84b1532207c2c125388f8f576708b96bacc3dd31de9c41f64edf0a083cf9f1a3

Analysis

max time kernel
143s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22616cd11e8369815965211071778a31_JaffaCakes118.exe
Size

186KB
MD5

22616cd11e8369815965211071778a31
SHA1

dcd4aa5174031c97ad5a16aea0f3ca201412d295
SHA256

84b1532207c2c125388f8f576708b96bacc3dd31de9c41f64edf0a083cf9f1a3
SHA512

f10832b8701e2ee5355a5b641f5a0cc96b2d9dd7986c4082f9008df32631084c82acca2bf46af02b3b6505ce41948e02dea1d8024ab06a0800f07cf53d1924f4
SSDEEP

3072:6IJ08+joCgu6ODtWgpwX11JXKHgGNfhKeG/4IlEVDnx7M9FPaQS8UpyZPS3ekq24:6IS8wR6rJpKAGNfMRCLmnaV8Iyp63q2

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/740-1-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/5012-12-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/1676-116-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/740-114-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/740-195-0x0000000000400000-0x0000000000471000-memory.dmp	upx

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 5012	740	22616cd11e8369815965211071778a31_JaffaCakes118.exe	90
PID 740 wrote to memory of 5012	740	22616cd11e8369815965211071778a31_JaffaCakes118.exe	90
PID 740 wrote to memory of 5012	740	22616cd11e8369815965211071778a31_JaffaCakes118.exe	90
PID 740 wrote to memory of 1676	740	22616cd11e8369815965211071778a31_JaffaCakes118.exe	103
PID 740 wrote to memory of 1676	740	22616cd11e8369815965211071778a31_JaffaCakes118.exe	103
PID 740 wrote to memory of 1676	740	22616cd11e8369815965211071778a31_JaffaCakes118.exe	103

C:\Users\Admin\AppData\Local\Temp\22616cd11e8369815965211071778a31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\22616cd11e8369815965211071778a31_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:740
- C:\Users\Admin\AppData\Local\Temp\22616cd11e8369815965211071778a31_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\22616cd11e8369815965211071778a31_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:5012
- C:\Users\Admin\AppData\Local\Temp\22616cd11e8369815965211071778a31_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\22616cd11e8369815965211071778a31_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:1676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4160,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=3984 /prefetch:8
1⤵
PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0649.654

Filesize
996B

MD5
74aa342edfc755075a45cae55d0f3192

SHA1
cfe94986ec04023249a1e0ed4349cd9ea661dd8b

SHA256
988784882e4e6c7ace9388bf69a797968ca643618170be0da0e3d140282556f4

SHA512
3aa42bbd982f5e5a9006023db8ecab773948df417b39558bc5b49d19bdffdf2283e2abff99e49585c6f62dc3d902b6280a4c29271e265c99704054656739d730

Download Submit
C:\Users\Admin\AppData\Roaming\0649.654

Filesize
600B

MD5
dbcfedf9eb9c24da71fdef57e1e9225d

SHA1
8acc23a169fec3c85d6949eff5d866f9ef7278df

SHA256
ac3625bc0c4d54f9bcc1ac322955d12f333eb8057d4adb5d80133e29b2c459fc

SHA512
cd5f957650b29976cb1cf5bf73a60caab3aeff3df47e95800ffe1ffc4e07236062c74bcbc4936de0d0ba0e32bc6b6e7e638678a6d3090953740c024346bac0e4

Download Submit
memory/740-1-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/740-114-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/740-195-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1676-116-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5012-12-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download