e9ae37d07f49591509ff5f70dd37e89b6f13b23a6828b14ef8ea5ace2caba8da

General

Target

b4f10564ea582965fbac39871e70dd6c_JaffaCakes118.exe
Size

178KB
MD5

b4f10564ea582965fbac39871e70dd6c
SHA1

d90c31b4b83baf70902e308857065d5cedbf6829
SHA256

e9ae37d07f49591509ff5f70dd37e89b6f13b23a6828b14ef8ea5ace2caba8da
SHA512

7208e12ab7042a2442613be573acf012e375b7d636162cf32f0cab777d40ba1d56bb233dad34f9d817d20ecb38311a6e666775425dd780f6671f9d537aaaee5e
SSDEEP

3072:ZvvPdRscJhukW5oDF0PUMUb2Wgtmb7pDtYoABh9cAIJeck0ytU/l:JNecvu2qPUMUbLgaZtY/X9cPJqDcl

Score

10^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	b4f10564ea582965fbac39871e70dd6c_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2500-1-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2344-6-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2500-9-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2592-76-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2592-75-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2500-77-0x0000000000400000-0x0000000000464000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4f10564ea582965fbac39871e70dd6c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4f10564ea582965fbac39871e70dd6c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4f10564ea582965fbac39871e70dd6c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2344	2500	b4f10564ea582965fbac39871e70dd6c_JaffaCakes118.exe	30
PID 2500 wrote to memory of 2344	2500	b4f10564ea582965fbac39871e70dd6c_JaffaCakes118.exe	30
PID 2500 wrote to memory of 2344	2500	b4f10564ea582965fbac39871e70dd6c_JaffaCakes118.exe	30
PID 2500 wrote to memory of 2344	2500	b4f10564ea582965fbac39871e70dd6c_JaffaCakes118.exe	30
PID 2500 wrote to memory of 2592	2500	b4f10564ea582965fbac39871e70dd6c_JaffaCakes118.exe	33
PID 2500 wrote to memory of 2592	2500	b4f10564ea582965fbac39871e70dd6c_JaffaCakes118.exe	33
PID 2500 wrote to memory of 2592	2500	b4f10564ea582965fbac39871e70dd6c_JaffaCakes118.exe	33
PID 2500 wrote to memory of 2592	2500	b4f10564ea582965fbac39871e70dd6c_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\b4f10564ea582965fbac39871e70dd6c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b4f10564ea582965fbac39871e70dd6c_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Local\Temp\b4f10564ea582965fbac39871e70dd6c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\b4f10564ea582965fbac39871e70dd6c_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2344
- C:\Users\Admin\AppData\Local\Temp\b4f10564ea582965fbac39871e70dd6c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\b4f10564ea582965fbac39871e70dd6c_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EC5E.AEC

Filesize
300B

MD5
d33c8f0fde8a2d88573656ce84923bc0

SHA1
b71f1e01ede4821ff94bad2ad53c0f1674c200b5

SHA256
18a7cddc8b6d8336e5532bbfe9a819ba7b7bdb0af098d776345107148668e447

SHA512
a742e4aa09230fa226a79bb3b0f13bdcbb55e11cfe5f131ed59f8dfd54f063fba2a812b0dd3d9a21c5fdcb227775b2852e67c7c7831930db9c88ed740c6426f1

Download Submit
C:\Users\Admin\AppData\Roaming\EC5E.AEC

Filesize
696B

MD5
6e5c912ff12ddd0e9e5daf9389d7884a

SHA1
7c980ce8130f4c86d98d629af43518efe9ed2e8e

SHA256
62f850f6ff85e8296723cfec49a7eac71972bc279d2f7b5aa4edd34416e7423e

SHA512
aa2aa1a2dde459e741499b2378fc2f1725e0aa31ed9426e9cd607bc73a5c4ade1113aa0794b27a3b51a7e34fa5fd29019ca7a25c8a07c098d4c8d8cb91280c16

Download Submit
memory/2344-4-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2344-6-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2344-68-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2500-1-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2500-9-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2500-77-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2592-76-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2592-75-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads