e49a5c2ccc6381d4cc8fba2eef2600bf9c8e784686caf6522b3817c989ff6231

General

Target

2a80322137d486b1c35e2542ce7a07fe_JaffaCakes118.exe
Size

173KB
MD5

2a80322137d486b1c35e2542ce7a07fe
SHA1

6f2309e630a05f511dfa98fa7b861558851cf96c
SHA256

e49a5c2ccc6381d4cc8fba2eef2600bf9c8e784686caf6522b3817c989ff6231
SHA512

8443ba41370828f35a8d7df72a6618a1d82b44c361d1b73f43efc009907e4146888422e26706550718c51fa95efeab4a2f960f660f18d9027dc95c95601baca1
SSDEEP

3072:0AeJ3hAszwhqKRVqzxLmTthRWok2SdsDt2tJswMqQzYta6fSQEoW+wqIZi:ReFhAszYRVCcPoB2SnUwMqQea6KVD+LM

Score

10^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\B4A3C\\F1ED3.exe"	2a80322137d486b1c35e2542ce7a07fe_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2596-2-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2308-8-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2308-10-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2596-15-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2196-82-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2196-83-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2596-84-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2596-152-0x0000000000400000-0x000000000046D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a80322137d486b1c35e2542ce7a07fe_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a80322137d486b1c35e2542ce7a07fe_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a80322137d486b1c35e2542ce7a07fe_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2308	2596	2a80322137d486b1c35e2542ce7a07fe_JaffaCakes118.exe	30
PID 2596 wrote to memory of 2308	2596	2a80322137d486b1c35e2542ce7a07fe_JaffaCakes118.exe	30
PID 2596 wrote to memory of 2308	2596	2a80322137d486b1c35e2542ce7a07fe_JaffaCakes118.exe	30
PID 2596 wrote to memory of 2308	2596	2a80322137d486b1c35e2542ce7a07fe_JaffaCakes118.exe	30
PID 2596 wrote to memory of 2196	2596	2a80322137d486b1c35e2542ce7a07fe_JaffaCakes118.exe	33
PID 2596 wrote to memory of 2196	2596	2a80322137d486b1c35e2542ce7a07fe_JaffaCakes118.exe	33
PID 2596 wrote to memory of 2196	2596	2a80322137d486b1c35e2542ce7a07fe_JaffaCakes118.exe	33
PID 2596 wrote to memory of 2196	2596	2a80322137d486b1c35e2542ce7a07fe_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\2a80322137d486b1c35e2542ce7a07fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a80322137d486b1c35e2542ce7a07fe_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Local\Temp\2a80322137d486b1c35e2542ce7a07fe_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2a80322137d486b1c35e2542ce7a07fe_JaffaCakes118.exe startC:\Program Files (x86)\Internet Explorer\D3AB\9CF.exe%C:\Program Files (x86)\Internet Explorer\D3AB
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2308
- C:\Users\Admin\AppData\Local\Temp\2a80322137d486b1c35e2542ce7a07fe_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2a80322137d486b1c35e2542ce7a07fe_JaffaCakes118.exe startC:\Program Files (x86)\3C5D9\lvvm.exe%C:\Program Files (x86)\3C5D9
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B4A3C\C5D9.4A3

Filesize
1KB

MD5
fcf752d836aaf5866359c2e191cf17fa

SHA1
47113744d885d698d843c1e177656eec38f6a119

SHA256
4bbd82c366bf18ea87f13e22980eb7ac2d21105207592e0563a6aa1223281b0e

SHA512
0501004d84252013c49e8353dfe0db9077a4e00a2f88f2e5118fb216db580e26a4797c4f7dcd6661941e4d4a452349e02ab61dd02d7638d88313e666735380f7

Download Submit
C:\Users\Admin\AppData\Roaming\B4A3C\C5D9.4A3

Filesize
600B

MD5
6e05e7aa5412ae5a13b01314d40a3fc4

SHA1
fb1f611ecb1e1e0ee0241e2750dbd886e2bb138b

SHA256
ef0d2a170391c7cf6993b2e8c5841966beb816e44b9866e8a0409afaed122657

SHA512
1bc1cced2324eebd5c0c6d47ff48e55ebeb22daa817b2a5cc31f8896042ab588e68d7ea1ceefd4d803488ae04354ce31168de9540b1eabb6d174ef98ae87f7a5

Download Submit
C:\Users\Admin\AppData\Roaming\B4A3C\C5D9.4A3

Filesize
996B

MD5
cbb84ca90c164aab929f8eceb6a2437b

SHA1
0feae2a60635e9bcff0a8dec7df923eb5f2ef404

SHA256
5276c52ba0d09fdea9def4df8eefa88020d3195bbf9b74310d4fb8fbc683c7c2

SHA512
02d65f6815d787d463be75d042f562396906b744698c36647c654199b957ffb7bc74e78ec024e0062a3a0d220c5403cd0c628e3de1619d41fa05fa4fc1bc803d

Download Submit
memory/2196-83-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2196-82-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2308-10-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2308-9-0x0000000000277000-0x0000000000290000-memory.dmp

Filesize
100KB

Download
memory/2308-8-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2596-15-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2596-1-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2596-84-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2596-152-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2596-2-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads