866dcef893fc6286b9ddf923d71ed3a469cbed25e788d0e11a015019a19601c4

General

Target

134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe
Size

945KB
MD5

134f2436ffdafc5060550130551ee6e3
SHA1

06470ee7c7ed198ff1303afddcb62fd87388a387
SHA256

866dcef893fc6286b9ddf923d71ed3a469cbed25e788d0e11a015019a19601c4
SHA512

1b90a95c95d728c0fb864a724a1375a3d1711cc51ce40fd47c18212cfd215f1721d63e693bfb69b323db80512fd2b88d4e409c7d016942e99ee67f7cf201ccbc
SSDEEP

24576:tzYXUlBNkEp0QHSJ0vN9QOw1tecWWf4y4:ykHNkESQHSJ6zzwqFWfx4

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	h1deippla.exe

Executes dropped EXE 4 IoCs

pid	Process
1240	h1deippla.exe
4760	Setup.exe
1584	hideippla.exe
3464	is-8CQDP.tmp

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hideippla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-8CQDP.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	h1deippla.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4760	Setup.exe
4760	Setup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	Setup.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 1240	2264	134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe	84
PID 2264 wrote to memory of 1240	2264	134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe	84
PID 2264 wrote to memory of 1240	2264	134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe	84
PID 1240 wrote to memory of 4760	1240	h1deippla.exe	85
PID 1240 wrote to memory of 4760	1240	h1deippla.exe	85
PID 1240 wrote to memory of 4760	1240	h1deippla.exe	85
PID 1240 wrote to memory of 1584	1240	h1deippla.exe	93
PID 1240 wrote to memory of 1584	1240	h1deippla.exe	93
PID 1240 wrote to memory of 1584	1240	h1deippla.exe	93
PID 1584 wrote to memory of 3464	1584	hideippla.exe	94
PID 1584 wrote to memory of 3464	1584	hideippla.exe	94
PID 1584 wrote to memory of 3464	1584	hideippla.exe	94

C:\Users\Admin\AppData\Local\Temp\134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\Temp\h1deippla.exe
  "C:\Windows\Temp\h1deippla.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\Temp\Setup.exe
    "C:\Windows\Temp\Setup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4760
- - C:\Windows\Temp\hideippla.exe
    "C:\Windows\Temp\hideippla.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\is-UJJUI.tmp\is-8CQDP.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-UJJUI.tmp\is-8CQDP.tmp" /SL4 $B0256 "C:\Windows\Temp\hideippla.exe" 533110 52224
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-UJJUI.tmp\is-8CQDP.tmp

Filesize
647KB

MD5
b683339ce008e97a0243a0f83bca1e09

SHA1
a8a4c078225ec9d94912762bda3a745d83dbe8f4

SHA256
5c6b8a1ab73cd03140040a3093e0d8466c666cd3fe17e8660dbc1a30d0b6f925

SHA512
c39b2501f5887c363633c94b04d58396a0d285ff65963ed513e99ff2dd7f36da323904278c6a64b9f1f637aaeed17e3d9d40540baa9805369cc664a32c62c780

Download Submit
C:\Windows\Temp\Setup.exe

Filesize
31KB

MD5
3962b24c82cd7fd5d5ad08111bd7bf44

SHA1
dd11858aca12b6ca6fadfe3c17a034a8a7f787a1

SHA256
4087f1e8ba7f28e3d4ed533a6658f3a9869f4b8a12a0767ce46e078ecb89d0b5

SHA512
63e70f979531e3256e6919b9a07807904f4688de8cdb8c302e832c5bdccf39fe5e4cdb7bc66af2afce06cb1a192ee56812aaf10b8c5dbd0dc20a0d0a4d36b1a7

Download Submit
C:\Windows\Temp\h1deippla.exe

Filesize
893KB

MD5
d677c2cb791d2c4f5d19a2a66f1b2779

SHA1
abea4f8d80abca53c06eea001ee1f49f033fb3cf

SHA256
fac3212ae04c7235d59d78ab25fe86cd18576da1c63deef755de11aed60ebab5

SHA512
062647293867a627ba1a3a0eaf042d743615f00bf33a5553c2b383afbeceb6a9f141ae54bb321ec0c3761982965b89a11fb7620a0bd6d9b5676ecb76cbe3ae4e

Download Submit
C:\Windows\Temp\hideippla.exe

Filesize
794KB

MD5
4f75f1c2be26ef5529b177ef126e9285

SHA1
6d8de01edb7d0a80038ac37ccbf48fd436c50584

SHA256
2683919d50bf213910af6fa7b5ade24f7b66a166220822e37e42256155389f34

SHA512
6e3691b48b001adf367563bb0725b3d650300abe0fbf2bfd1434203a4e7100d1d0591c4647d3e9aec20d33cec6b097a8c81bdbdefc0a4af355c56cc34bbb2eb6

Download Submit
memory/1240-34-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1240-16-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1584-46-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1584-35-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2264-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3464-57-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3464-53-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3464-69-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3464-67-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3464-47-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3464-49-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3464-51-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3464-65-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3464-55-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3464-63-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3464-59-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3464-61-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4760-14-0x0000000013140000-0x0000000013184000-memory.dmp

Filesize
272KB

Download
memory/4760-17-0x0000000013140000-0x0000000013184000-memory.dmp

Filesize
272KB

Download
memory/4760-15-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/4760-18-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing