d11d6f31d9a4924d3343cbea0d4a6bdb6d75ba51b5da7bd26e08faa43fa9fce1

General

Target

JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe
Size

158KB
MD5

9a5e537d9eea6f0e26eedc68fa240ec4
SHA1

892cc8474e42eaf3094d11e8f302ed7cdb5162ad
SHA256

d11d6f31d9a4924d3343cbea0d4a6bdb6d75ba51b5da7bd26e08faa43fa9fce1
SHA512

2edc80de6b3cb310c8bdacb2f7b484ea40df8f0c0d5b747da2cab7aee0fc7a5647eb702c02cc257dc6a8f908f06c84ad81161dd594abf5dc375b043a39192856
SSDEEP

3072:kRnLy8MWmJoOqteZmhVa32ippS3XrGY0OSSuP6mX7vv/ohiLlu9JR8:kp7OqvV+2ippSHrG7jt6CH/ohD6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1092	cmtowgosvx.exe

Loads dropped DLL 3 IoCs

pid	Process
5292	JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe
5292	JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe
5292	JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MediaAccumulativeCodec\install.ico	JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe
File created	C:\Program Files (x86)\MediaAccumulativeCodec\cmtowgosvx.exe	JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe
File created	C:\Program Files (x86)\MediaAccumulativeCodec\imex.bat	JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe
File created	C:\Program Files (x86)\MediaAccumulativeCodec\MediaAccumulativeCodec.ocx	JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmtowgosvx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5292 wrote to memory of 5804	5292	JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe	95
PID 5292 wrote to memory of 5804	5292	JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe	95
PID 5292 wrote to memory of 5804	5292	JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe	95
PID 5804 wrote to memory of 1092	5804	cmd.exe	97
PID 5804 wrote to memory of 1092	5804	cmd.exe	97
PID 5804 wrote to memory of 1092	5804	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c imex.bat /s
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5804
- - C:\Users\Admin\AppData\Local\Temp\cmtowgosvx.exe
    C:\Users\Admin\AppData\Local\Temp\cmtowgosvx.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MediaAccumulativeCodec\cmtowgosvx.exe

Filesize
148KB

MD5
a629b217630fbf5212b8fb8dbc387a81

SHA1
b65e9b0e2d2de421d112e2ef7a56b720f3d4caab

SHA256
01b736b2f0dd653d7103e68e7d9c1dbb34778ac0a71754c24f9f6094fc4d5558

SHA512
28a53d8ea9c31627e474f77d71d4561136f11e8de233012f6557a6ed80dae4b0aabbf1a7d5fd9ac93b44c62aec1b0cd1e759d668b7d8f5f88f8e12ee13acf0a6

Download Submit
C:\Program Files (x86)\MediaAccumulativeCodec\imex.bat

Filesize
100B

MD5
662f48a1d7bbabb99de8b51e2465c9b8

SHA1
fe31c2868143478f539fba398de93dfe93d2e82a

SHA256
28f86e44da62a09ce91f8adec29263a667a50a2520a9134c09f669a6c2ef84c2

SHA512
a1b2b8ea9dc6f0a262f81cc80f52b2d2066ae9443c89759c8c1792020d933974e887ba343d861fd214170cd3227290c5da8ccad873e899ee5ca209b997fdbaff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBEDD.tmp\NSISdl.dll

Filesize
14KB

MD5
a5b84d250794433db5a2d26f34699dd9

SHA1
bc06abccf6a4783973ec11b6766b43b4a265820c

SHA256
96f3357a024c549d7cb9e6447b1a56a2a8029b4f12e6e597428e68620761c5e0

SHA512
121d67f85a24096799ed913dccb64ef65d9479f98a6d88c2a0e05f05a65f460d557c5fdfe2c42a0a61b9cbaedd9b7031978111a2713250a89848ab4f3bb4ce84

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBEDD.tmp\System.dll

Filesize
10KB

MD5
7d85b1f619a3023cc693a88f040826d2

SHA1
09f5d32f8143e7e0d9270430708db1b9fc8871a8

SHA256
dc198967b0fb2bc7aaab0886a700c7f4d8cb346c4f9d48b9b220487b0dfe8a18

SHA512
5465804c56d6251bf369609e1b44207b717228a8ac36c7992470b9daf4a231256c0ce95e0b027c4164e62d9656742a56e2b51e9347c8b17ab51ff40f32928c85

Download Submit
memory/1092-17-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1092-19-0x0000000000570000-0x0000000000576000-memory.dmp

Filesize
24KB

Download
memory/1092-18-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1092-20-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1092-21-0x0000000000401000-0x0000000000424000-memory.dmp

Filesize
140KB

Download
memory/1092-22-0x0000000000570000-0x0000000000576000-memory.dmp

Filesize
24KB

Download
memory/1092-24-0x0000000000401000-0x0000000000424000-memory.dmp

Filesize
140KB

Download
memory/1092-23-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing