6754147e3b1468acb1a73c90219871f4b16872a65040b7b8289fd56e59b56bfb

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26a7bac2e69bf601a773e5a80c6ae698_JaffaCakes118.exe
Size

386KB
MD5

26a7bac2e69bf601a773e5a80c6ae698
SHA1

999e29934a55d8fa9f66ebb6f2311d0a4998c062
SHA256

6754147e3b1468acb1a73c90219871f4b16872a65040b7b8289fd56e59b56bfb
SHA512

4cca5c5249a27ee1045390e69fef59a8e52a09d36f3666d283f7e131e9071d13e1368f0af3931bec4bf07ef157c91856c3feab218e80b493ad2fab425923057b
SSDEEP

12288:t9xZ5yN3Cwaw//ikDju436I26h+OoS9Ot4:t9vsky/7NKDm+14

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1812-0-0x0000000000F40000-0x000000000108F000-memory.dmp	upx
behavioral2/memory/1812-1-0x0000000000F40000-0x000000000108F000-memory.dmp	upx
behavioral2/files/0x000b0000000233ff-6.dat	upx
behavioral2/memory/1812-7-0x0000000000F40000-0x000000000108F000-memory.dmp	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 4308	1812	26a7bac2e69bf601a773e5a80c6ae698_JaffaCakes118.exe	83
PID 1812 wrote to memory of 4308	1812	26a7bac2e69bf601a773e5a80c6ae698_JaffaCakes118.exe	83
PID 1812 wrote to memory of 4308	1812	26a7bac2e69bf601a773e5a80c6ae698_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\26a7bac2e69bf601a773e5a80c6ae698_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26a7bac2e69bf601a773e5a80c6ae698_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\15.bat
  2⤵
  PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\15.bat

Filesize
174B

MD5
a684953751974add54d79a9471a8dd6c

SHA1
3fd025c538e1065119fd47ef74d3010c80785499

SHA256
090a66752ce1a766cc08adde98b25a729db52df35fa751b0bc0909502450212e

SHA512
ea27190a82f980051b8eeb64b628bc1ca512e3fc0f69ee366ae784936a9582b43fae607b581000ea20ef65957f1273e1b9b790a1cf59470bdd765199c28d19e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\53484.exe

Filesize
386KB

MD5
26a7bac2e69bf601a773e5a80c6ae698

SHA1
999e29934a55d8fa9f66ebb6f2311d0a4998c062

SHA256
6754147e3b1468acb1a73c90219871f4b16872a65040b7b8289fd56e59b56bfb

SHA512
4cca5c5249a27ee1045390e69fef59a8e52a09d36f3666d283f7e131e9071d13e1368f0af3931bec4bf07ef157c91856c3feab218e80b493ad2fab425923057b

Download Submit
memory/1812-0-0x0000000000F40000-0x000000000108F000-memory.dmp

Filesize
1.3MB

Download
memory/1812-1-0x0000000000F40000-0x000000000108F000-memory.dmp

Filesize
1.3MB

Download
memory/1812-7-0x0000000000F40000-0x000000000108F000-memory.dmp

Filesize
1.3MB

Download