socelars | 63b27757379ae97b85007c26ac18b83f69edfed179544359eb92ff1d23803492

General

Target

18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.exe
Size

1.9MB
MD5

18314d37e862d5c24f7f7d0f04bb9a09
SHA1

0c7156e2c3e336d14f87c8815fd9516496e6e53e
SHA256

63b27757379ae97b85007c26ac18b83f69edfed179544359eb92ff1d23803492
SHA512

3358fbb2d3cc862cdd7e414d647fc243c6df260380610a004a9151cf02f3649c7c6a80da2a418e43b4b8a941da2ac10a6d292b533b32ae15bfe67ad20e384eaf
SSDEEP

24576:1TfEWQMHi9jzdDnA0Hse37/kf+lsEmYmHfAlOFpe8Qk+Th/De:JcW4fWiL8g7m5Al98uTBK

Score

10^/10

socelars discovery stealer

Malware Config

Extracted

Family

socelars

C2

http://www.zhxxjs.pw/Info/

http://www.allinfo.pw/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Executes dropped EXE 2 IoCs

Processes:

18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmpDiskScan.exe

pid	Process
2820	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp
2512	DiskScan.exe

Loads dropped DLL 6 IoCs

Processes:

18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.exe18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmpWerFault.exe

pid	Process
2224	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.exe
2820	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2576	2512	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp

pid	Process
2820	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp
2820	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp

pid	Process
2820	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.exe18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmpDiskScan.exe

description	pid	Process	procid_target
PID 2224 wrote to memory of 2820	2224	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2820	2224	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2820	2224	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2820	2224	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2820	2224	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2820	2224	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2820	2224	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.exe	28
PID 2820 wrote to memory of 2512	2820	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp	29
PID 2820 wrote to memory of 2512	2820	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp	29
PID 2820 wrote to memory of 2512	2820	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp	29
PID 2820 wrote to memory of 2512	2820	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp	29
PID 2512 wrote to memory of 2576	2512	DiskScan.exe	30
PID 2512 wrote to memory of 2576	2512	DiskScan.exe	30
PID 2512 wrote to memory of 2576	2512	DiskScan.exe	30
PID 2512 wrote to memory of 2576	2512	DiskScan.exe	30

C:\Users\Admin\AppData\Local\Temp\18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\is-QEC79.tmp\18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QEC79.tmp\18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp" /SL5="$400EE,1255067,809984,C:\Users\Admin\AppData\Local\Temp\18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
    "C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 660
      4⤵
      Loads dropped DLL
      Program crash
      PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe

Filesize
1.1MB

MD5
7c45d6bb1ad157b2a1bcf846a70cf28e

SHA1
3093930da264cd169880d92acfd739750adde40c

SHA256
9de4dd12e31445a073c04c64731676ebde5850fb7ffee5463cf398142c824c71

SHA512
5af94e470a8e713bba3e24a08f47ea2cc6935acaf95afabf90cea71bb26cd0c860ed4d81bd0168cf3533c9d248eb883fa1d6cb982f7fafc1db908116b7b96192

Download Submit
\Users\Admin\AppData\Local\Temp\is-QEC79.tmp\18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp

Filesize
2.5MB

MD5
b791cce5df067cdb8b8a8eae20d3c8f4

SHA1
9558d6e5de346d2e444ac869e885d101dcf94b83

SHA256
c4905f1105c0d90fa77d346c8b088ac6a1a18326c0d356f24fee45ef6484955e

SHA512
fada58d582d51406728cf6018110e0f8acef09b9f55fcb22252660524b98f33b7695c4f0cd3e4bfa6b47c4e82d7a335665a3be86f6ea3218ea30ffa7c025444f

Download Submit
memory/2224-0-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2224-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/2224-24-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2820-9-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/2820-23-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads