6a941f71a46616aa978e96ebd18f3fcab014d93ee531ce671dd8f24dd4ecce4a

Analysis

max time kernel
141s
max time network
124s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe
Size

199KB
MD5

f9783930fc42d414f98315fad2fafca0
SHA1

3bb48c191418ee8776f2860460001cc0496c2ee6
SHA256

6a941f71a46616aa978e96ebd18f3fcab014d93ee531ce671dd8f24dd4ecce4a
SHA512

7c0a739b7d8c57f9cc3dae99dff045f149ff218f0c451bc78ebbbcf9914a63cb132a2dca5dd1fa7dae67c853401b150bb7b8fe7b45c3d0bed0ffed04b7a93426
SSDEEP

6144:lvW7ntBa5S49H99P4x0Mz0rtGeBhz0pI:k7kS4x9h4x0RGeBSC

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1644-1-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2520-12-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1476-77-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1644-78-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1644-184-0x0000000000400000-0x0000000000469000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2520	1644	f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe	28
PID 1644 wrote to memory of 2520	1644	f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe	28
PID 1644 wrote to memory of 2520	1644	f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe	28
PID 1644 wrote to memory of 2520	1644	f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe	28
PID 1644 wrote to memory of 1476	1644	f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe	30
PID 1644 wrote to memory of 1476	1644	f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe	30
PID 1644 wrote to memory of 1476	1644	f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe	30
PID 1644 wrote to memory of 1476	1644	f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2520
- C:\Users\Admin\AppData\Local\Temp\f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DB14.F6A

Filesize
600B

MD5
3c7cee2f29c692765001c1a93497b929

SHA1
9a33110f0235b93c04a9a1dc6ffe1b0b701cfcb3

SHA256
26c3bf3a7d4041b618a5ccd1be5c3c5691672b2590620b1c740f05484f45a28e

SHA512
773a7635b1986baecd7098764328c74208dab84827b8ce9f6dfe0208c760ffb3d4776c88e975fd7e06632c4094bce1bd8f11dba3325c6cebae0e8ddd7ea35285

Download Submit
C:\Users\Admin\AppData\Roaming\DB14.F6A

Filesize
1KB

MD5
5b09e1f81e34c3276e1be07eabedd637

SHA1
39d82ab1ab33ea7d40e5d090552211b26aeacd30

SHA256
178be4cdc2ca86e16fb6011fe1b681f3ae027831e5ba9f6b9c37d98a43b31a54

SHA512
4c1db758ce549742b5d1401bea53f87004c017187f9b4cea2dbf10a68ad4163f0a7d0e2af8efc128270a63bd50ceee9d02ea43b1a47d0a64b90736aa594652d1

Download Submit
C:\Users\Admin\AppData\Roaming\DB14.F6A

Filesize
996B

MD5
59ecc000120aa2de9840466f271db0c7

SHA1
576d5373cf9b7aa7e0dbfd4cafd73973654d6034

SHA256
72ab3d86299f3466c12310cb6ec6eb45fcc7a7dbbb4756914041d9b012815069

SHA512
007dc297f29c30211d28c1af6f9906390b9767b2c4c7a5c9661767e2d4837a29dcf1f55395ddf0686e0860191ce4b85b0019de6030370f47200afab42cb634b9

Download Submit
memory/1476-77-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1476-79-0x000000000058D000-0x00000000005AB000-memory.dmp

Filesize
120KB

Download
memory/1644-1-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1644-2-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/1644-78-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1644-80-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/1644-184-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2520-13-0x000000000033D000-0x000000000035B000-memory.dmp

Filesize
120KB

Download
memory/2520-12-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download