e38e8f8467a8845fb9d5866978cbce73d97461332cf17c474d645085596c7ecf

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 12:41

Target

0537397ea0be5a2aa0ec0ec909866141_JaffaCakes118.exe
Size

567KB
MD5

0537397ea0be5a2aa0ec0ec909866141
SHA1

c554bed1c90099a95e0ee85652c9352746b0d799
SHA256

e38e8f8467a8845fb9d5866978cbce73d97461332cf17c474d645085596c7ecf
SHA512

4d841d8dbe10c83b7e5d680aa8012d63b6fe50d1d6101845f735a7251e90eead95b6c55dad172d0518da03bd4f006c145a48fd37ee5b10ff875327a5fd0ff9d0
SSDEEP

12288:D9x7fKJCO7VJa/T+eYVKW6UsdJ8TNDvcOgAmk0s+z28xuc7oti/ENokKW0DG:D/fH0gdYV7gX8TNVyz28gcjENokJ0DG

Score

7^/10

spyware stealer

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

0537397ea0be5a2aa0ec0ec909866141_JaffaCakes118.exe

description	pid	process	target process
PID 2752 wrote to memory of 1092	2752	0537397ea0be5a2aa0ec0ec909866141_JaffaCakes118.exe	cmd.exe
PID 2752 wrote to memory of 1092	2752	0537397ea0be5a2aa0ec0ec909866141_JaffaCakes118.exe	cmd.exe
PID 2752 wrote to memory of 1092	2752	0537397ea0be5a2aa0ec0ec909866141_JaffaCakes118.exe	cmd.exe
PID 2752 wrote to memory of 1092	2752	0537397ea0be5a2aa0ec0ec909866141_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0537397ea0be5a2aa0ec0ec909866141_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0537397ea0be5a2aa0ec0ec909866141_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\541.bat
2⤵
PID:1092

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\541.bat

Filesize
177B

MD5
6e408b1df6f5a35959ddb3ec406cf5d7

SHA1
696bda4239d8564c5499b34c8aeebb150cf5ec76

SHA256
866a4b7b56cf344a7431db7894fae98d609e7b7f0e61f7def016d955abe99eba

SHA512
f2a2082051d0f5f99309ad10a954ba8eedbe39ed29c70b3971c767d003d72eda06a7b23b3e6a70a6b3183fd616a9ea1e0380496891ff0fef7096f5a6c4ac8678

Download Submit
C:\Users\Admin\AppData\Local\Temp\803661.exe

Filesize
567KB

MD5
0537397ea0be5a2aa0ec0ec909866141

SHA1
c554bed1c90099a95e0ee85652c9352746b0d799

SHA256
e38e8f8467a8845fb9d5866978cbce73d97461332cf17c474d645085596c7ecf

SHA512
4d841d8dbe10c83b7e5d680aa8012d63b6fe50d1d6101845f735a7251e90eead95b6c55dad172d0518da03bd4f006c145a48fd37ee5b10ff875327a5fd0ff9d0

Download Submit
memory/2752-0-0x0000000010000000-0x000000001012A000-memory.dmp

Filesize
1.2MB

Download