a049ef15af81082d52427d53bfaf45cdad2959833954b06c437fdc2f3545f3c0

General

Target

fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe
Size

185KB
MD5

fbd6db946429019d7020557a9e0061a7
SHA1

c6b586d299c139fe1e8ae58bb4167aef79c72d2b
SHA256

a049ef15af81082d52427d53bfaf45cdad2959833954b06c437fdc2f3545f3c0
SHA512

0035327a7736bf703098f3cfe8e6d7194f5d47464ba43aa9a6551a65c58c5fbdd3a43ad91ec38f5247d1eb8bf80fcb837ddf02e0462519b1620da4b9ff897025
SSDEEP

3072:Xgbr6MsRktSjArkKoBrGLBMIjjKVBRV1FgxK8f1IpkMKy82/92V7B9KhLXQ7EgeO:Ax3ScjuGeIjjQRVToK8f1Ipk3y82/U7W

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2768-2-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2820-5-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2820-7-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2768-15-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2108-84-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2768-141-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2768-176-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2820	2768	fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe	30
PID 2768 wrote to memory of 2820	2768	fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe	30
PID 2768 wrote to memory of 2820	2768	fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe	30
PID 2768 wrote to memory of 2820	2768	fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe	30
PID 2768 wrote to memory of 2108	2768	fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe	32
PID 2768 wrote to memory of 2108	2768	fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe	32
PID 2768 wrote to memory of 2108	2768	fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe	32
PID 2768 wrote to memory of 2108	2768	fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Users\Admin\AppData\Local\Temp\fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F7F3.C83

Filesize
1KB

MD5
1b98503ad4ea138e6a5f4368f4be57ae

SHA1
40007c6e017d28a65f1f68c72d0e5bfc7aa2f9ca

SHA256
c76e11f7f0b1a2db646f2185979d043a78ead13bc8572a03b65cc538a4515196

SHA512
4ff58d354fc74a817a51175097558f3d167b26462a742bc093c1da7e9d87db9b62f295988300fffc70cf6760c19e21ed3766b6a02f63f52bc9d08da803744fdb

Download Submit
C:\Users\Admin\AppData\Roaming\F7F3.C83

Filesize
600B

MD5
56bb8656b03b1ed50e03f276c2dd0e38

SHA1
265158d5b9f7ba525abcf5cf2c68bc9528b00dfe

SHA256
493d57ec76e20d182f874292a50a0e0ad3116fcaf12d8f608a13bc549bfbcbe6

SHA512
6d823843554e934f01598c5d3179b0b698892f4d4c057e4047ea7f3c7fa0da62b3044f4f3d27400a4832c04afffbd5374b334edc4981e9c97e648bd316b15087

Download Submit
C:\Users\Admin\AppData\Roaming\F7F3.C83

Filesize
996B

MD5
59316cbfdd3a8e5a8f99ad388ead3fec

SHA1
5dee09cbfb2d64cd655131a76dff07bef347c83b

SHA256
6112fc66a2b1d2f852d492db77d0ea8b4e3cdc83d6d21af5909456fec48c8ab4

SHA512
57aa2872b609996794ede07050c7baef76d2a6ca286eeebcd950403efba21b950f03b856992c2a5cf86c9486d148033911bed7fbabd7c318a9d4fb5473937f34

Download Submit
memory/2108-84-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2768-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2768-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2768-15-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2768-141-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2768-176-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2820-5-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2820-7-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads