e2d02f56474f24a255c62ba5d23bfb9fbd9c05f421b2f6c3367ea16e82585a53

Analysis

max time kernel
142s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f583af0d0edf526f7193c730ec90e8e7_JaffaCakes118.exe
Size

181KB
MD5

f583af0d0edf526f7193c730ec90e8e7
SHA1

88785c5e23726762fb3be19957ad44de9902b71c
SHA256

e2d02f56474f24a255c62ba5d23bfb9fbd9c05f421b2f6c3367ea16e82585a53
SHA512

8db54fe2f78ed6e9c38989e45d4edc893414ed75fd2e1de3b0ada735e9bce1de86a78229eaa31e715aa991f6fc898768abfee690165e43135f5090cf472390b0
SSDEEP

3072:3+v3HUVBjoAnn5ccD6OW6idPwHr5uib8hB9CRHoP5FE7PLs/6bFmp7ASf7:3+v30VBECjdoW8g8TqoqLvbFy0SD

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2344-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3204-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2344-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4524-109-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4524-111-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2344-263-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 3204	2344	f583af0d0edf526f7193c730ec90e8e7_JaffaCakes118.exe	91
PID 2344 wrote to memory of 3204	2344	f583af0d0edf526f7193c730ec90e8e7_JaffaCakes118.exe	91
PID 2344 wrote to memory of 3204	2344	f583af0d0edf526f7193c730ec90e8e7_JaffaCakes118.exe	91
PID 2344 wrote to memory of 4524	2344	f583af0d0edf526f7193c730ec90e8e7_JaffaCakes118.exe	92
PID 2344 wrote to memory of 4524	2344	f583af0d0edf526f7193c730ec90e8e7_JaffaCakes118.exe	92
PID 2344 wrote to memory of 4524	2344	f583af0d0edf526f7193c730ec90e8e7_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\f583af0d0edf526f7193c730ec90e8e7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f583af0d0edf526f7193c730ec90e8e7_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\f583af0d0edf526f7193c730ec90e8e7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f583af0d0edf526f7193c730ec90e8e7_JaffaCakes118.exe startC:\Program Files (x86)\LP\D334\3AD.exe%C:\Program Files (x86)\LP\D334
  2⤵
  PID:3204
- C:\Users\Admin\AppData\Local\Temp\f583af0d0edf526f7193c730ec90e8e7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f583af0d0edf526f7193c730ec90e8e7_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\46E21\A6AD3.exe%C:\Users\Admin\AppData\Roaming\46E21
  2⤵
  PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\46E21\1B09.6E2

Filesize
996B

MD5
db4283924be830bebeb05991e9ad4abe

SHA1
3403d9fc8980573d2b122ee009b7c8d7e3dbd1b4

SHA256
7f0d0da42e3aadbb4bb8740f50170832274eb4ef57df8070b8ad18c7ddf86283

SHA512
afd50749b222821b37a04ba6d4676667d485ef7a503e75f68231787eb632ffe622ea7a4a5f61e16092375e425eedd96949e9b03a008d0df56a0108c1b12a820d

Download Submit
C:\Users\Admin\AppData\Roaming\46E21\1B09.6E2

Filesize
600B

MD5
6bbcb6fa3951b8896d6530bb6804d45b

SHA1
3f519b140548bb4988addde7279a9150192da474

SHA256
fbe497fac396a208f79266c4ddc08476c7d8bce48ac021a8df156d962784f346

SHA512
0d3943dacf56448494065220f744c8e15bc030ac60c04fd19350be4cd81ded080ffdf157e7de300eb3d35e1b56e919207c6398f47799f400e074d453aaaf76c7

Download Submit
C:\Users\Admin\AppData\Roaming\46E21\1B09.6E2

Filesize
1KB

MD5
4e31293ae65a1ed18c079bf951506a70

SHA1
67c69fcbfe63c6cf52a89e2b3da593a2a01a6057

SHA256
be66dc568c48c81b527ad94d2198e8cfc91fb48a56ed81ecd3f80a8f5b1c17f1

SHA512
453057ea30152806f98d8689b6696091f60ae12d4f91334decfb41231a42a70fba74570256d89d08daffce3cf3ad3d1988446ac4da0ca448234c2ac59b7e9e12

Download Submit
memory/2344-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2344-3-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/2344-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2344-263-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2344-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2344-212-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/3204-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3204-14-0x0000000000586000-0x000000000059F000-memory.dmp

Filesize
100KB

Download
memory/4524-111-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4524-110-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/4524-109-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download