poullight | 70236db972081f891c2f239e67e7924bae492ddc5fe5073c838eab0a730413b2

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
15-06-2024 18:38

Target

afd0fd73b658168e31480fa3f0fef267_JaffaCakes118.exe
Size

92KB
MD5

afd0fd73b658168e31480fa3f0fef267
SHA1

a2579217dd963ac5a5d474bac08085c632124cfe
SHA256

70236db972081f891c2f239e67e7924bae492ddc5fe5073c838eab0a730413b2
SHA512

d773200722ce9f3cd2fa15dfca5d18368b3df6d2cb70a62e8d4f251a1228b253fdf2ecaeb457c1a7192e328686ee385c55246ebc48fed68231c518602c689c4a
SSDEEP

1536:7cGDF4pwt9RRnllg3VsH/KPqRwmcUet/s7wOHUN4ZKBvfdcPJvh90:IGDARVsH/KPq6mDELO0Ogw0

Score

10^/10

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer payload 1 IoCs

resource	yara_rule
behavioral1/memory/468-1-0x0000000000990000-0x00000000009AE000-memory.dmp	family_poullight

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
468	afd0fd73b658168e31480fa3f0fef267_JaffaCakes118.exe
468	afd0fd73b658168e31480fa3f0fef267_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	468	afd0fd73b658168e31480fa3f0fef267_JaffaCakes118.exe

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\ww3nsua0uid05xhgptg

Filesize
92KB

MD5
f5582ab8cd4909e3531c32d3a28f156e

SHA1
40402c9af7fcff602e5efb662a08a3577b019379

SHA256
da23680ac69b11618f023c43695198e3ab7ace6b831fd2e189d81d15aa333ad6

SHA512
1f1a3bf4b03621518013f064c777e56eb6594e53e39e589f7c274993cc188c3b800986a5d6b15131e64c3b76b74af7d68ef43ae29794db0b8e3ec9862382195f

Download Submit
memory/468-0-0x000007FEF52A3000-0x000007FEF52A4000-memory.dmp

Filesize
4KB

Download
memory/468-1-0x0000000000990000-0x00000000009AE000-memory.dmp

Filesize
120KB

Download
memory/468-2-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

Filesize
9.9MB

Download
memory/468-75-0x000007FEF52A3000-0x000007FEF52A4000-memory.dmp

Filesize
4KB

Download
memory/468-76-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

Filesize
9.9MB

Download