533020ef7182401d4cb5bdf8324f835a9e9edcb23b9a7f0485721cdcf58f532d

General

Target

faf8db027408575c7f6178890e2a9058_JaffaCakes118.exe
Size

125KB
MD5

faf8db027408575c7f6178890e2a9058
SHA1

e22dc27f9528adf96cad0039eaea83f5b1523510
SHA256

533020ef7182401d4cb5bdf8324f835a9e9edcb23b9a7f0485721cdcf58f532d
SHA512

c996edf150d3978d5dc65901e9c325818dc495d621d7ce286987c28b638a190d20f4494a8cd6b3c52be9b3b5da646ed51cb5da547ce0d234e2520860397122e3
SSDEEP

3072:zVvRYdan7my+GSIL++YATge3z+WW5v8Mlx:zVvSQn7HL+YkVn8ox

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	faf8db027408575c7f6178890e2a9058_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2232-2-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/1724-5-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/1724-6-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/2232-9-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/2232-75-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/2512-77-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/2512-79-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/2232-159-0x0000000000400000-0x0000000000432000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	faf8db027408575c7f6178890e2a9058_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	faf8db027408575c7f6178890e2a9058_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	faf8db027408575c7f6178890e2a9058_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1724	2232	faf8db027408575c7f6178890e2a9058_JaffaCakes118.exe	28
PID 2232 wrote to memory of 1724	2232	faf8db027408575c7f6178890e2a9058_JaffaCakes118.exe	28
PID 2232 wrote to memory of 1724	2232	faf8db027408575c7f6178890e2a9058_JaffaCakes118.exe	28
PID 2232 wrote to memory of 1724	2232	faf8db027408575c7f6178890e2a9058_JaffaCakes118.exe	28
PID 2232 wrote to memory of 2512	2232	faf8db027408575c7f6178890e2a9058_JaffaCakes118.exe	32
PID 2232 wrote to memory of 2512	2232	faf8db027408575c7f6178890e2a9058_JaffaCakes118.exe	32
PID 2232 wrote to memory of 2512	2232	faf8db027408575c7f6178890e2a9058_JaffaCakes118.exe	32
PID 2232 wrote to memory of 2512	2232	faf8db027408575c7f6178890e2a9058_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\faf8db027408575c7f6178890e2a9058_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\faf8db027408575c7f6178890e2a9058_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\faf8db027408575c7f6178890e2a9058_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\faf8db027408575c7f6178890e2a9058_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1724
- C:\Users\Admin\AppData\Local\Temp\faf8db027408575c7f6178890e2a9058_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\faf8db027408575c7f6178890e2a9058_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\49D4.42C

Filesize
300B

MD5
65f98f42073c6cd00ad9a7fecd59388a

SHA1
5330d3ef211342bf46b7b44941e5b0d09c405f8f

SHA256
33cbf10a0892b7c7ff1d5e48b333bdc70554c094a0167337c01222778cfa29be

SHA512
db174c8627d276dd85524439224d1e83b8e239bb9b4c67bcc5bcc5a7d71991e323389bac1f2a0347b22cdef5dbad2667ae181fcb7bdf7e218771faecc7929ef8

Download Submit
C:\Users\Admin\AppData\Roaming\49D4.42C

Filesize
1KB

MD5
23b5b34b16557f76da2533fc77e7d069

SHA1
f1f85b94edbeec621fa6fc8545328b82ae937ba7

SHA256
359006bba757a3feb51aef6614ed5fe612da7e4449bb18d6ce95f16ebfd6417b

SHA512
aee74af119490101722c98331c926e0438306a53a5ea215aec1aa1e44ea6bf29e31e77daf601a0019966a99f702a513b02d1ea298e2dccc1bf61aa3640ec0699

Download Submit
C:\Users\Admin\AppData\Roaming\49D4.42C

Filesize
696B

MD5
4cf9641b3bcf67ff455e2f9215803148

SHA1
2a2545ab915c63689bbee4af3ca645f0dcc45b1e

SHA256
387ee89d93168d7a7a1460d5d70e7a8246c120a37a9ea2930705cb7016d0cff3

SHA512
31e5d25ef8252db7a71be240216ba68753b1e6b8fc2cbd7855e442bbc37a9efdd13e619f4c508289519e7063744aea394cf1be155c608731fa62bf6fbfa5e8df

Download Submit
memory/1724-5-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1724-6-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2232-1-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2232-2-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2232-9-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2232-75-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2232-159-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2512-77-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2512-79-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads