2e6720122888bbca4d7d9a52e2ff6576a1cd0b228e1e28bb2af95445cfaf48f4

General

Target

fd0269ca5f7b66eeb24bf3626e6cd738_JaffaCakes118.exe
Size

3.3MB
MD5

fd0269ca5f7b66eeb24bf3626e6cd738
SHA1

8d170f2efbd12612f020f2580058f156f673b874
SHA256

2e6720122888bbca4d7d9a52e2ff6576a1cd0b228e1e28bb2af95445cfaf48f4
SHA512

627349700d65a1d7c9d0510b2d23144695cf963016e3f9e791e3ad5160d6976f3f6c903f16f34c6f3b9bc1ef11f3792179d7b7dc65de01b1fbed76f4ff3992c3
SSDEEP

49152:Czsy4VsUGTzLUvmqEFKSmCIo5qOC8Ro4SdK5z9rGOT6ixTgFdT+6+jkgNoYs2imF:nzGTzLUOKw21Cz9rGC6ixk+Ljkp17

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2784	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd0269ca5f7b66eeb24bf3626e6cd738_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2784	svchost.exe
2784	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2784	1992	fd0269ca5f7b66eeb24bf3626e6cd738_JaffaCakes118.exe	30
PID 1992 wrote to memory of 2784	1992	fd0269ca5f7b66eeb24bf3626e6cd738_JaffaCakes118.exe	30
PID 1992 wrote to memory of 2784	1992	fd0269ca5f7b66eeb24bf3626e6cd738_JaffaCakes118.exe	30
PID 1992 wrote to memory of 2784	1992	fd0269ca5f7b66eeb24bf3626e6cd738_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\fd0269ca5f7b66eeb24bf3626e6cd738_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd0269ca5f7b66eeb24bf3626e6cd738_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1992
- C:\svchost.exe
  "C:\svchost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\svchost.exe

Filesize
3.1MB

MD5
029198ad184b5316c5f294817cc41011

SHA1
4aa0d4bf45b91d7773ae6446e6b9eb54348dbe1a

SHA256
354856d93fc3b5b6a8cf2a7f9ae99073797805033588ff7c4ed8495adc317b92

SHA512
bc5634128a0b1c6383ca2fba120a14507553dc184d9fb51cd4de8db02e50199b394bcc1cf6bf2309c1f0d241c52a247c0c86d1f814de0432099d1bd3b4ecd7df

Download Submit
C:\ts.dll

Filesize
3KB

MD5
ab62f36cc469c34fd1b86ebf3eb19aa3

SHA1
2a70b2793949c3aabbde738c60ece2c52b3f9445

SHA256
67d34ac4df536192e5529b1f98547180f225ef83ca810d087c8f0324324edfa7

SHA512
35f84161062f1d7cabbf069e2638819168da2993432566d1b369ed0fca82cafe884ea560fada129b6c4d629ef61bfbff2368d54c8dccd75416e65671e30733ee

Download Submit
C:\tv.dll

Filesize
96KB

MD5
16ea8b59f4ba4f5a61fe1b8cd6050c94

SHA1
d1b6f248a30595b05110c5b693d2c9a6a494c9cf

SHA256
531c7fe97c6825b0aa2298fda4d4da836cc4e6028a423b05c55bb6b3669aae5c

SHA512
5fb879e60a91743e6f58ee565dfe909a576bd4ea9061ee816746283086ea5df6f2a6bfb5178a99555b73fc86b50c6104bce79c5beec97eef1e7e23cd96c7ccd6

Download Submit
memory/1992-21-0x0000000003530000-0x00000000038A6000-memory.dmp

Filesize
3.5MB

Download
memory/1992-23-0x0000000003530000-0x00000000038A6000-memory.dmp

Filesize
3.5MB

Download
memory/1992-30-0x0000000000400000-0x000000000074C000-memory.dmp

Filesize
3.3MB

Download
memory/2784-27-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2784-25-0x0000000000400000-0x0000000000776000-memory.dmp

Filesize
3.5MB

Download
memory/2784-26-0x0000000000021000-0x0000000000022000-memory.dmp

Filesize
4KB

Download
memory/2784-31-0x0000000000021000-0x0000000000022000-memory.dmp

Filesize
4KB

Download
memory/2784-32-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2784-34-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2784-37-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2784-43-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2784-54-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2784-56-0x0000000000400000-0x0000000000776000-memory.dmp

Filesize
3.5MB

Download
memory/2784-61-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing