b624b37833155b38f915b5fb95c43df2287a5db4be70557b7e1fa83da6bfc453b570a0eb07568b1829f24620ce1336954bc7415a37e70c83740d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA41D.tmp

Filesize
1KB

MD5
472bd7d4f362f1c1c766d37494680fab

SHA1
ab9449bbe6c1cebd32e7755b8f4e297a2ca31c16

SHA256
f84d2253ce80f3a759e5fd8ea056fecbb1a4943829d089bc108f9035de0a6fd5

SHA512
69c2eb3a32ff6a0d6e6d4f8ea1a539f98300573bea91431d9bd7cbe7871472819ddc64a921da9a7691194496f181d17d1e6c591e09aca30db7dc8a1c9cc80e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\iyx9dzfw.dll

Filesize
5KB

MD5
39aab1c3786e3858223400f2fb0e89d7

SHA1
760aecda26c01b11ee6cb680ade62dd2f66312cf

SHA256
1caa5e86fd3da87e8a3a1754d42d0428cd5e29a2c7ce119f4fbe057a676f2816

SHA512
454b93344e41e75cddc79d940eb7d30d0c385c42fbd8f1e02cca177294509016cea7b5876043a8c132e64cb4f838fff368246241df90a90ed8fe99475a818f29

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA41C.tmp

Filesize
652B

MD5
1c11010ed90d11034a7e17d557c22e0d

SHA1
2893e9c6b14b32d2d1ec7738659362ea86c84dbc

SHA256
e159ae42b3586cd7107fc1cc6b0770c7ba7113401cbcee84655da0ab1bae4d4f

SHA512
b94b5ab48b6ed05cd93731f59d011a9426d825b772dd156ab027c1d9610bad274a2eea30f3dae0d8e777b8343db9a78bbf2b03d4918129d1969ffffa678f1249

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iyx9dzfw.0.cs

Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iyx9dzfw.cmdline

Filesize
206B

MD5
1eb53d45dfbc6e29b4201ee7bea58220

SHA1
036144732989fe3fe02709dad4b620e43aa238f3

SHA256
fd91d866117685dfcd085cb9da4b41721a13512fe6f300185950d04ac97f630b

SHA512
96a68b50f0c25be8234d30988fdcc5cfeeef5af7f746a6edb897f819fbeb5b64cf84ea49fd3f179ef1f99859b3371dae4d950df82f6e17868d673276536dedf5

Download Submit
\Users\Admin\AppData\Local\Temp\2272.exe

Filesize
119KB

MD5
db7a53837d26194d1f3ea4f31c55546a

SHA1
c887dccc0f4310980b1fd5ea46f048cc2b7a4bf8

SHA256
376b4d5bd45fad1d5878b6ed4130562d078ba73f4e19a200b23d72aaa50cf35a

SHA512
d47e60b41c93a5c92b60c175f9e31a4cc75f1a0dc0cb3ffd709ace4cd38ec7fec99e5ba661fdb9ab4305aa3913318b06dc265d99ff7d59a6be23ba4c3c96cdab

Download Submit
\Users\Admin\AppData\Roaming\f63a59b6f4d36853de924dad804c6dab_JaffaCakes118.exe

Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
memory/768-50-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/768-2-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/768-0-0x0000000074651000-0x0000000074652000-memory.dmp

Filesize
4KB

Download
memory/768-1-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/2236-19-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/2236-26-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/2580-55-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2812-49-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2812-42-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2812-40-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2812-38-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2812-36-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2812-44-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2812-53-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2812-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2812-47-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads