1f5fc3b9e208b760dde1e0927ef9f8e3bcbb50ff43ec12d5718e96aca8d4321c

General

Target

1ab7d3a333759676ff41d063cd42051b_JaffaCakes118.exe
Size

179KB
MD5

1ab7d3a333759676ff41d063cd42051b
SHA1

614a4a47a07dd4c72f0b38f1e021236cbce6a96e
SHA256

1f5fc3b9e208b760dde1e0927ef9f8e3bcbb50ff43ec12d5718e96aca8d4321c
SHA512

a9d6058457e8c5f2d34b3ca4cc9cdec44efcbf08174074be3d2d2f8d8b5a6a666abb11e6b0a9f352fd1cba013bfc324b865d3125e17fa88a53b3a49766287d5d
SSDEEP

3072:TlNAKPfBJ5EITVe9Yomi0/jsOKG1atpykCy7Kid1ZmMcry/0m4DMWAmqqIZwHY85:xNAKljVe9YxCVeqKyVd1UvTomK+HYYH

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1044-2-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1044-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1948-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1948-14-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1044-16-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1668-130-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1044-251-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1044-298-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1948	1044	1ab7d3a333759676ff41d063cd42051b_JaffaCakes118.exe	28
PID 1044 wrote to memory of 1948	1044	1ab7d3a333759676ff41d063cd42051b_JaffaCakes118.exe	28
PID 1044 wrote to memory of 1948	1044	1ab7d3a333759676ff41d063cd42051b_JaffaCakes118.exe	28
PID 1044 wrote to memory of 1948	1044	1ab7d3a333759676ff41d063cd42051b_JaffaCakes118.exe	28
PID 1044 wrote to memory of 1668	1044	1ab7d3a333759676ff41d063cd42051b_JaffaCakes118.exe	30
PID 1044 wrote to memory of 1668	1044	1ab7d3a333759676ff41d063cd42051b_JaffaCakes118.exe	30
PID 1044 wrote to memory of 1668	1044	1ab7d3a333759676ff41d063cd42051b_JaffaCakes118.exe	30
PID 1044 wrote to memory of 1668	1044	1ab7d3a333759676ff41d063cd42051b_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\1ab7d3a333759676ff41d063cd42051b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1ab7d3a333759676ff41d063cd42051b_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\1ab7d3a333759676ff41d063cd42051b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\1ab7d3a333759676ff41d063cd42051b_JaffaCakes118.exe startC:\Program Files (x86)\LP\A77E\3E1.exe%C:\Program Files (x86)\LP\A77E
  2⤵
  PID:1948
- C:\Users\Admin\AppData\Local\Temp\1ab7d3a333759676ff41d063cd42051b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\1ab7d3a333759676ff41d063cd42051b_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\E8AFB\627A7.exe%C:\Users\Admin\AppData\Roaming\E8AFB
  2⤵
  PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E8AFB\B9BC.8AF

Filesize
996B

MD5
e2cd91b73e99e3b74f04a4cc5e885dd0

SHA1
d3fbe15793bbfa6f7c23cd5e6f1a0d6af86d21ee

SHA256
27c486c82fe1e5889a1e15658606598fdb2580b3e829b1256780686cf2893dce

SHA512
2df8e6816a10c5aa5e734d3a4638ea620c7ad01d6063dc8d8be384f300542699e766e70482af7c4a60f50cdf3637ff24563f68fb0f02b8335bc8a1a650338be8

Download Submit
C:\Users\Admin\AppData\Roaming\E8AFB\B9BC.8AF

Filesize
600B

MD5
3a0d83b839f1ce27eab5299a4dcef291

SHA1
aa7f151794d41ea7d861aff39fb1ff8219789326

SHA256
4ec94fc41c1ebbe77d7d31e71001d9d0a567842d7c9bbc0e727493076b240455

SHA512
90ee4d9a6b076854bbd401b08fa3156cb65c6f09d1822062037f3ad4f13fcf9a8dd156e0fcdecce470541915ab43b86754d7dd41a81ddc584878341ad11d8c5e

Download Submit
C:\Users\Admin\AppData\Roaming\E8AFB\B9BC.8AF

Filesize
1KB

MD5
568471b203a511b5f9c69cfaaa029484

SHA1
0703cb4444d08f1bacd743a34c32d1e72055c9ec

SHA256
f8a600030cf3283ee7fdadecc071c4d101a8ca5a29a14491d78ab48612a87de6

SHA512
58634d0ac16618e58f0ba47fa8335ac56f5276a7b56ea078fef2028452b10a630ccaa1c03dc0796738a2d4af15bb94198fe41ef1cf9afd452e0e0223d5d65b40

Download Submit
memory/1044-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1044-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1044-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1044-251-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1044-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1044-298-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1668-130-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1948-15-0x00000000005B2000-0x00000000005C7000-memory.dmp

Filesize
84KB

Download
memory/1948-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1948-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing