7964a21494642ac150a91c7e0b7cbf88e50edef5f5cc3e928d28e7bcd894f323

General

Target

14af39fc131792bfb8bcd87735910280_JaffaCakes118.exe
Size

171KB
MD5

14af39fc131792bfb8bcd87735910280
SHA1

0fe27a502f9bdf69e19e2155d819e0c091d188a5
SHA256

7964a21494642ac150a91c7e0b7cbf88e50edef5f5cc3e928d28e7bcd894f323
SHA512

40f145c0c3ad1145d5473165208baf59f9ebc958a7c76238e7c9b2f01abf12850b63679830985a3bb4b3aa856d33ac384aba638505a95d0ae84f32a5059cb62b
SSDEEP

3072:+Km3p7eYnGohmEyGR4tuQPSgP+ybALSf7FmrBDcTM+j8jnHnfTwarMaYPj:9wNecGoVPRCSgPBbVzcrBg4NjnHfTwa6

Score

10^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\E22A6\\DBD8E.exe"	14af39fc131792bfb8bcd87735910280_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2520-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1644-12-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1644-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1644-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2520-16-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2520-17-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/1180-127-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1180-129-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2520-130-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2520-308-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14af39fc131792bfb8bcd87735910280_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14af39fc131792bfb8bcd87735910280_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14af39fc131792bfb8bcd87735910280_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 1644	2520	14af39fc131792bfb8bcd87735910280_JaffaCakes118.exe	31
PID 2520 wrote to memory of 1644	2520	14af39fc131792bfb8bcd87735910280_JaffaCakes118.exe	31
PID 2520 wrote to memory of 1644	2520	14af39fc131792bfb8bcd87735910280_JaffaCakes118.exe	31
PID 2520 wrote to memory of 1644	2520	14af39fc131792bfb8bcd87735910280_JaffaCakes118.exe	31
PID 2520 wrote to memory of 1180	2520	14af39fc131792bfb8bcd87735910280_JaffaCakes118.exe	33
PID 2520 wrote to memory of 1180	2520	14af39fc131792bfb8bcd87735910280_JaffaCakes118.exe	33
PID 2520 wrote to memory of 1180	2520	14af39fc131792bfb8bcd87735910280_JaffaCakes118.exe	33
PID 2520 wrote to memory of 1180	2520	14af39fc131792bfb8bcd87735910280_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\14af39fc131792bfb8bcd87735910280_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14af39fc131792bfb8bcd87735910280_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\14af39fc131792bfb8bcd87735910280_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\14af39fc131792bfb8bcd87735910280_JaffaCakes118.exe startC:\Program Files (x86)\LP\8E3E\D5A.exe%C:\Program Files (x86)\LP\8E3E
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1644
- C:\Users\Admin\AppData\Local\Temp\14af39fc131792bfb8bcd87735910280_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\14af39fc131792bfb8bcd87735910280_JaffaCakes118.exe startC:\Program Files (x86)\A6A74\lvvm.exe%C:\Program Files (x86)\A6A74
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E22A6\6A74.22A

Filesize
996B

MD5
5c2e811fabb366a862989b088aa8d000

SHA1
a36006efded1dd957ddce60a88a10205565627a5

SHA256
ca86758f8426b2d3366e1fb8dadcc3092f2c219b7cd77c9a18522a3849ae0440

SHA512
4988436739dd99bc7a4cf69119ed33f14d95d29f47700a619ce6c334aefc49de721c8740f1b863386d9bd3b2bc6d486ed998f9d7e486ddd76f11fa00528894f5

Download Submit
C:\Users\Admin\AppData\Roaming\E22A6\6A74.22A

Filesize
600B

MD5
ab146b008b3be3a1c27829e2d6c18764

SHA1
045c081cae652e8967199c2f3b720b941d8aa48b

SHA256
7371becfdf86635e38b5d274f8db1cc16b6303a9a66bc8d515e668a3038cd724

SHA512
80a2fb0580e1baaaf1ba3fcc195153b9f0216a55afab4a16114c2348b3c9c6b58ac1271541f19a87fcecfc2e0b061e34055f25e99cc5c31e3411ee8e7a5b0867

Download Submit
C:\Users\Admin\AppData\Roaming\E22A6\6A74.22A

Filesize
1KB

MD5
3dc74bb89f1f66eca20bafeed8cc73bd

SHA1
5ccd9ded7915b052aa9b45e788b04bdc310dbc93

SHA256
daa710ca03f2a9c448c788ca1faafe963c2c2983d4e9d6a5fcfe9c804478be58

SHA512
9e2960df2989f84df7d01ad33c461f3f757517665fe866dfbebc04c11fcfe4c8f47089aa0c968058daade224401932a5943c4f443a14f083e0c6cd631836bfa9

Download Submit
memory/1180-126-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1180-129-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1180-127-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1644-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1644-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1644-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2520-17-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2520-16-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2520-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2520-130-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2520-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2520-308-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads