b5c72c6e9e8d3477dbd97fee514348dc61cc9aad832d33dacb52f1fc86c48768

General

Target

b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
Size

342KB
MD5

b0bcf19827ffbdf58347f12878707bff
SHA1

1113438386f4d9049e6678bd176fd6c7119658f3
SHA256

b5c72c6e9e8d3477dbd97fee514348dc61cc9aad832d33dacb52f1fc86c48768
SHA512

c53c1489f62f6ecd11ea66318760da618fdb4d6c972dbc98347e35de30885955c36a031d6ddf0c6e39de6567c85f65b46299bbee30a81bae0810396bd80e88ec
SSDEEP

6144:J/x73bXTzTvxGz6bnIKoYVCxeVnDYPrcDhMrCPaiUjasX:9v+YVCc+aMuRsX

Score

10^/10

credential_access evasion persistence spyware stealer

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.drivehq.com
Port:
21
Username:
username

Signatures

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exeb0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe

Disables Task Manager via registry modification
evasion

Deletes itself 1 IoCs

Processes:

b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe

pid	Process
2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe

pid	Process
2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exeb0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe"	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe = "C:\\Windows\\b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe"	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

Processes:

b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exeb0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe

description	ioc	Process
File created	C:\Windows\b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
File opened for modification	C:\Windows\b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
File created	C:\WINDOWS\1	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

REG.exeREG.exe

pid	Process
2848	REG.exe
2756	REG.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exeb0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe

pid	Process
2548	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2548	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2548	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2548	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2548	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2548	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2548	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2548	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2548	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2548	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2548	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2548	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2548	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2548	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2548	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe

pid	Process
2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exeb0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe

description	pid	Process
Token: SeDebugPrivilege	2548	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
Token: SeDebugPrivilege	2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exeb0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe

pid	Process
2548	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exeb0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2548 wrote to memory of 2160	2548	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe	31
PID 2548 wrote to memory of 2160	2548	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe	31
PID 2548 wrote to memory of 2160	2548	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe	31
PID 2548 wrote to memory of 2804	2548	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe	33
PID 2548 wrote to memory of 2804	2548	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe	33
PID 2548 wrote to memory of 2804	2548	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe	33
PID 2804 wrote to memory of 2776	2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe	34
PID 2804 wrote to memory of 2776	2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe	34
PID 2804 wrote to memory of 2776	2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe	34
PID 2804 wrote to memory of 2756	2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe	36
PID 2804 wrote to memory of 2756	2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe	36
PID 2804 wrote to memory of 2756	2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe	36
PID 2804 wrote to memory of 2848	2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe	37
PID 2804 wrote to memory of 2848	2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe	37
PID 2804 wrote to memory of 2848	2804	b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe	37

C:\Users\Admin\AppData\Local\Temp\b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe"
1⤵
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\system32\REG.exe
  REG add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
  2⤵
  PID:2160
- C:\Windows\b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
  C:\Windows\b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe
  2⤵
  - Disables RegEdit via registry modification
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\system32\REG.exe
    REG add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
    3⤵
    PID:2776
- - C:\Windows\system32\REG.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry key
    PID:2756
- - C:\Windows\system32\REG.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry key
    PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\b0bcf19827ffbdf58347f12878707bff_JaffaCakes118.exe

Filesize
342KB

MD5
b0bcf19827ffbdf58347f12878707bff

SHA1
1113438386f4d9049e6678bd176fd6c7119658f3

SHA256
b5c72c6e9e8d3477dbd97fee514348dc61cc9aad832d33dacb52f1fc86c48768

SHA512
c53c1489f62f6ecd11ea66318760da618fdb4d6c972dbc98347e35de30885955c36a031d6ddf0c6e39de6567c85f65b46299bbee30a81bae0810396bd80e88ec

Download Submit
memory/2548-4-0x000007FEF59F0000-0x000007FEF638D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-5-0x00000000002E0000-0x00000000002F4000-memory.dmp

Filesize
80KB

Download
memory/2548-17-0x000007FEF59F0000-0x000007FEF638D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-0-0x000007FEF5CAE000-0x000007FEF5CAF000-memory.dmp

Filesize
4KB

Download
memory/2548-1-0x000007FEF59F0000-0x000007FEF638D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-6-0x000007FEF59F0000-0x000007FEF638D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-7-0x000007FEF59F0000-0x000007FEF638D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-2-0x000007FEF59F0000-0x000007FEF638D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-3-0x000007FEF59F0000-0x000007FEF638D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-15-0x000007FEF59F0000-0x000007FEF638D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-16-0x000007FEF59F0000-0x000007FEF638D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-14-0x000007FEF59F0000-0x000007FEF638D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-18-0x000007FEF59F0000-0x000007FEF638D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-22-0x000007FEF59F0000-0x000007FEF638D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-23-0x000007FEF59F0000-0x000007FEF638D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-24-0x000007FEF59F0000-0x000007FEF638D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-25-0x000007FEF59F0000-0x000007FEF638D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads