6fa2993aa58c16b1bbe6bd87a86ebc9dff405c434e868634a9a24c80c6abe775

General

Target

03d04e78ec80f834687886e0675c80ad_JaffaCakes118.exe
Size

94KB
MD5

03d04e78ec80f834687886e0675c80ad
SHA1

eab23525d5625fcf43190ae4439dcfcc927353e7
SHA256

6fa2993aa58c16b1bbe6bd87a86ebc9dff405c434e868634a9a24c80c6abe775
SHA512

ae406245cc4b747ec10443cae0e5add6bb8fe85698df41b4c94568206a8074ea87a37b3994bf5d5d1966ef63cc6eb5e27397a20eab2d670c2733cc22710b2a23
SSDEEP

1536:enoUTdRe5qqleFV0b3m0xXPdsWdQwodJeYNEA75ntjAjXOOSncUZaseeojILSZK+:enzTdR7qle4a0x+WAsYVBZAj+7fUhezB

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe"	03d04e78ec80f834687886e0675c80ad_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03d04e78ec80f834687886e0675c80ad_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03d04e78ec80f834687886e0675c80ad_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03d04e78ec80f834687886e0675c80ad_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1852	2108	03d04e78ec80f834687886e0675c80ad_JaffaCakes118.exe	30
PID 2108 wrote to memory of 1852	2108	03d04e78ec80f834687886e0675c80ad_JaffaCakes118.exe	30
PID 2108 wrote to memory of 1852	2108	03d04e78ec80f834687886e0675c80ad_JaffaCakes118.exe	30
PID 2108 wrote to memory of 1852	2108	03d04e78ec80f834687886e0675c80ad_JaffaCakes118.exe	30
PID 2108 wrote to memory of 2276	2108	03d04e78ec80f834687886e0675c80ad_JaffaCakes118.exe	33
PID 2108 wrote to memory of 2276	2108	03d04e78ec80f834687886e0675c80ad_JaffaCakes118.exe	33
PID 2108 wrote to memory of 2276	2108	03d04e78ec80f834687886e0675c80ad_JaffaCakes118.exe	33
PID 2108 wrote to memory of 2276	2108	03d04e78ec80f834687886e0675c80ad_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\03d04e78ec80f834687886e0675c80ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03d04e78ec80f834687886e0675c80ad_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\03d04e78ec80f834687886e0675c80ad_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\03d04e78ec80f834687886e0675c80ad_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\Windows\shell.exe%C:\Users\Admin\AppData\Roaming\Microsoft\Windows
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1852
- C:\Users\Admin\AppData\Local\Temp\03d04e78ec80f834687886e0675c80ad_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\03d04e78ec80f834687886e0675c80ad_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg

Filesize
396B

MD5
70c0f71fdadafd0496be9f2c3f856c18

SHA1
78ecdf85f11b417e4716d1a44a2630140aa39d96

SHA256
ea7ab328075ce154efd55aa2edcd12637636c48c8a72112a27e1a830e13c64b6

SHA512
c0d88f94aceb51f055fef760ed5cdaf845b7f671202f65a47fd7b2414630deec553cc6d5e116dab998e0ab21973c25c79dfb0cec3d4055eac94a0739af6a0eb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg

Filesize
792B

MD5
2c432db47b47d9f57f3afe3f89c8961b

SHA1
72bd463dd0ea618618e2cb47af45040310d18b17

SHA256
fcb75534e39a2006fb35ae1c139e84e67d5e6094d4a094b31eef8aae8465c147

SHA512
898fd5309ce298497e7101418d19c5d6ee64da7213dc9f3bd51e9873467bc0015c7a1780ab870ec8be0b26ff825658135c10adb8829fbffd21f7b421e6b6be22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg

Filesize
1KB

MD5
aca995a725bbfe573e911cfbda319b78

SHA1
314178da1ea981d7ef72dacd0a19216e42fad4fa

SHA256
aa15dd4e35a9b8c47c7d6b192fe0e55b493b0633a3598715786d5b28f186c76e

SHA512
ed622dfddc4961d2d0b02d84c478da2e1fbe5f835ffcfb083e4af67120f124149e52f88e7e9ccca8e9118b5f9edc7f6bd59e7bbf05a080288d0ae474d2dade73

Download Submit
memory/1852-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1852-5-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1852-6-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2108-0-0x0000000000270000-0x0000000000286000-memory.dmp

Filesize
88KB

Download
memory/2108-2-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2108-8-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2108-10-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2108-46-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2276-12-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads