socelars | 7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b

General

Target

abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exe
Size

1.9MB
MD5

abf7e26171a76f84b7548c70e4211c7b
SHA1

ffd622d897d936d5abf2bde3ad9ffad669987ceb
SHA256

7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b
SHA512

0667bf7a70c2094fd5cb376de9a17a5dd66cfce32084276ea10011d80260a73f2ccf0ad3c0f8e35754fed09d9d3aaddd053cebad1581ae77db8c35c1cc3887e1
SSDEEP

49152:7cW4fJo1uk6WT2IT6kv/NOgEg9Yj9d+AGx5RsSwm:7X4xLk9T2G6E/Wd+lVsSwm

Score

10^/10

socelars discovery stealer upx

Malware Config

Extracted

Family

socelars

C2

http://www.createinfo.pw/

http://www.allinfo.pw/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000015d28-17.dat	upx
behavioral1/memory/2556-22-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral1/memory/2556-33-0x0000000000400000-0x0000000000541000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 2 IoCs

pid	Process
1872	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp
2556	DiskScan.exe

Loads dropped DLL 9 IoCs

pid	Process
832	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exe
1872	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2608	2556	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1872	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp
1872	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1872	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 1872	832	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exe	28
PID 832 wrote to memory of 1872	832	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exe	28
PID 832 wrote to memory of 1872	832	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exe	28
PID 832 wrote to memory of 1872	832	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exe	28
PID 832 wrote to memory of 1872	832	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exe	28
PID 832 wrote to memory of 1872	832	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exe	28
PID 832 wrote to memory of 1872	832	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exe	28
PID 1872 wrote to memory of 2556	1872	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp	29
PID 1872 wrote to memory of 2556	1872	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp	29
PID 1872 wrote to memory of 2556	1872	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp	29
PID 1872 wrote to memory of 2556	1872	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp	29
PID 2556 wrote to memory of 2608	2556	DiskScan.exe	30
PID 2556 wrote to memory of 2608	2556	DiskScan.exe	30
PID 2556 wrote to memory of 2608	2556	DiskScan.exe	30
PID 2556 wrote to memory of 2608	2556	DiskScan.exe	30

C:\Users\Admin\AppData\Local\Temp\abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:832
- C:\Users\Admin\AppData\Local\Temp\is-RIVFM.tmp\abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RIVFM.tmp\abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp" /SL5="$40112,1302781,816640,C:\Users\Admin\AppData\Local\Temp\abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
    "C:\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 664
      4⤵
      Loads dropped DLL
      Program crash
      PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-RIVFM.tmp\abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp

Filesize
2.5MB

MD5
066108c4b0102357ebdaf3791ba38fe8

SHA1
59e9e8043232169c0554e350c233433b0bc4c83c

SHA256
a720dd6efcd1910ea490c0095ff0efa36eb5228712e61294eeb4b3072715c035

SHA512
a2bb074f042d7214536083dfe341da9dafe1d170cf52e9c0f4ff0041f959d4a28cc6be9cb0e5ec3adf63188d658332b7440d6b5ac8e02af2801e7f34a04acad2

Download Submit
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe

Filesize
569KB

MD5
eab34089ba89eb30bab4d46d0d1d7c63

SHA1
676f13707c42ff4b0324ae9854096729f7541d0f

SHA256
13f90329010f340108f283ae7c832b5c51e32d4ddfd48657f8a9961b1b09ed78

SHA512
c47ac4760e1950575d2f5012b2bfd029cbf1d670f9e075f2b2faa18a129785957342d3bef0f3120e37c4610a221f489aef705b8e647da0861d678278e77bff6e

Download Submit
memory/832-0-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/832-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/832-25-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1872-9-0x0000000000400000-0x0000000000690000-memory.dmp

Filesize
2.6MB

Download
memory/1872-20-0x00000000043D0000-0x0000000004511000-memory.dmp

Filesize
1.3MB

Download
memory/1872-24-0x0000000000400000-0x0000000000690000-memory.dmp

Filesize
2.6MB

Download
memory/2556-22-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/2556-33-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing