e53c5944155189e31ca3ffe3a7d246dbb3c28ac35c72967df0e362d25074e01e

General

Target

37add54baa4b54abb71c5b2efabdef43_JaffaCakes118.exe
Size

109KB
MD5

37add54baa4b54abb71c5b2efabdef43
SHA1

774b6ce162b9adf860de3366f3a27cc466808520
SHA256

e53c5944155189e31ca3ffe3a7d246dbb3c28ac35c72967df0e362d25074e01e
SHA512

11862131f72252a5c32580c2198ad14dd987db52310f038d511bab26fecec0f4c191ac580e25722c35c27da34e4ea4c3ca46d995eeb8ca4e58544ff05e4af267
SSDEEP

1536:rYPH+nxyQrtjljAOhi0OSTqVwSwpMMeXqpusBi0G5V4Dm1TXGDwOFUmV0LQUfMjV:rYP+nb5jlAOwvwSwpzeNsWVl7I+LQ4/

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37add54baa4b54abb71c5b2efabdef43_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37add54baa4b54abb71c5b2efabdef43_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37add54baa4b54abb71c5b2efabdef43_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2776	2860	37add54baa4b54abb71c5b2efabdef43_JaffaCakes118.exe	30
PID 2860 wrote to memory of 2776	2860	37add54baa4b54abb71c5b2efabdef43_JaffaCakes118.exe	30
PID 2860 wrote to memory of 2776	2860	37add54baa4b54abb71c5b2efabdef43_JaffaCakes118.exe	30
PID 2860 wrote to memory of 2776	2860	37add54baa4b54abb71c5b2efabdef43_JaffaCakes118.exe	30
PID 2860 wrote to memory of 2684	2860	37add54baa4b54abb71c5b2efabdef43_JaffaCakes118.exe	32
PID 2860 wrote to memory of 2684	2860	37add54baa4b54abb71c5b2efabdef43_JaffaCakes118.exe	32
PID 2860 wrote to memory of 2684	2860	37add54baa4b54abb71c5b2efabdef43_JaffaCakes118.exe	32
PID 2860 wrote to memory of 2684	2860	37add54baa4b54abb71c5b2efabdef43_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\37add54baa4b54abb71c5b2efabdef43_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\37add54baa4b54abb71c5b2efabdef43_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\37add54baa4b54abb71c5b2efabdef43_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\37add54baa4b54abb71c5b2efabdef43_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\37add54baa4b54abb71c5b2efabdef43_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\37add54baa4b54abb71c5b2efabdef43_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\Windows\shell.exe%C:\Users\Admin\AppData\Roaming\Microsoft\Windows
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg

Filesize
1KB

MD5
ac2caedc20eb796aef8421a8a88a8429

SHA1
449d7f2da4dc4bf9f7aa6e697b74758f2070894d

SHA256
c419c90860a31358e911fd05fc12216847f702aa67e880e750788f8b262cce1a

SHA512
ed92fbbe4193bd38c2b57ec149a46cfe23164d43d166443ca38eaa1aeddd526069daff84a8f466b6f145e4edc3030cf8dbc63753984801b087b7c733836cc37f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg

Filesize
396B

MD5
9f21044c571b004175db80579964b8b8

SHA1
6f937100e406ee6dc6ec121ee36418e47f15936c

SHA256
97fada9a356c8447243f8002f9068422f6df645f495f1074c729150d8217b202

SHA512
88ed3c21d7c927930ae7b389f444d1113726011e9196e33691335eacc91f1e8957ed2acb521873670616964254920d3f181150da05c6be6ecb54d2849b7f20c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg

Filesize
792B

MD5
da3421444fca01a155f3092055d7c9ff

SHA1
4f4bf08f78b9494b5f18a22ed11a260d70686dda

SHA256
b685fcf570290f18cbbaaf72003bf6e3acd5364a7d00d5c58f56da6d32f6cd64

SHA512
c6a2ee5ad5b7022100dfd2132317fe80129bc786a6a4218c687333c5206a2d0880dd99517af01c09b3bf9394249d93d7404c2a636b4466d0f85540cad2c339e5

Download Submit
memory/2684-10-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2684-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2776-4-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2776-5-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2776-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2860-9-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2860-7-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2860-0-0x00000000001D0000-0x00000000001E7000-memory.dmp

Filesize
92KB

Download
memory/2860-2-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2860-183-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing