14401ee79845bbe55bf7d5d2d9123cf8fe8589dc4a535431c7bd524b50f042fd

General

Target

JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe
Size

1.6MB
MD5

e2557269e66b36f7ed7fcf32e85b91dd
SHA1

c682a00eb0e40e55064475d0f59d735e5561d45b
SHA256

14401ee79845bbe55bf7d5d2d9123cf8fe8589dc4a535431c7bd524b50f042fd
SHA512

5ea75cc0c40028948af5bfccc204711440ab7d667b276983bfdb784d78576f5a96f9a0a24606e9b4149afaefe2fe6d10eab9621c410c67787cf6ba6e23a92b26
SSDEEP

49152:pbfcx2eIzRet6PPwyo2MIvJtoiQKusITOJrc:pgx/My6vJ+gu5

Score

7^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3004	cookieman.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2208	JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe
2208	JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe
2440	JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe
2440	JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2440	JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2440	JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2440	JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe
2440	JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2440	2208	JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe	30
PID 2208 wrote to memory of 2440	2208	JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe	30
PID 2208 wrote to memory of 2440	2208	JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe	30
PID 2208 wrote to memory of 2440	2208	JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe	30
PID 2208 wrote to memory of 2440	2208	JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe	30
PID 2208 wrote to memory of 2440	2208	JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe	30
PID 2208 wrote to memory of 2440	2208	JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe"
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2557269e66b36f7ed7fcf32e85b91dd.exe" /wrapper /dir="C:\Users\Admin\AppData\Local\Temp\pkg_83b2117d0"
  2⤵
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2440
- - C:\Users\Admin\AppData\LocalLow\cookieman.exe
    "C:\Users\Admin\AppData\LocalLow\cookieman.exe" /mode=read installiq.com
    3⤵
    - Executes dropped EXE
    PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\cookie.ini

Filesize
34B

MD5
3f4519b56cb1e006dfe4341e72112913

SHA1
0ff5675d359c898b6a6bdc1dff10f71097bc9927

SHA256
125adf4924899f2026436c0919853bb78b718c7cb6f2187148b01938b79388a2

SHA512
78c0961f0828f32032c643f0e6ab59d1ca8b96bb891a74b0b255e1a1a63a0c581f486e9e16b070399e6365d1fb53464eb2b723932480b41a2df5e9f1eb89ab40

Download Submit
C:\Users\Admin\AppData\LocalLow\cookieman.exe

Filesize
45KB

MD5
e9f890b0cc57ffc4cbf579004f00e99e

SHA1
15250500d0dfda4f767c2327af2c42463b95f80e

SHA256
3a6a3f4a09a5e9056ae2ed9e1f9e1919acaa7a5bae5e2a90494b6bd591d0c2c1

SHA512
6a2104916e3e2ae15c810f5b2ac28d3298a32a123e187ed5e1aa4854b0c603f6c2c8a4cbf008eeaad45fadc176dfecc1ed3f9826d8a6c9c0538daf76120d729b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_83b2117d0\autorun.txt

Filesize
94B

MD5
e60e8b7a94efb8b8b0346fc8937e5cd6

SHA1
76370821b74662046bffbb35920d742cd4958fa4

SHA256
8ad7ddfa4b3d9b92dc133a9f6a67ae9acaaee568a1da54d1d79db0f216fa777a

SHA512
04340ed8f2f1a4fc6f4ddec2888800e3c5c4438b56ffe1563fbac94a0be077ced65dda3d288620c08298756f34d2e622a92e01d5979464637f1bce1d56adade2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_83b2117d0\wrapper.xml

Filesize
1KB

MD5
3db83f039ef0c6d0f9a2db8e02ab744a

SHA1
f0ef7f3666933e3d46f2467f7a48722078de6615

SHA256
9a7e0e42263fce0d4521921818a757ff2ca485d16052e8e3287bc281a323daf6

SHA512
ba9b807533475d4629b6c798e1fb5ea6a385e26885023461c0167a7effd1878875be5a5c3206c1d04e06c45a929eb841d2bb53663628874b2f030cb2ae0155f1

Download Submit

Analysis

Sharing