poullight | 70236db972081f891c2f239e67e7924bae492ddc5fe5073c838eab0a730413b2

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 18:38

Target

afd0fd73b658168e31480fa3f0fef267_JaffaCakes118.exe
Size

92KB
MD5

afd0fd73b658168e31480fa3f0fef267
SHA1

a2579217dd963ac5a5d474bac08085c632124cfe
SHA256

70236db972081f891c2f239e67e7924bae492ddc5fe5073c838eab0a730413b2
SHA512

d773200722ce9f3cd2fa15dfca5d18368b3df6d2cb70a62e8d4f251a1228b253fdf2ecaeb457c1a7192e328686ee385c55246ebc48fed68231c518602c689c4a
SSDEEP

1536:7cGDF4pwt9RRnllg3VsH/KPqRwmcUet/s7wOHUN4ZKBvfdcPJvh90:IGDARVsH/KPq6mDELO0Ogw0

Score

10^/10

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2188-0-0x000002BE392D0000-0x000002BE392EE000-memory.dmp	family_poullight

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

afd0fd73b658168e31480fa3f0fef267_JaffaCakes118.exe

pid process

2188 afd0fd73b658168e31480fa3f0fef267_JaffaCakes118.exe
2188 afd0fd73b658168e31480fa3f0fef267_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

afd0fd73b658168e31480fa3f0fef267_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2188 afd0fd73b658168e31480fa3f0fef267_JaffaCakes118.exe

pid	process
2188	afd0fd73b658168e31480fa3f0fef267_JaffaCakes118.exe
2188	afd0fd73b658168e31480fa3f0fef267_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2188	afd0fd73b658168e31480fa3f0fef267_JaffaCakes118.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

C:\Users\Admin\AppData\Local\Temp\1tnaxoasmetjh2htl
Filesize
100KB

MD5
bfbf67a3ad4b5c0f7804f85d1f449a80

SHA1
110780a35d61de23b5fcb7b9e75a3ed07deb7838

SHA256
2a38ab429847061aa3c614982e801e2e7139977a227466ce5ee61fa382a2bc2e

SHA512
77bd3011b5d0074af16b93a5ab1967379a0a032bbf43c1e7b6ef205aeb27454e079c94e419bea6f7d730dc84b632e44250203a508fcdcd864ada9888381f4fdd

Download Submit
memory/2188-0-0x000002BE392D0000-0x000002BE392EE000-memory.dmp

Filesize
120KB

Download
memory/2188-1-0x00007FFB82733000-0x00007FFB82735000-memory.dmp

Filesize
8KB

Download
memory/2188-2-0x00007FFB82730000-0x00007FFB831F1000-memory.dmp

Filesize
10.8MB

Download
memory/2188-4-0x000002BE53800000-0x000002BE5380A000-memory.dmp

Filesize
40KB

Download
memory/2188-27-0x000002BE54CF0000-0x000002BE54EB2000-memory.dmp

Filesize
1.8MB

Download
memory/2188-30-0x000002BE553F0000-0x000002BE55918000-memory.dmp

Filesize
5.2MB

Download
memory/2188-46-0x000002BE53C80000-0x000002BE53C92000-memory.dmp

Filesize
72KB

Download
memory/2188-75-0x00007FFB82733000-0x00007FFB82735000-memory.dmp

Filesize
8KB

Download
memory/2188-76-0x00007FFB82730000-0x00007FFB831F1000-memory.dmp

Filesize
10.8MB

Download