84b1532207c2c125388f8f576708b96bacc3dd31de9c41f64edf0a083cf9f1a3

General

Target

22616cd11e8369815965211071778a31_JaffaCakes118.exe
Size

186KB
MD5

22616cd11e8369815965211071778a31
SHA1

dcd4aa5174031c97ad5a16aea0f3ca201412d295
SHA256

84b1532207c2c125388f8f576708b96bacc3dd31de9c41f64edf0a083cf9f1a3
SHA512

f10832b8701e2ee5355a5b641f5a0cc96b2d9dd7986c4082f9008df32631084c82acca2bf46af02b3b6505ce41948e02dea1d8024ab06a0800f07cf53d1924f4
SSDEEP

3072:6IJ08+joCgu6ODtWgpwX11JXKHgGNfhKeG/4IlEVDnx7M9FPaQS8UpyZPS3ekq24:6IS8wR6rJpKAGNfMRCLmnaV8Iyp63q2

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2420-2-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/3004-12-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2420-77-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2392-80-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2392-78-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2420-186-0x0000000000400000-0x0000000000471000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 3004	2420	22616cd11e8369815965211071778a31_JaffaCakes118.exe	28
PID 2420 wrote to memory of 3004	2420	22616cd11e8369815965211071778a31_JaffaCakes118.exe	28
PID 2420 wrote to memory of 3004	2420	22616cd11e8369815965211071778a31_JaffaCakes118.exe	28
PID 2420 wrote to memory of 3004	2420	22616cd11e8369815965211071778a31_JaffaCakes118.exe	28
PID 2420 wrote to memory of 2392	2420	22616cd11e8369815965211071778a31_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2392	2420	22616cd11e8369815965211071778a31_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2392	2420	22616cd11e8369815965211071778a31_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2392	2420	22616cd11e8369815965211071778a31_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\22616cd11e8369815965211071778a31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\22616cd11e8369815965211071778a31_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\22616cd11e8369815965211071778a31_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\22616cd11e8369815965211071778a31_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:3004
- C:\Users\Admin\AppData\Local\Temp\22616cd11e8369815965211071778a31_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\22616cd11e8369815965211071778a31_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F182.7C2

Filesize
1KB

MD5
11d07518e583c2fa518274ef8b60fb89

SHA1
dca6014d7c9e642e1292a3ac0a0d88f55baf8817

SHA256
5c6cf43907cbdc3dae4b371efcdf6137bf6fd8a61b658e1681f137cc085f6a8d

SHA512
0030252633cd77569495bc1c8557dd828394266685b5ce01e212481a6abb3b35fd13585b015d4e1febeda8c3ba9e8521c486445dfd929d8b4a3888175b771141

Download Submit
C:\Users\Admin\AppData\Roaming\F182.7C2

Filesize
1KB

MD5
c897810c2541fd256d82ec08e98acd7a

SHA1
36aaeb557bd4c7125224567d9ef9fe93307edb91

SHA256
289d5d8b45edd87a03682f9c7ea7441ae715b7ce812b1a7d1d014d94dc5162d7

SHA512
c77bea83e5d2c55aa918725197b6d2f3ebd4b9f9afaf4fe96f72c913c6fd531683d0c7290f174c92e4f8d6977d649e3928212ade037278fd300c9641b2827d76

Download Submit
C:\Users\Admin\AppData\Roaming\F182.7C2

Filesize
600B

MD5
46429c3544d2a7fa7bba0c0226792091

SHA1
942e1c1f7541f507a8019155576bd1d7497eb7ac

SHA256
2410316c6ca016901cbcd7ac57b44b7da3f10300dc603621e1986fa7e3c589fe

SHA512
7b1696b03cb1907ae12ae5f0220419a5eb551a52faef2f55c06a828d37da713fdc0e686868d4873782aeeabb0721abbc50afb7f21ea5811afb030673b2e79319

Download Submit
C:\Users\Admin\AppData\Roaming\F182.7C2

Filesize
996B

MD5
6f83d25dcdc148efb2ba9fc09f501140

SHA1
e175950dfd0905022d1655d174821974ce94c564

SHA256
2c61e12ab1501c3e2b7818eb29bf50bf727c715e61a69b791adf91d0b5c59fa4

SHA512
7af097325d694db00c8909c2ef597fcb2a928f2511d4c3b8bcc1dd2cbc70046f975c35ca2f978131d64f9b2bc7930ab5461e594fda3c662b1549089fb668ec52

Download Submit
memory/2392-80-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2392-79-0x00000000005A7000-0x00000000005C5000-memory.dmp

Filesize
120KB

Download
memory/2392-78-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2420-77-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2420-1-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2420-2-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2420-186-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3004-13-0x0000000000657000-0x0000000000675000-memory.dmp

Filesize
120KB

Download
memory/3004-12-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing