Analysis Overview
SHA256
297f5728b2745385894404fb56f2bdb83f6565cf74aafcc101c372022af152c6
Threat Level: Known bad
The file 9317bbbc3823a23e4f439649eb9a65a5_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Poullight Stealer payload
Poullight family
Poullight
Reads user/profile data of web browsers
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 00:13
Signatures
Poullight Stealer payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Poullight family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 00:13
Reported
2024-06-04 00:16
Platform
win7-20240221-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Poullight
Poullight Stealer payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9317bbbc3823a23e4f439649eb9a65a5_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9317bbbc3823a23e4f439649eb9a65a5_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9317bbbc3823a23e4f439649eb9a65a5_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9317bbbc3823a23e4f439649eb9a65a5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9317bbbc3823a23e4f439649eb9a65a5_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | f0427103.xsph.ru | udp |
| RU | 141.8.197.42:80 | f0427103.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0427103.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0427103.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0427103.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0427103.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0427103.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0427103.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0427103.xsph.ru | tcp |
Files
memory/1652-0-0x000007FEF54C3000-0x000007FEF54C4000-memory.dmp
memory/1652-1-0x0000000001310000-0x0000000001330000-memory.dmp
memory/1652-2-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qwmzlrvf-k
| Hash | Value |
|---|---|
| MD5 | cca646afddab881d02bb60864ff72e23 |
| SHA1 | 25b462e62a0219857cc854f6433e8acea77e3dbc |
| SHA256 | c7223e5de0b0db22b3e193b2d48215816c75472ccdf9330a0ab66d4731b2e49e |
| SHA512 | c35da6cfe5e4a3f887a876b38b4e5b9e6d5c035cf8d6f20158f89ee14a196941fd6a29faa1f90f64cd253556536670773ec15cd358014d994483a8745c41587d |
memory/1652-74-0x000007FEF54C3000-0x000007FEF54C4000-memory.dmp
memory/1652-75-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 00:13
Reported
2024-06-04 00:16
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
152s
Command Line
Signatures
Poullight
Poullight Stealer payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9317bbbc3823a23e4f439649eb9a65a5_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9317bbbc3823a23e4f439649eb9a65a5_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9317bbbc3823a23e4f439649eb9a65a5_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9317bbbc3823a23e4f439649eb9a65a5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9317bbbc3823a23e4f439649eb9a65a5_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | f0427103.xsph.ru | udp |
| RU | 141.8.197.42:80 | f0427103.xsph.ru | tcp |
| US | 8.8.8.8:53 | 42.197.8.141.in-addr.arpa | udp |
| RU | 141.8.197.42:80 | f0427103.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0427103.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0427103.xsph.ru | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| RU | 141.8.197.42:80 | f0427103.xsph.ru | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| RU | 141.8.197.42:80 | f0427103.xsph.ru | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| RU | 141.8.197.42:80 | f0427103.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0427103.xsph.ru | tcp |
Files
memory/2264-0-0x000001EC46360000-0x000001EC46380000-memory.dmp
memory/2264-1-0x00007FFA85653000-0x00007FFA85655000-memory.dmp
memory/2264-2-0x00007FFA85650000-0x00007FFA86111000-memory.dmp
memory/2264-4-0x000001EC480A0000-0x000001EC480AA000-memory.dmp
memory/2264-29-0x000001EC61A50000-0x000001EC61C12000-memory.dmp
memory/2264-32-0x000001EC62150000-0x000001EC62678000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cz8rwivq
| Hash | Value |
|---|---|
| MD5 | 9df444e0de734921d4d96deeeac4b16e |
| SHA1 | 31542622ecf896b93d830e21595091aef8742901 |
| SHA256 | 1d324d34d58165aca7dbf057a7417457776b4e805d60182401a9275fb7920900 |
| SHA512 | 2de6a0ac09b7a1a21cda31e49c072b097ca1959814c535920a099a9df87e993ba2dfd6cebcb8ec2110efca385bb618f771258575a06736afcfd6cd40a8e1a957 |
memory/2264-49-0x000001EC609B0000-0x000001EC609C2000-memory.dmp
memory/2264-80-0x000001EC609D0000-0x000001EC609F4000-memory.dmp
memory/2264-82-0x00007FFA85653000-0x00007FFA85655000-memory.dmp
memory/2264-83-0x00007FFA85650000-0x00007FFA86111000-memory.dmp
memory/2264-84-0x000001EC609D0000-0x000001EC609F4000-memory.dmp
memory/2264-94-0x000001EC609D0000-0x000001EC609F4000-memory.dmp