f03500abcd68771c376bd47e8939b9fa53b0fe1195786fcfad36c6d5fad57ec6

General

Target

08c8692cdc6b983b2e173c80567585e2_JaffaCakes118.exe
Size

177KB
MD5

08c8692cdc6b983b2e173c80567585e2
SHA1

8c81ec4a3895440f79ddb1e076f22c8361944944
SHA256

f03500abcd68771c376bd47e8939b9fa53b0fe1195786fcfad36c6d5fad57ec6
SHA512

497a158df265d6d9c9e0adaafe57b3b108bab9d016c5284476c593f4f5461d375624fd412e317f202a7473fb7a818d1ac7185bf0cf3ae492805b5326856ebe03
SSDEEP

3072:c215dgfPPJjaQ7JZVBGldlIzc6SBCuW7JiZuuP1AfSc5C2kHX:wnBys/i1AiZuuP1AKcQ2kHX

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1700-2-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1700-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2832-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2832-14-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1700-16-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2172-138-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1700-239-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1700-302-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2832	1700	08c8692cdc6b983b2e173c80567585e2_JaffaCakes118.exe	28
PID 1700 wrote to memory of 2832	1700	08c8692cdc6b983b2e173c80567585e2_JaffaCakes118.exe	28
PID 1700 wrote to memory of 2832	1700	08c8692cdc6b983b2e173c80567585e2_JaffaCakes118.exe	28
PID 1700 wrote to memory of 2832	1700	08c8692cdc6b983b2e173c80567585e2_JaffaCakes118.exe	28
PID 1700 wrote to memory of 2172	1700	08c8692cdc6b983b2e173c80567585e2_JaffaCakes118.exe	30
PID 1700 wrote to memory of 2172	1700	08c8692cdc6b983b2e173c80567585e2_JaffaCakes118.exe	30
PID 1700 wrote to memory of 2172	1700	08c8692cdc6b983b2e173c80567585e2_JaffaCakes118.exe	30
PID 1700 wrote to memory of 2172	1700	08c8692cdc6b983b2e173c80567585e2_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\08c8692cdc6b983b2e173c80567585e2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08c8692cdc6b983b2e173c80567585e2_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\08c8692cdc6b983b2e173c80567585e2_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\08c8692cdc6b983b2e173c80567585e2_JaffaCakes118.exe startC:\Program Files (x86)\LP\AD87\878.exe%C:\Program Files (x86)\LP\AD87
  2⤵
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\08c8692cdc6b983b2e173c80567585e2_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\08c8692cdc6b983b2e173c80567585e2_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\75E38\ACFAD.exe%C:\Users\Admin\AppData\Roaming\75E38
  2⤵
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\75E38\8680.5E3

Filesize
996B

MD5
f321cbf27bd7d519795a93c55b329ebc

SHA1
2c86aaa3991c91edc7c796d34a3d0c9c9ad44990

SHA256
e33fa284fbea2ee840da41b9805483cc9680f6f74e60d97d9103b87b9feaef3a

SHA512
e6f4b4243e169aecf1a0476176d5e91a5559ad45437ebe782f6e93c22fb98ca389f0cf05a6e3d8ff976f330941f413b61582705d5e8c8ef48eca40e2686e6258

Download Submit
C:\Users\Admin\AppData\Roaming\75E38\8680.5E3

Filesize
600B

MD5
37b742f93adecdd87b6ca8c4470fcc4b

SHA1
7c5d3105e217d397d97b08af6eddcbc1ba9c1b26

SHA256
db6b14a59d66cdb4265a6c1d2cfe416d59066f6d0e479f4bdcb31483c4835000

SHA512
e4dd27659c68ddba16ed3ea72b69ec764d8c9f4a0ce6069700681f09d018d9dd80f079aec57c012e7f0bcb6260eede3f495f878e6553834a4d96f852b4ed816a

Download Submit
C:\Users\Admin\AppData\Roaming\75E38\8680.5E3

Filesize
1KB

MD5
f902485323639d239e6d80b69ab3323f

SHA1
9b510a443b71e1fbcee2bd8ae5d2120d82612bdc

SHA256
0d7c67e5ea273b77c8aad24ce522d3900c0db7aa24c25ff5d640a8a8bca78804

SHA512
269c6178bb588959b0eaee58fa7048e7af85dd4dbb57d83e1d4df437d6c9d0f2bee2a8f704f111cace4dabb9f6bbd27c350f87880b6d724ef23dadeb13cad7e7

Download Submit
memory/1700-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1700-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1700-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1700-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1700-239-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1700-302-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2172-138-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2832-15-0x00000000002FB000-0x000000000030D000-memory.dmp

Filesize
72KB

Download
memory/2832-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2832-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing