3df271825234e407231ed8918b9335fe5c195350e51c8132219087752b21fd13

Analysis

max time kernel
142s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

169b05317940f90150c968949ef61fe5_JaffaCakes118.exe
Size

171KB
MD5

169b05317940f90150c968949ef61fe5
SHA1

8b7d2faa5320429ea889c6dd975060e31d1686bb
SHA256

3df271825234e407231ed8918b9335fe5c195350e51c8132219087752b21fd13
SHA512

95c21f20453b20e3b5ccf292b092e7e589811c84f3cbc8fc9b5cc5e134439962e7f010230bc0089d9c797b6045b5492873ded380e3c79867be736634a0e3d4ea
SSDEEP

3072:xv/mjWtE3zyOFtGBlK6uBpxg3e/KzW4vhsNGkBdw0WjHj08cvpOT4u9L4ERwxsW1:lOq6zVfpZKzFifQjGpbu1xREsF6

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2284-1-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2284-3-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2760-6-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2284-67-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2424-76-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2424-78-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2284-149-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2760	2284	169b05317940f90150c968949ef61fe5_JaffaCakes118.exe	28
PID 2284 wrote to memory of 2760	2284	169b05317940f90150c968949ef61fe5_JaffaCakes118.exe	28
PID 2284 wrote to memory of 2760	2284	169b05317940f90150c968949ef61fe5_JaffaCakes118.exe	28
PID 2284 wrote to memory of 2760	2284	169b05317940f90150c968949ef61fe5_JaffaCakes118.exe	28
PID 2284 wrote to memory of 2424	2284	169b05317940f90150c968949ef61fe5_JaffaCakes118.exe	30
PID 2284 wrote to memory of 2424	2284	169b05317940f90150c968949ef61fe5_JaffaCakes118.exe	30
PID 2284 wrote to memory of 2424	2284	169b05317940f90150c968949ef61fe5_JaffaCakes118.exe	30
PID 2284 wrote to memory of 2424	2284	169b05317940f90150c968949ef61fe5_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\169b05317940f90150c968949ef61fe5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\169b05317940f90150c968949ef61fe5_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Users\Admin\AppData\Local\Temp\169b05317940f90150c968949ef61fe5_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\169b05317940f90150c968949ef61fe5_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\169b05317940f90150c968949ef61fe5_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\169b05317940f90150c968949ef61fe5_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4F1D.06D

Filesize
1KB

MD5
212750b16b59bc95e3de5c220c402f33

SHA1
00ac09917a5397f5c952251e84597a2d8aab6c30

SHA256
1a32f8052ef77f590dfa41b9503ea07efb7c506e8319f351e3a8f0e97f384b60

SHA512
a25448a7b861287103b2c1a5b715ec828bff3b09124ad0748d17d6474bf10bc90a2be9da81f347efa0700b1fff7d114415eefcaeb669061824054aba723faf9f

Download Submit
C:\Users\Admin\AppData\Roaming\4F1D.06D

Filesize
600B

MD5
ff03245c08e50c0c62cd0bc5e46e2c05

SHA1
0464c9be4c4a45c6b9b596de2febbb6659121b92

SHA256
ba706921e75d089f18c3559cda1dd3eea15db182a529fa90a7ea50bef3fcc68a

SHA512
a94fb7381a5c92aaaf30d4634e75c225cae3bc76197f5c9682933969752db5caed14c135cd00a71d2890b0ef71e9e3364a12ff41f1a31590874acf6dd6cbd3d2

Download Submit
C:\Users\Admin\AppData\Roaming\4F1D.06D

Filesize
996B

MD5
83a3ddd4af4e114cac2bbfde7ec38187

SHA1
18c7f8b4a9f074c153768ffd4f971515a527a925

SHA256
3dc3bc1e576c89227b9b6a20d92ca448622973401662222576bdb0588e3ac76e

SHA512
6bafcd739a8ece6e0b4e9a9d69f422878954febb11983827f9b8e46e5b008e37584771d330c5e300cdf94f20413fd25ff230f54a9bb5a0a9707d657c1d598b5b

Download Submit
memory/2284-1-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2284-3-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2284-67-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2284-149-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2424-76-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2424-78-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2760-7-0x00000000005F4000-0x0000000000611000-memory.dmp

Filesize
116KB

Download
memory/2760-6-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download