bfdcd42d274e0b82e26b8e797aff46c8cf23b5efa09ebbec931f9646d4e0270e

General

Target

JaffaCakes118_8a65108aa7eaa180194ba54f27a4bb65.exe
Size

650KB
MD5

8a65108aa7eaa180194ba54f27a4bb65
SHA1

48a4a737c6f9bc7215f3f79e20ea54e8cc3487ed
SHA256

bfdcd42d274e0b82e26b8e797aff46c8cf23b5efa09ebbec931f9646d4e0270e
SHA512

5a029561ff05ce7a9bda9026d031c0a01570c4dd53e4e1c5f9725dc437cc450c42330d3ec71472e4600ccb2521c0594e14a8694b9bf97d162bb0ff4230fb22f1
SSDEEP

12288:F8Q5KnlKa2EVD8W+RcPUb5xZUBNiYleh3WGAqBsk7vS0UCG+6o:LqlKa2Ed+Rc01ULzIIGAqfv2Y

Score

7^/10

credential_access discovery persistence spyware stealer upx

Malware Config

Signatures

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SmartIndex = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_8a65108aa7eaa180194ba54f27a4bb65.exe"	JaffaCakes118_8a65108aa7eaa180194ba54f27a4bb65.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5556-0-0x0000000000A30000-0x0000000000B7A000-memory.dmp	upx
behavioral2/memory/5556-3-0x0000000000A30000-0x0000000000B71000-memory.dmp	upx
behavioral2/memory/3224-4-0x0000000000A30000-0x0000000000B7A000-memory.dmp	upx
behavioral2/memory/3224-5-0x0000000000A30000-0x0000000000B7A000-memory.dmp	upx
behavioral2/memory/3224-6-0x0000000000A30000-0x0000000000B7A000-memory.dmp	upx
behavioral2/memory/3224-7-0x0000000000A30000-0x0000000000B7A000-memory.dmp	upx
behavioral2/memory/5556-8-0x0000000000A30000-0x0000000000B7A000-memory.dmp	upx
behavioral2/memory/5556-9-0x0000000000A30000-0x0000000000B71000-memory.dmp	upx
behavioral2/memory/5556-16-0x0000000000A30000-0x0000000000B7A000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1536	3224	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8a65108aa7eaa180194ba54f27a4bb65.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8a65108aa7eaa180194ba54f27a4bb65.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3816 wrote to memory of 3224	3816	cmd.exe	90
PID 3816 wrote to memory of 3224	3816	cmd.exe	90
PID 3816 wrote to memory of 3224	3816	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a65108aa7eaa180194ba54f27a4bb65.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a65108aa7eaa180194ba54f27a4bb65.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a65108aa7eaa180194ba54f27a4bb65.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3816
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a65108aa7eaa180194ba54f27a4bb65.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a65108aa7eaa180194ba54f27a4bb65.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 516
    3⤵
    - Program crash
    PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3224 -ip 3224
1⤵
PID:6076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

2

T1555

Credentials from Web Browsers

1

T1555.003

Windows Credential Manager

1

T1555.004

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Browser Information Discovery

1

T1217

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3224-4-0x0000000000A30000-0x0000000000B7A000-memory.dmp

Filesize
1.3MB

Download
memory/3224-5-0x0000000000A30000-0x0000000000B7A000-memory.dmp

Filesize
1.3MB

Download
memory/3224-6-0x0000000000A30000-0x0000000000B7A000-memory.dmp

Filesize
1.3MB

Download
memory/3224-7-0x0000000000A30000-0x0000000000B7A000-memory.dmp

Filesize
1.3MB

Download
memory/5556-0-0x0000000000A30000-0x0000000000B7A000-memory.dmp

Filesize
1.3MB

Download
memory/5556-1-0x00000000028C0000-0x00000000029AD000-memory.dmp

Filesize
948KB

Download
memory/5556-2-0x00000000029B0000-0x0000000002A27000-memory.dmp

Filesize
476KB

Download
memory/5556-3-0x0000000000A30000-0x0000000000B71000-memory.dmp

Filesize
1.3MB

Download
memory/5556-8-0x0000000000A30000-0x0000000000B7A000-memory.dmp

Filesize
1.3MB

Download
memory/5556-9-0x0000000000A30000-0x0000000000B71000-memory.dmp

Filesize
1.3MB

Download
memory/5556-16-0x0000000000A30000-0x0000000000B7A000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads