socelars | 4b1fa53e1acfb5a328d7af9a76809fe1277bd8d8a8cc43081607fc4929f6198e

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-03-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Size

1.4MB
MD5

37e859fdf2b248c9a753cc95ba6bb42a
SHA1

ea4110fdef55dfd969ca5ef7b56bfa321a6e4142
SHA256

4b1fa53e1acfb5a328d7af9a76809fe1277bd8d8a8cc43081607fc4929f6198e
SHA512

0dd39a6fcfbaf739032bd758016a5f8c72d59c6452559fb2141c87304e2bc4dd05cc9652dfe0209e6f986ab59790e1f329250eb30fc814ff4e7bf59ca0355d1a
SSDEEP

24576:ZxpXPaR2J33o3S7P5zuHHOF2ahfehMHsGKzOYf8EEvX3jZ10:jpy+VDa8rtPvX3jZy

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
14	iplogger.org
15	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
928	taskkill.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exetaskkill.exe

description	pid	Process
Token: SeCreateTokenPrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeTcbPrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeSecurityPrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeBackupPrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeRestorePrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeShutdownPrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeDebugPrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeAuditPrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeUndockPrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeSyncAgentPrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeImpersonatePrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: 31	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: 32	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: 33	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: 34	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: 35	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeDebugPrivilege	928	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.execmd.exe

description	pid	Process	procid_target
PID 1256 wrote to memory of 788	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe	30
PID 1256 wrote to memory of 788	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe	30
PID 1256 wrote to memory of 788	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe	30
PID 1256 wrote to memory of 788	1256	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe	30
PID 788 wrote to memory of 928	788	cmd.exe	32
PID 788 wrote to memory of 928	788	cmd.exe	32
PID 788 wrote to memory of 928	788	cmd.exe	32
PID 788 wrote to memory of 928	788	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
867b3074f6aaafee27d5e61f389f075e

SHA1
d938914ce03b3d6f15906a9bbb9f35d1e3926c3a

SHA256
9d925fbe6162258894575b86abce6ed39166fd0c92c8ea46ae42e3a347d564e0

SHA512
e96dff904d2b7e95b458f0ede7f65f29f8dc550d53daaa0da81a91fef223f3ba9bb5d2fe8198e650236e1b768c2997fee257daa0a6e9476f49848e93ff99086d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab58CC.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar59FB.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit