socelars | 19016f6046c546c36eecab64a02330915059a71931fb6ccc1ab057d4805ba7db

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/04/2024, 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Size

1.4MB
MD5

c447cdb7f9d41f5f754a696ffd1acc8c
SHA1

d4b47106964860921625a1ef8406cf2a6f69199d
SHA256

19016f6046c546c36eecab64a02330915059a71931fb6ccc1ab057d4805ba7db
SHA512

22415dd83fabde64033d5c8b7bd7da08b6b5683becc63cd214222b8580a36157bbd323a5a82edc62489198c6e7265d8d7c0b77e6ec09c70917c29e7daa25baef
SSDEEP

24576:CxpXPaR2J33o3S7P5zuHHOF2ahfehMHsGKzOYf8EEvX3fZ1Fsa:ipy+VDa8rtPvX3fZ/s

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	iplogger.org
11	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2168	taskkill.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeTcbPrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeSecurityPrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeBackupPrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeRestorePrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeShutdownPrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeDebugPrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeAuditPrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeUndockPrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeSyncAgentPrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: 31	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: 32	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: 33	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: 34	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: 35	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeDebugPrivilege	2168	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2696	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe	29
PID 2756 wrote to memory of 2696	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe	29
PID 2756 wrote to memory of 2696	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe	29
PID 2756 wrote to memory of 2696	2756	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe	29
PID 2696 wrote to memory of 2168	2696	cmd.exe	31
PID 2696 wrote to memory of 2168	2696	cmd.exe	31
PID 2696 wrote to memory of 2168	2696	cmd.exe	31
PID 2696 wrote to memory of 2168	2696	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2ABA.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2BF9.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit