1860d49a7a2e5943086033b3cf93408563f68aaa8ff1d6c22375d3e4e4463824

General

Target

f6d6757ea188fb6995fc32d1de17902a_JaffaCakes118.exe
Size

156KB
MD5

f6d6757ea188fb6995fc32d1de17902a
SHA1

656df2fa6fb0685c8c1615d51d2112f5052fc489
SHA256

1860d49a7a2e5943086033b3cf93408563f68aaa8ff1d6c22375d3e4e4463824
SHA512

6ce344446c7e513e33e95fcef49b6890706069512dffb0328e63bf2066969a25bed185672cc6ebf9d321cb52f53858b7fdbe63f9e92a31923a172a082a13ab97
SSDEEP

3072:D9CAHzyZ8j/sY9auxcQYLs78EbHzLErS4n/EBE/HsVv3f0jPfxtT:ZRzyijDauxcXL9EbH0lncksVUjP

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	f6d6757ea188fb6995fc32d1de17902a_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2352-2-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1248-5-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1248-6-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2352-14-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2352-77-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1516-79-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2352-192-0x0000000000400000-0x0000000000442000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6d6757ea188fb6995fc32d1de17902a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6d6757ea188fb6995fc32d1de17902a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6d6757ea188fb6995fc32d1de17902a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 1248	2352	f6d6757ea188fb6995fc32d1de17902a_JaffaCakes118.exe	30
PID 2352 wrote to memory of 1248	2352	f6d6757ea188fb6995fc32d1de17902a_JaffaCakes118.exe	30
PID 2352 wrote to memory of 1248	2352	f6d6757ea188fb6995fc32d1de17902a_JaffaCakes118.exe	30
PID 2352 wrote to memory of 1248	2352	f6d6757ea188fb6995fc32d1de17902a_JaffaCakes118.exe	30
PID 2352 wrote to memory of 1516	2352	f6d6757ea188fb6995fc32d1de17902a_JaffaCakes118.exe	33
PID 2352 wrote to memory of 1516	2352	f6d6757ea188fb6995fc32d1de17902a_JaffaCakes118.exe	33
PID 2352 wrote to memory of 1516	2352	f6d6757ea188fb6995fc32d1de17902a_JaffaCakes118.exe	33
PID 2352 wrote to memory of 1516	2352	f6d6757ea188fb6995fc32d1de17902a_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\f6d6757ea188fb6995fc32d1de17902a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6d6757ea188fb6995fc32d1de17902a_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\f6d6757ea188fb6995fc32d1de17902a_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f6d6757ea188fb6995fc32d1de17902a_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1248
- C:\Users\Admin\AppData\Local\Temp\f6d6757ea188fb6995fc32d1de17902a_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f6d6757ea188fb6995fc32d1de17902a_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5576.C18

Filesize
600B

MD5
61de1b654e092bd2f2d40d695c6da680

SHA1
8255d67f43554fe5a540134eed11998961bc47d4

SHA256
69cfff352f71b011a6e87540a130b48d6fdae7226e80c77177eb93cead4e84a5

SHA512
acc833004f35bdad30292a628d05083a78c1d80bd4bdf1cd4cfcaec41d394607fd59cd30e3c5df4d7eb88109f4275d84723abaf1362e7ce789c8bb20f5f67e5b

Download Submit
C:\Users\Admin\AppData\Roaming\5576.C18

Filesize
1KB

MD5
c9faf503bdd235bd0a399bade0ee8369

SHA1
5b015258b945d93d9dd2bac9c73d489d20ad2599

SHA256
5b740a07c15e96b7b0e4e274bff6a9d7a8d062fcfae52ba357ed849942800285

SHA512
4effe966d5d23b3d09afc77cbd52ea84659bea01297704695fecd29e67b3a945508d1de868ea6529a737ec8d0cf739a3f3233182de6c73ad207daa9e4d23b987

Download Submit
C:\Users\Admin\AppData\Roaming\5576.C18

Filesize
996B

MD5
d596a56bb553d135a952e57fdb826d8c

SHA1
52259a681f592eca3f2358c8ab2ca64979050972

SHA256
8ac7a71f6c6f286f7476c5603566eaa8889df13c3ba7393f290c0dccafb495b3

SHA512
f48dd8e7d27824455517a7d28ac3545c8399bdff52fc361d11920e63ce2945bc9f8bfe5bda79778ac330f206df0aa874c3c8cbb4288724ef275df5e3ea66668e

Download Submit
memory/1248-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1248-6-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1516-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2352-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2352-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2352-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2352-77-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2352-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads