5aeced5a36b377c8e9c34cc2c16e3434f785390809c5416afa66b1f07733f36a

General

Target

fa0343ceede9c4d58f1d8ea374ec9572_JaffaCakes118.exe
Size

164KB
MD5

fa0343ceede9c4d58f1d8ea374ec9572
SHA1

2c69c8ad2d47e0867ed3402715f20a46ef8fc5be
SHA256

5aeced5a36b377c8e9c34cc2c16e3434f785390809c5416afa66b1f07733f36a
SHA512

a0534014cfd8c19517b4207414168f7cab287a9c16139fece3ba56d8485a96a7593935d799ccc0eef1de1d7aabac41ea2527bf76545ef7625b192776cc5d7270
SSDEEP

3072:s3+/zzdsyC7jA9vGMg1Obuqd6XZafyrlA24HObYy2YxQJ6EJEXBr:RdN4c9v8kn6pa65Ad4cYxlIE

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	fa0343ceede9c4d58f1d8ea374ec9572_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2632-12-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2632-14-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2668-15-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2668-73-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2084-75-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2084-76-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2668-181-0x0000000000400000-0x0000000000444000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa0343ceede9c4d58f1d8ea374ec9572_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa0343ceede9c4d58f1d8ea374ec9572_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa0343ceede9c4d58f1d8ea374ec9572_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2632	2668	fa0343ceede9c4d58f1d8ea374ec9572_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2632	2668	fa0343ceede9c4d58f1d8ea374ec9572_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2632	2668	fa0343ceede9c4d58f1d8ea374ec9572_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2632	2668	fa0343ceede9c4d58f1d8ea374ec9572_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2084	2668	fa0343ceede9c4d58f1d8ea374ec9572_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2084	2668	fa0343ceede9c4d58f1d8ea374ec9572_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2084	2668	fa0343ceede9c4d58f1d8ea374ec9572_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2084	2668	fa0343ceede9c4d58f1d8ea374ec9572_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\fa0343ceede9c4d58f1d8ea374ec9572_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa0343ceede9c4d58f1d8ea374ec9572_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\fa0343ceede9c4d58f1d8ea374ec9572_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fa0343ceede9c4d58f1d8ea374ec9572_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2632
- C:\Users\Admin\AppData\Local\Temp\fa0343ceede9c4d58f1d8ea374ec9572_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fa0343ceede9c4d58f1d8ea374ec9572_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\75B2.A2C

Filesize
1KB

MD5
2e38e05bfff2d0f7003f48f499cee530

SHA1
f3e756c548ca20c3bbd6516910dcc7ac5ec925f6

SHA256
19170bb30d2514238f91766785a3849d231b4005a3589dbfa7ee7f7177f7ed44

SHA512
5719b0357a7dbaf7b15be47ac51ca73a5123062b0f754641ce23b043402c4033af8be2df71960e5ea6e8f27556f06742794c50f0994b023a29fe451af32c686c

Download Submit
C:\Users\Admin\AppData\Roaming\75B2.A2C

Filesize
600B

MD5
93343b216097d3260f9b9be9a4163cb3

SHA1
837f83c0e6eaa29494c8ff8b5cccb98d4560fb2c

SHA256
3658dddbbc8a9e22675a32f7f49fcb7c4544f96075318699d52583e28896d2a0

SHA512
82a5a7d6780230306af8a971356456d32646e1b1e94e76236b60178a979de7cb1df0729859021304303545e13f73856d917a7c7871583c0abc65f552d3fc2280

Download Submit
C:\Users\Admin\AppData\Roaming\75B2.A2C

Filesize
996B

MD5
12d70e306f2999c39fc8e4ac9016208c

SHA1
3060d31a6b8634b7c05de0d54a7556355ed9cbd4

SHA256
f251853f444f529ff6639263ee845d788c0c6763e13606227267c2b8f7bdcc02

SHA512
1adef7a7e22340f87e2a3cecb0d20567abab85006c6beac3ac2e1e655987334baa67d9d43b6b79db638a00c9bb9539a4250d624ee59484301a3ea8d50ff4775e

Download Submit
memory/2084-75-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2084-76-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2632-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2632-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2632-14-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2668-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2668-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2668-73-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2668-181-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads