6a941f71a46616aa978e96ebd18f3fcab014d93ee531ce671dd8f24dd4ecce4a

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe
Size

199KB
MD5

f9783930fc42d414f98315fad2fafca0
SHA1

3bb48c191418ee8776f2860460001cc0496c2ee6
SHA256

6a941f71a46616aa978e96ebd18f3fcab014d93ee531ce671dd8f24dd4ecce4a
SHA512

7c0a739b7d8c57f9cc3dae99dff045f149ff218f0c451bc78ebbbcf9914a63cb132a2dca5dd1fa7dae67c853401b150bb7b8fe7b45c3d0bed0ffed04b7a93426
SSDEEP

6144:lvW7ntBa5S49H99P4x0Mz0rtGeBhz0pI:k7kS4x9h4x0RGeBSC

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4256-1-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1900-13-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4256-43-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1256-107-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4256-188-0x0000000000400000-0x0000000000469000-memory.dmp	upx

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 1900	4256	f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe	86
PID 4256 wrote to memory of 1900	4256	f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe	86
PID 4256 wrote to memory of 1900	4256	f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe	86
PID 4256 wrote to memory of 1256	4256	f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe	87
PID 4256 wrote to memory of 1256	4256	f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe	87
PID 4256 wrote to memory of 1256	4256	f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Users\Admin\AppData\Local\Temp\f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:1900
- C:\Users\Admin\AppData\Local\Temp\f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f9783930fc42d414f98315fad2fafca0_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\59D0.F0C

Filesize
996B

MD5
d1690604eb28cf776d444f059aa9b8d4

SHA1
cebdf51088bdfc90b467be68205793d5933d5bd2

SHA256
3322e7f6835504200fbde7c48634d8d4986ae7d39d54e8958f8fc5c5f93f053a

SHA512
d609fb344c0f636b9593a603695309b8eb27f7b541bf77ad5f55589664197c019da68b8ed0b8db7ede79214ad756e4e915ddd2f70d218fec59d1722c69d7babf

Download Submit
C:\Users\Admin\AppData\Roaming\59D0.F0C

Filesize
600B

MD5
af7e958105a876dac16806363b8e2965

SHA1
2290d2ff69100c09bb7e3135e3ec72880aa7285f

SHA256
596c0fa8cce419ec490ab43de29e454a22871a1b4045262499458e0da4c186c6

SHA512
566625855e08a064427f6b8cb68404dbc352c99130493290cdfb230a71b3edd1d864bb6bdd3fc9df865588051dc0b092d3a14b81fa932baa559bd39524200065

Download Submit
C:\Users\Admin\AppData\Roaming\59D0.F0C

Filesize
1KB

MD5
fb342562010c3adfb3c01ae8749940c7

SHA1
cae33ce43db799a318b94e43ad2f955516211bee

SHA256
cde999fa777a08ba5d75d8f1efd0d2be9287b467390609ebbbf51f114cbeaef4

SHA512
7baca75ca43e3aff58b1f1c57c07eb746d91a15161c9e7bbde8f7b5b4f614bf9efcd914d2a3f2552655e7e776dbdb0dfa022426b9a6f443547b5a7eea879bdd5

Download Submit
memory/1256-107-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1900-12-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1900-13-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4256-1-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4256-2-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/4256-43-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4256-109-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/4256-188-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download