lumma | cfed482a56459322e4ae214148847b6006dceaebc728160fa500f637c87d93d8

General

Target

f9c59bdbba347bec2b0e2638ac205ff6_JaffaCakes118.exe
Size

96KB
MD5

f9c59bdbba347bec2b0e2638ac205ff6
SHA1

eadac78e46d5e280d83a9235e385538aeb5e9e9e
SHA256

cfed482a56459322e4ae214148847b6006dceaebc728160fa500f637c87d93d8
SHA512

bfcbf5341ce6536cc68c7db8f74d152c34e31eb7fd374d0526ce0bdc2b07642ec33581d2dd5ffaa6361f528a3af32db60e32c85d7bd70b827c6a96f3414e608b
SSDEEP

1536:FUuqVmx1AJsF34AWIyQIxQpPih07qo6LR+6CBjXO1IK3hrDNljWbaSQVpv/C:SjVeWdoyhID7qoa+6CBK1IChrDNlxS

Score

10^/10

lumma stealer

Malware Config

Signatures

Detect Lumma Stealer payload V4 1 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\msgfix.exe	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Executes dropped EXE 1 IoCs

Processes:

msgfix.exe

pid process

3000 msgfix.exe
Loads dropped DLL 2 IoCs

Processes:

f9c59bdbba347bec2b0e2638ac205ff6_JaffaCakes118.exe

pid process

1132 f9c59bdbba347bec2b0e2638ac205ff6_JaffaCakes118.exe
1132 f9c59bdbba347bec2b0e2638ac205ff6_JaffaCakes118.exe

pid	process
3000	msgfix.exe

pid	process
1132	f9c59bdbba347bec2b0e2638ac205ff6_JaffaCakes118.exe
1132	f9c59bdbba347bec2b0e2638ac205ff6_JaffaCakes118.exe

Drops file in System32 directory 23 IoCs

Processes:

msgfix.exef9c59bdbba347bec2b0e2638ac205ff6_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\msgfix.exe\msgfix.exe\msgfix.exe	msgfix.exe
File created	C:\Windows\SysWOW64\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe	msgfix.exe
File created	C:\Windows\SysWOW64\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe	msgfix.exe
File created	C:\Windows\SysWOW64\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe	msgfix.exe
File created	C:\Windows\SysWOW64\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe	msgfix.exe
File created	C:\Windows\SysWOW64\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe	msgfix.exe
File created	C:\Windows\SysWOW64\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe	msgfix.exe
File created	C:\Windows\SysWOW64\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe	msgfix.exe
File created	C:\Windows\SysWOW64\msgfix.exe	f9c59bdbba347bec2b0e2638ac205ff6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msgfix.exe	f9c59bdbba347bec2b0e2638ac205ff6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msgfix.exe\msgfix.exe	msgfix.exe
File created	C:\Windows\SysWOW64\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe	msgfix.exe
File created	C:\Windows\SysWOW64\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe	msgfix.exe
File created	C:\Windows\SysWOW64\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe	msgfix.exe
File created	C:\Windows\SysWOW64\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe	msgfix.exe
File created	C:\Windows\SysWOW64\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe	msgfix.exe
File created	C:\Windows\SysWOW64\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe	msgfix.exe
File created	C:\Windows\SysWOW64\msgfix.exe	msgfix.exe
File created	C:\Windows\SysWOW64\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe	msgfix.exe
File created	C:\Windows\SysWOW64\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe	msgfix.exe
File created	C:\Windows\SysWOW64\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe	msgfix.exe
File created	C:\Windows\SysWOW64\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe	msgfix.exe
File created	C:\Windows\SysWOW64\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe\msgfix.exe	msgfix.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

f9c59bdbba347bec2b0e2638ac205ff6_JaffaCakes118.exe

description	pid	process	target process
PID 1132 wrote to memory of 3000	1132	f9c59bdbba347bec2b0e2638ac205ff6_JaffaCakes118.exe	msgfix.exe
PID 1132 wrote to memory of 3000	1132	f9c59bdbba347bec2b0e2638ac205ff6_JaffaCakes118.exe	msgfix.exe
PID 1132 wrote to memory of 3000	1132	f9c59bdbba347bec2b0e2638ac205ff6_JaffaCakes118.exe	msgfix.exe
PID 1132 wrote to memory of 3000	1132	f9c59bdbba347bec2b0e2638ac205ff6_JaffaCakes118.exe	msgfix.exe

C:\Users\Admin\AppData\Local\Temp\f9c59bdbba347bec2b0e2638ac205ff6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9c59bdbba347bec2b0e2638ac205ff6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\SysWOW64\msgfix.exe
  C:\Windows\system32\msgfix.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\msgfix.exe

Filesize
96KB

MD5
f9c59bdbba347bec2b0e2638ac205ff6

SHA1
eadac78e46d5e280d83a9235e385538aeb5e9e9e

SHA256
cfed482a56459322e4ae214148847b6006dceaebc728160fa500f637c87d93d8

SHA512
bfcbf5341ce6536cc68c7db8f74d152c34e31eb7fd374d0526ce0bdc2b07642ec33581d2dd5ffaa6361f528a3af32db60e32c85d7bd70b827c6a96f3414e608b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads