7e2dda1ff76577a9709b8f2d10d65bd5661d916ad2bda573393a61f94ca5e76a

General

Target

8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe
Size

169KB
MD5

8272e03f2189e9a7d42cbcb2b237d149
SHA1

c9209eb7a44a88e07cfb4baa6214f9c8173146f5
SHA256

7e2dda1ff76577a9709b8f2d10d65bd5661d916ad2bda573393a61f94ca5e76a
SHA512

8f93895af63741f71a002ed4c0d45700919bae036acd1cd3c2ae67944f661377ed88e82d66ca6246a1042e8cb432d7de31ae5df5a733ce8bfb757fb029da5dfb
SSDEEP

3072:ji+7qmKtwvnfoiLCf6vKOuKzPLUOiKuzd9es1M/7R69pwB071q/S6hGrx:jiU+t2oiLCkuUYO8ztk7s9m0cS6Mrx

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2176-1-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2524-11-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2524-12-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2176-13-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2176-74-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2656-77-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2656-79-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2176-181-0x0000000000400000-0x0000000000444000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2524	2176	8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2524	2176	8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2524	2176	8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2524	2176	8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2656	2176	8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe	33
PID 2176 wrote to memory of 2656	2176	8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe	33
PID 2176 wrote to memory of 2656	2176	8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe	33
PID 2176 wrote to memory of 2656	2176	8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2524
- C:\Users\Admin\AppData\Local\Temp\8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BE66.043

Filesize
1KB

MD5
660b19f0aba7d8a08923433ff01ebdf7

SHA1
161f3142e8cf20fb173f1217d9f53141203146e6

SHA256
9ccf025f34398bdc4e99b92b1648f12c074fa31c468febeb11352264b84df8cf

SHA512
2d567b2ced1aade3e4fa4b5863099a1e0e189c6dd6f282af704ce0a4e58708b7a91ea64b69d9fd88e15d9802352c149377957da96728182e1503a8df03a213b6

Download Submit
C:\Users\Admin\AppData\Roaming\BE66.043

Filesize
600B

MD5
4bcf120e9bcccf22d6f0743e07f91853

SHA1
35098eade88fcfffda059983b5e179978488ebda

SHA256
c3e5e8ab677ed1aad6a550d27606369ebc657f4cb827c5f5d87be2e8b1fa46ef

SHA512
99e8d86f192d037c35c0f35be9ba0ff69b151fa2b6266528f3864ceece186896f4b108aa304d664700850b15e85309d3d81a6254ae46f81345acec9049c47574

Download Submit
C:\Users\Admin\AppData\Roaming\BE66.043

Filesize
996B

MD5
abb5321da1a3b1f2a0ecc46ccf77e00b

SHA1
11fa7c17aeddfe2f5a4b77fc044ad3038f4923eb

SHA256
d0f711600ab05a55d1300d3c5231efe35b4cd99602305927594e28e11b8578d8

SHA512
b776ad3ace33bee5c98cdb5350ed94776230965b667771e2f789ca11678b32dbbbec78dbacbefa6a762158dfc943fdd653ca64ae8b206381ad8ef1cd307f23d2

Download Submit
memory/2176-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2176-13-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2176-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2176-181-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2524-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2524-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2656-77-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2656-79-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2656-76-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads