7f7faf9cfa416e669f99e8f229b8bb47c2e625bce1f0244576d98239d6140957

General

Target

3819c18cd28edac122fc4e59c7b2b01a_JaffaCakes118.exe
Size

133KB
MD5

3819c18cd28edac122fc4e59c7b2b01a
SHA1

d2aac049a8d0f4e2876d7d91289adf29cc364c52
SHA256

7f7faf9cfa416e669f99e8f229b8bb47c2e625bce1f0244576d98239d6140957
SHA512

df78940de3125c6f08d6e871d1a94edcfa6dad5b293c2521449a1d604ebf8241507a9f578ea431f62b1a7053b4209082f7c80a7bb62acbd670ad2779924f1873
SSDEEP

3072:OiENx/emSB0Qjf38w18dLNqgjvhxWQK3kOApPLZohTnG6C:h4mKQj0wkLrvhxWl3GjZ+Y

Score

10^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	3819c18cd28edac122fc4e59c7b2b01a_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2404-2-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/3044-6-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/3044-5-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/2404-9-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/2404-61-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/2612-63-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/2404-144-0x0000000000400000-0x000000000047C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3819c18cd28edac122fc4e59c7b2b01a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3819c18cd28edac122fc4e59c7b2b01a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3819c18cd28edac122fc4e59c7b2b01a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 3044	2404	3819c18cd28edac122fc4e59c7b2b01a_JaffaCakes118.exe	30
PID 2404 wrote to memory of 3044	2404	3819c18cd28edac122fc4e59c7b2b01a_JaffaCakes118.exe	30
PID 2404 wrote to memory of 3044	2404	3819c18cd28edac122fc4e59c7b2b01a_JaffaCakes118.exe	30
PID 2404 wrote to memory of 3044	2404	3819c18cd28edac122fc4e59c7b2b01a_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2612	2404	3819c18cd28edac122fc4e59c7b2b01a_JaffaCakes118.exe	33
PID 2404 wrote to memory of 2612	2404	3819c18cd28edac122fc4e59c7b2b01a_JaffaCakes118.exe	33
PID 2404 wrote to memory of 2612	2404	3819c18cd28edac122fc4e59c7b2b01a_JaffaCakes118.exe	33
PID 2404 wrote to memory of 2612	2404	3819c18cd28edac122fc4e59c7b2b01a_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\3819c18cd28edac122fc4e59c7b2b01a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3819c18cd28edac122fc4e59c7b2b01a_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\3819c18cd28edac122fc4e59c7b2b01a_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3819c18cd28edac122fc4e59c7b2b01a_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3044
- C:\Users\Admin\AppData\Local\Temp\3819c18cd28edac122fc4e59c7b2b01a_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3819c18cd28edac122fc4e59c7b2b01a_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F353.FE7

Filesize
1KB

MD5
3cd2aba1131eb7887d70bd157f291f2d

SHA1
f3b12767e519f876b7832584ae6ef6f2d920ea64

SHA256
0ebef53140a07577a63afed5ca32f80adabcf4de5378a3925d92696942237edb

SHA512
4baa3b82dc741131f3934563cad8da96815a15153d0a6079323a76da84c3c84d32127f095f1a561ef9660366c1495d9fe6005cf2957adcdcc448a824c4a91a22

Download Submit
C:\Users\Admin\AppData\Roaming\F353.FE7

Filesize
300B

MD5
cec4d73f7debc680eeb1a4abd2e5092a

SHA1
629cccf72d9a28bcd14e9e14540a81a57fdddd0f

SHA256
7e34ac7f3223d6b1b0c54c772291b3fbc9255ccae42958425ed01b4ffc737c0a

SHA512
f635f1f777e36deded2b66ec8952b8e8ed89aa63e4010e32379af75c175c7b6d07776fc44f52ad6868ba5d9263609abc5b710625ffef5900ead7f7933ee6379a

Download Submit
C:\Users\Admin\AppData\Roaming\F353.FE7

Filesize
696B

MD5
1722510e37583852721f177dbc983664

SHA1
a680f39af793cbae82dbf56c3f4aba9a94d339b9

SHA256
4d7d2bc4b988786bc1005236146eedef7430170852eacf6125ac451452937571

SHA512
a2e283dfd6782bd91c197a8de3e4d52f38cc7832fcf45ae3e16d51c764e073958011dc097e7e39ad3b08d2645b4ba2dd38faff246a2dcba07a96d20c3c1de1bb

Download Submit
memory/2404-2-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2404-1-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2404-9-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2404-61-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2404-144-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2612-63-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3044-6-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3044-5-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads