e396834c8072b90c9362cb14262b6cc79d9f87ddc85221ff307916fc4b9c2758

General

Target

3e6980700305d1b7c913ae8d6fc3b979_JaffaCakes118.exe
Size

625KB
MD5

3e6980700305d1b7c913ae8d6fc3b979
SHA1

82f6db2b98fa6b4bf856e4a7a7ccd4599d5dec47
SHA256

e396834c8072b90c9362cb14262b6cc79d9f87ddc85221ff307916fc4b9c2758
SHA512

27b01dd7e4054bf7f72e8bd18b20b46df2b330bbff587f929cd3e3805774cada77c65a9e6d1b904b5c81a8d4599a1eb6c49c9226fbc17f74d6ded97d7413f02f
SSDEEP

12288:ROsZ9i9C5hsmXIZaVG/DWI2ZHUCsJqWBbD3GFv26kV1c0:ROsZQCsjPbWRZ0CsQWBbDWBV0

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000016cd3-15.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2764	TROJAN.EXE

Loads dropped DLL 3 IoCs

pid	Process
2636	3e6980700305d1b7c913ae8d6fc3b979_JaffaCakes118.exe
2636	3e6980700305d1b7c913ae8d6fc3b979_JaffaCakes118.exe
2764	TROJAN.EXE

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2764-22-0x0000000010000000-0x00000000100C2000-memory.dmp	upx
behavioral1/memory/2764-17-0x0000000010000000-0x00000000100C2000-memory.dmp	upx
behavioral1/files/0x0007000000016cd3-15.dat	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e6980700305d1b7c913ae8d6fc3b979_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TROJAN.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2740	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2740	WINWORD.EXE
2740	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2740	2636	3e6980700305d1b7c913ae8d6fc3b979_JaffaCakes118.exe	30
PID 2636 wrote to memory of 2740	2636	3e6980700305d1b7c913ae8d6fc3b979_JaffaCakes118.exe	30
PID 2636 wrote to memory of 2740	2636	3e6980700305d1b7c913ae8d6fc3b979_JaffaCakes118.exe	30
PID 2636 wrote to memory of 2740	2636	3e6980700305d1b7c913ae8d6fc3b979_JaffaCakes118.exe	30
PID 2636 wrote to memory of 2764	2636	3e6980700305d1b7c913ae8d6fc3b979_JaffaCakes118.exe	31
PID 2636 wrote to memory of 2764	2636	3e6980700305d1b7c913ae8d6fc3b979_JaffaCakes118.exe	31
PID 2636 wrote to memory of 2764	2636	3e6980700305d1b7c913ae8d6fc3b979_JaffaCakes118.exe	31
PID 2636 wrote to memory of 2764	2636	3e6980700305d1b7c913ae8d6fc3b979_JaffaCakes118.exe	31
PID 2740 wrote to memory of 476	2740	WINWORD.EXE	33
PID 2740 wrote to memory of 476	2740	WINWORD.EXE	33
PID 2740 wrote to memory of 476	2740	WINWORD.EXE	33
PID 2740 wrote to memory of 476	2740	WINWORD.EXE	33

C:\Users\Admin\AppData\Local\Temp\3e6980700305d1b7c913ae8d6fc3b979_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e6980700305d1b7c913ae8d6fc3b979_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\test.docx"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:476
- C:\Users\Admin\AppData\Local\Temp\TROJAN.EXE
  "C:\Users\Admin\AppData\Local\Temp\TROJAN.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.docx

Filesize
42KB

MD5
d1665779f9de2e9ac9114c8f64b19c8b

SHA1
31cd8e735f725e21e6a9acb6c11e585b04c7d084

SHA256
3ac0cf430a0d459730b25ed92aec85c5535bd65e6a6ebe49ba1eab1396ce1bb4

SHA512
10caff82d0f93519d3ae147589d6d7813ee2b3bf504486bfa614e6840dd9ba0f7578ba4324e2cb4a7a3b3fd739882b9d0673df1c6161d760338529f59dabb59b

Download Submit
\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
277KB

MD5
b2a430d876a2c415c0c20999a589a234

SHA1
06f7fb5b23cbe72fd2007e12fb5bb138c45eee9a

SHA256
3cca727b8aaf834476f066fc6c232bf7db98999f761904f8a25eaee15a262aea

SHA512
ca1bcb6489099de9963ca79b1fc0976be73a875c276f8c4104519ed2201277aaa01c6374a4c9d3e96ab8b27cd237361d1be3587678ca34b1afcce6aeef11da16

Download Submit
\Users\Admin\AppData\Local\Temp\TROJAN.EXE

Filesize
681KB

MD5
e72ad1e3bdab7bf7e9be8d70d5135456

SHA1
36d9a3ca584f412ee472684a5e8c005e0eb6abb0

SHA256
26a12b198a26b79a797697ba797443de69c230ab9ed563841fb6fccbccbdb7b3

SHA512
08e06f88e01b7c9a5de7fbb1d5e0e897de0d50b08dc4e2e22a8839bd3d380745c9a87044a3296bc95f27a9506c7a175643985bbdcf0f83c8253db040721adeb5

Download Submit
memory/2740-5-0x000000002F3B1000-0x000000002F3B2000-memory.dmp

Filesize
4KB

Download
memory/2740-23-0x000000007101D000-0x0000000071028000-memory.dmp

Filesize
44KB

Download
memory/2740-18-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2740-32-0x000000007101D000-0x0000000071028000-memory.dmp

Filesize
44KB

Download
memory/2764-14-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2764-22-0x0000000010000000-0x00000000100C2000-memory.dmp

Filesize
776KB

Download
memory/2764-20-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2764-17-0x0000000010000000-0x00000000100C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing