1db9c9d526bf9b23627d15a2c5cd0f29aac3e141e62bb134f5ee59a6b99c4f94

General

Target

1618b70040a67d91ee2b90537c1e8ec1_JaffaCakes118.exe
Size

117KB
MD5

1618b70040a67d91ee2b90537c1e8ec1
SHA1

42bbe29f65e08350238e23ec31bb4f88857d59d9
SHA256

1db9c9d526bf9b23627d15a2c5cd0f29aac3e141e62bb134f5ee59a6b99c4f94
SHA512

af93262acd32e6bbe8fad475d23d4179f43c191876ee2fcfe4d417703907579aaafc8bd8666f649e1d06a4158fb9d277ff93665f1a85d49d5f63ff8bfc798b8a
SSDEEP

3072:zGrzJgxC5+ITyLZYB+TAp9Rj2idAEjrWmc3+zIjB+FQJD:S3Sk+ITyLItbRn9jr7/zIjEQJD

Score

10^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\shell.exe"	1618b70040a67d91ee2b90537c1e8ec1_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2772-3-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2864-8-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2864-6-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2772-9-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2548-16-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2772-17-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2772-53-0x0000000000400000-0x000000000045A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1618b70040a67d91ee2b90537c1e8ec1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1618b70040a67d91ee2b90537c1e8ec1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1618b70040a67d91ee2b90537c1e8ec1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2864	2772	1618b70040a67d91ee2b90537c1e8ec1_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2864	2772	1618b70040a67d91ee2b90537c1e8ec1_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2864	2772	1618b70040a67d91ee2b90537c1e8ec1_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2864	2772	1618b70040a67d91ee2b90537c1e8ec1_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2548	2772	1618b70040a67d91ee2b90537c1e8ec1_JaffaCakes118.exe	32
PID 2772 wrote to memory of 2548	2772	1618b70040a67d91ee2b90537c1e8ec1_JaffaCakes118.exe	32
PID 2772 wrote to memory of 2548	2772	1618b70040a67d91ee2b90537c1e8ec1_JaffaCakes118.exe	32
PID 2772 wrote to memory of 2548	2772	1618b70040a67d91ee2b90537c1e8ec1_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\1618b70040a67d91ee2b90537c1e8ec1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1618b70040a67d91ee2b90537c1e8ec1_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\1618b70040a67d91ee2b90537c1e8ec1_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\1618b70040a67d91ee2b90537c1e8ec1_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2864
- C:\Users\Admin\AppData\Local\Temp\1618b70040a67d91ee2b90537c1e8ec1_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\1618b70040a67d91ee2b90537c1e8ec1_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg

Filesize
396B

MD5
2bf67c91a095f8524a6127ec30013475

SHA1
c865d213f0f832c7c79f7c533128f89a407c9e73

SHA256
fbc21a385d137dc5fefb7eb897af0c9ccf6c8bac0543cc87f0572ed6650729ae

SHA512
4be3995aa7c409137fd57976513d684435164812dce71dcd39bbe0827737ca446f193b73e6c8cfee0fb42449c22ccb135ccd8690143be93cb15852425ed82ba1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg

Filesize
792B

MD5
1a94251a81f697762fb76d0933a64265

SHA1
6d8f1d45210b20e32d7bf996f3fc5d2d7b87c9ea

SHA256
a3266225babcf886741794eb28785f03a044de36b3caad667e312e69ad4bc53c

SHA512
828df721f8c06688ebde89f10b4655636cde4a034ee3e4f4b20ab1866e8690b9475cd88e6d7188655d2b6ff1809709207cd927d04fc1a51a2dee25eb1da12715

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg

Filesize
1KB

MD5
456afeaac1c937cd7a716d8d2cd459ea

SHA1
1fc2a90280a0b3fedecf785cc2aa79bbf392db19

SHA256
090c3f041795208ad9ee135d9caf40a309b1d349c6196d69c83719d4985a503f

SHA512
042dddd978b428e3bfec6853bda6b65134f53fa3a1a425ccdc28c4dd55f5e5366d52704ab750331b9585736102bda0402c68cb07db170c55d7052be156c11622

Download Submit
memory/2548-15-0x000000000062E000-0x0000000000640000-memory.dmp

Filesize
72KB

Download
memory/2548-16-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2548-14-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2772-17-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2772-9-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2772-2-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2772-3-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2772-53-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2864-6-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2864-7-0x000000000031E000-0x0000000000330000-memory.dmp

Filesize
72KB

Download
memory/2864-8-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads