8f1be4d249817876e6bbb833b24c8a052549578aa8d3c4d17f28dbdc5e548d19

General

Target

f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
Size

191KB
MD5

f982bb575ba66968c52bee025037085c
SHA1

e378fbbc27e03a6756ff6c31ca147f15b879f899
SHA256

8f1be4d249817876e6bbb833b24c8a052549578aa8d3c4d17f28dbdc5e548d19
SHA512

5032dd00e23ec8ba841f876d52188aecad197bb4986acea6d358593be8c03fca0542d7b529e04d20f26d42913707299c49bdd03a74e159305f23b9944b5c0482
SSDEEP

3072:n5eiXBEtdBcTBhbtjk0PiQWceVm7rSJDx6VxIo/YeylXe4dJM:oM2lEhbNjM7T0Vmo/slpq

Score

10^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	f982bb575ba66968c52bee025037085c_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2632-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2760-12-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2760-13-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2632-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2632-77-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2520-79-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2520-80-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2632-185-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f982bb575ba66968c52bee025037085c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2760	2632	f982bb575ba66968c52bee025037085c_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2760	2632	f982bb575ba66968c52bee025037085c_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2760	2632	f982bb575ba66968c52bee025037085c_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2760	2632	f982bb575ba66968c52bee025037085c_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2520	2632	f982bb575ba66968c52bee025037085c_JaffaCakes118.exe	32
PID 2632 wrote to memory of 2520	2632	f982bb575ba66968c52bee025037085c_JaffaCakes118.exe	32
PID 2632 wrote to memory of 2520	2632	f982bb575ba66968c52bee025037085c_JaffaCakes118.exe	32
PID 2632 wrote to memory of 2520	2632	f982bb575ba66968c52bee025037085c_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f982bb575ba66968c52bee025037085c_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Local\Temp\f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f982bb575ba66968c52bee025037085c_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\f982bb575ba66968c52bee025037085c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f982bb575ba66968c52bee025037085c_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2A30.C76

Filesize
1KB

MD5
177703220a4fbeb7ed7e797524adb4d5

SHA1
fd1be4942df131f37c4966de15827d896fe122a1

SHA256
0b34c2eb361de1f118f883547e1fd65c2a9c58195982a282f0985183904a28ef

SHA512
16029e3b74eadc889dc11416dfc49ba8b07bfdda0b75eb6088cb2c9cea57aa9a74ebe13d02ba6b222a57c4c240ca7d67103fba2967f5001d06c352c68cc9eafa

Download Submit
C:\Users\Admin\AppData\Roaming\2A30.C76

Filesize
1KB

MD5
aa494d75ef91343c5ddf8b8060657468

SHA1
fc55fde27ae4d680c6f819c95f58d1b1a0a7dffa

SHA256
7dba3bc58f6381cd166a9522b870d27ad971d8955e4a1f731d6dc6c9bc4f097e

SHA512
d54eb77d15323420814cb9308e6c6e505fb81bc2a5ef649674020fb8ee62ae2e9ce4067ac8d0f29d8b090b135ece381b789aafb213c6d50a02ff6424bfbdb2d0

Download Submit
C:\Users\Admin\AppData\Roaming\2A30.C76

Filesize
600B

MD5
7051c6a230bb18f634e05275290c81b2

SHA1
2ae6c1b7612d1f3220570c50ca5424e55b255133

SHA256
a6ad1c397a0479ea44024c5d59ce8224ffaf72b1c4ba415e363c152355120642

SHA512
8d4d0df6096291077be88fcf05792bb2342843ca442c6fe3727ced70feacf91d7cb726cc57f2118fb28bc7464b0d7027d600bb376da69c5be717fe509c9e076d

Download Submit
C:\Users\Admin\AppData\Roaming\2A30.C76

Filesize
996B

MD5
9e1f152b29c4b077269b591ec878f771

SHA1
768b5e5f05d40b48138d3f6414c5495ce3d90dfb

SHA256
2f8180e60bb4ed21716f0ebbc8b2e0feb3f066670ffad2c93467407e6c3842ec

SHA512
a093b986c4cbac71edd6c51bc75f57d76bee8794a261cfcae360a5885c978009434e86704929c28c2ff7e515a6899e049b8aaa92446cf410561d74c2326d05ed

Download Submit
memory/2520-79-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2520-80-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2632-77-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2632-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2632-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2632-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2632-185-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2760-13-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2760-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads