6da5b6896b3181ad14991340d6886cae627aae9bbee58ef2cded692267c1f7ca

General

Target

03e6fa84e4ab6243671f14563aad7b51_JaffaCakes118.exe
Size

156KB
MD5

03e6fa84e4ab6243671f14563aad7b51
SHA1

8e25bf8717f007832ec54a82060ef6a16e748044
SHA256

6da5b6896b3181ad14991340d6886cae627aae9bbee58ef2cded692267c1f7ca
SHA512

40d014b72f9eb47637d78156bd73bfa884dc7d7e22a243f9b4218c6124e687ac3d685a56b30121c772f8d618f1fffa009c9992fd7d93736e9d90545df8bff5a0
SSDEEP

3072:CYiYqa4rWYd3HANohGG6QvXhRAzj8qtDak0ZQRYrKBvevjG2D:CnaA3gNsh6Q3AX8C2/QRYqvqf

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	03e6fa84e4ab6243671f14563aad7b51_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2956-1-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2884-8-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2956-19-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2956-76-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1060-78-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2956-185-0x0000000000400000-0x0000000000442000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03e6fa84e4ab6243671f14563aad7b51_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03e6fa84e4ab6243671f14563aad7b51_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03e6fa84e4ab6243671f14563aad7b51_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2884	2956	03e6fa84e4ab6243671f14563aad7b51_JaffaCakes118.exe	31
PID 2956 wrote to memory of 2884	2956	03e6fa84e4ab6243671f14563aad7b51_JaffaCakes118.exe	31
PID 2956 wrote to memory of 2884	2956	03e6fa84e4ab6243671f14563aad7b51_JaffaCakes118.exe	31
PID 2956 wrote to memory of 2884	2956	03e6fa84e4ab6243671f14563aad7b51_JaffaCakes118.exe	31
PID 2956 wrote to memory of 1060	2956	03e6fa84e4ab6243671f14563aad7b51_JaffaCakes118.exe	33
PID 2956 wrote to memory of 1060	2956	03e6fa84e4ab6243671f14563aad7b51_JaffaCakes118.exe	33
PID 2956 wrote to memory of 1060	2956	03e6fa84e4ab6243671f14563aad7b51_JaffaCakes118.exe	33
PID 2956 wrote to memory of 1060	2956	03e6fa84e4ab6243671f14563aad7b51_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\03e6fa84e4ab6243671f14563aad7b51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03e6fa84e4ab6243671f14563aad7b51_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\03e6fa84e4ab6243671f14563aad7b51_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\03e6fa84e4ab6243671f14563aad7b51_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2884
- C:\Users\Admin\AppData\Local\Temp\03e6fa84e4ab6243671f14563aad7b51_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\03e6fa84e4ab6243671f14563aad7b51_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F875.8A9

Filesize
1KB

MD5
dfb81914aab277b0e157eaa14c2d2d96

SHA1
b35ef8fbc73093255cc36ca5f59bd899a58991b8

SHA256
8cac2058698c58c99400b36ec711ca9e5fee3d49715eecb23e525ef84afbda76

SHA512
fb8dd3670e349d63ee006b7937ef4e57c1675477393d3bc3ab3ff07634553f6f18ed6b939d62d2a2ac58cb9aa95599f55b970606426b98a9d5e18b07b27735c4

Download Submit
C:\Users\Admin\AppData\Roaming\F875.8A9

Filesize
597B

MD5
308efb4c1537bbdb2796de17174f3c32

SHA1
88e12f2287a575ee328835324fbff1a86adb4ebc

SHA256
433de5283479c8781ddf5c3c3ab5c53c35ab6dfd03494083ad27039256277684

SHA512
707af4544e8d7eb5568efa116adfd853b1a9dffc763835aa654079bd77335e4259520db0458710d76c484ea85c1978df5dea09c90ab1a408469ff89622f86f0e

Download Submit
C:\Users\Admin\AppData\Roaming\F875.8A9

Filesize
897B

MD5
8af7fc4be54e2218b7f878750f0c333f

SHA1
27e6105f21810de27a3a53facf0ee79edfa1f2a2

SHA256
e6bab52d7cac49c2cba1fb225b4ae1118cf076bb4ffde8ad39f830cec55a67f9

SHA512
70fd24eb88f762cc100863671a55f3fa8fba20f02556ac11410aa072928d9145e8d9580741e4b952e5d6c775370829ff8aa7440f7bed2ae331fd3d2ea8a80f13

Download Submit
C:\Users\Admin\AppData\Roaming\F875.8A9

Filesize
1KB

MD5
83fcfaf3f21373392f8d2d6805d2a657

SHA1
5e916d0a6a9d9acebf55cae351dc895c2a699e33

SHA256
3d8abf131ed570e7b5d72f65f0ac8b20a59ed8cadc555699017c753cc6edd034

SHA512
c76ca78062366b9509ed50a3b5e6bd5d87cced4cedf57c5ad846f43509a77c4e4880b7b1d8531dc1afa9d35187fb77258768e4924d3d6c6c3de658a3342b5483

Download Submit
memory/1060-78-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2884-6-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2884-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2956-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2956-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2956-76-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2956-185-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads