c9f37df04217a31cf0bc0af31156ba661ee58d5fea8ebeac0adf78da57d5c8f4

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a6dc25560726472c8822559503cb828_JaffaCakes118.exe
Size

209KB
MD5

0a6dc25560726472c8822559503cb828
SHA1

085497801e85f73779d280804ece006e7b1e1caf
SHA256

c9f37df04217a31cf0bc0af31156ba661ee58d5fea8ebeac0adf78da57d5c8f4
SHA512

a843a6db1899ef44d4a7ebc718ad36c9e1ae148dd1ce527021166a0eeca214edbb134e00a7fdbfced9d078c8ffd4837f4ed8ea52cef7ed231ec81a0d882ab789
SSDEEP

3072:AIfLOGdQyTP591doS12Na+SbLkyREmEgqdUZ+FkdrwcOyuF5mq/zN96Ss:3TP53doIfFKHndPkJw5ye5PN9Ds

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2960-1-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/1752-4-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2960-14-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2992-82-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2960-159-0x0000000000400000-0x000000000044D000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 1752	2960	0a6dc25560726472c8822559503cb828_JaffaCakes118.exe	28
PID 2960 wrote to memory of 1752	2960	0a6dc25560726472c8822559503cb828_JaffaCakes118.exe	28
PID 2960 wrote to memory of 1752	2960	0a6dc25560726472c8822559503cb828_JaffaCakes118.exe	28
PID 2960 wrote to memory of 1752	2960	0a6dc25560726472c8822559503cb828_JaffaCakes118.exe	28
PID 2960 wrote to memory of 2992	2960	0a6dc25560726472c8822559503cb828_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2992	2960	0a6dc25560726472c8822559503cb828_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2992	2960	0a6dc25560726472c8822559503cb828_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2992	2960	0a6dc25560726472c8822559503cb828_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\0a6dc25560726472c8822559503cb828_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a6dc25560726472c8822559503cb828_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\0a6dc25560726472c8822559503cb828_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\0a6dc25560726472c8822559503cb828_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:1752
- C:\Users\Admin\AppData\Local\Temp\0a6dc25560726472c8822559503cb828_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\0a6dc25560726472c8822559503cb828_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\377C.84E

Filesize
600B

MD5
894cd34859bd25c3f1ecda900f12007b

SHA1
6ac8cf9e9b9a9b400087e67179744f94832175e2

SHA256
619b214fa038e99541d75c7538355c8752d9c045d44c617ba40556afb87a755b

SHA512
8e64c2192f9b73a9ffbf465a2965675e114b176e184f92b09ff744d7a6f643b2accccc8309d5af154f3d166c48a76059e1796be3ed4eee72ce950925fa005881

Download Submit
C:\Users\Admin\AppData\Roaming\377C.84E

Filesize
1KB

MD5
a8ccae826486206ceb3c625850c84e9a

SHA1
5b06ed9ef18fd0857934ebecb5e93035c80a4014

SHA256
70d4a76eacf80b98ffdc1e095730ed6f670711a011b83d9d2cd496d50beb9070

SHA512
912f043586d4508ba351f5c34104e2d26170e4ab909e8b54ac897d1e078061aa4eb8fbfc94ebe0d6e5798538434f64795e3ad6a84d88a08f55d371681adbc1c0

Download Submit
memory/1752-4-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1752-5-0x0000000000598000-0x00000000005C9000-memory.dmp

Filesize
196KB

Download
memory/2960-1-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2960-14-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2960-159-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2992-82-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2992-83-0x0000000000516000-0x0000000000547000-memory.dmp

Filesize
196KB

Download