8582e24797d8aff6cd5252ed3c7d4c1ad5966ea5db5e3652ae9c2f2e1c125fd4

General

Target

29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe
Size

181KB
MD5

29972effa5e965cb998b87a809c76ee8
SHA1

1dd76db0bddcfeb293d6cdf763fc164ba508bd59
SHA256

8582e24797d8aff6cd5252ed3c7d4c1ad5966ea5db5e3652ae9c2f2e1c125fd4
SHA512

7c32736ef3cf04fc03579c9905a778be862489abc0b7efc582d51f2b5f9679f1a8c66dd5b003d94e6007d63b1575c8cb31011d8c9eb710ec83e0cef20ef2457f
SSDEEP

3072:lEiKXnSkAbb6A1shJWBLefw9Ie2X19tL3Jx2AHVgdN2IfVL8+cR0PqnYdsXaxyhu:lEiKXzAbuA2caeG1/P2AHKaMVL8tF2SY

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2188-2-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2188-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2080-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2188-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1908-133-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1908-134-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2188-244-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2188-300-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2080	2188	29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2080	2188	29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2080	2188	29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2080	2188	29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe	30
PID 2188 wrote to memory of 1908	2188	29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe	32
PID 2188 wrote to memory of 1908	2188	29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe	32
PID 2188 wrote to memory of 1908	2188	29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe	32
PID 2188 wrote to memory of 1908	2188	29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe startC:\Program Files (x86)\LP\0235\66C.exe%C:\Program Files (x86)\LP\0235
  2⤵
  PID:2080
- C:\Users\Admin\AppData\Local\Temp\29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\5D79E\5B602.exe%C:\Users\Admin\AppData\Roaming\5D79E
  2⤵
  PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5D79E\E9EE.D79

Filesize
996B

MD5
aa750003a1b179097cc99f2d9121a97a

SHA1
c74c97ad84941e12023c799ba24d09173aa9d6e5

SHA256
1eda7414b04692cea8a6251795bab43717126470fddc8d5e0b857ac6fbb6623f

SHA512
f98bb477ce63938c23a0de6406a5d90ccb5fc63bf081322d3cb387c6b383e2022e4ea6d8d5f1231ce917029c9ae1ce5f21b3c008e6ccaf092a5590aa684e93a8

Download Submit
C:\Users\Admin\AppData\Roaming\5D79E\E9EE.D79

Filesize
600B

MD5
ee4d7cee929b6c077e3391d4f6d55320

SHA1
b995a0da9567bb9a4bdbc848ad564dc76f63bb6a

SHA256
ad0f7dcbb4a6fd5de9a1c5b5808d4b3245941b3022a248f6dadc1259097c6465

SHA512
b10a89765c18d891e5fe12c437ae39c20280644107d6612a4395c31538892a7937372171355e22cc5e12c53fcae881dbec20638e83a1a076036277a82dd89635

Download Submit
C:\Users\Admin\AppData\Roaming\5D79E\E9EE.D79

Filesize
1KB

MD5
1e851c1b97f7b96095bde69bb8664dc0

SHA1
9ba69a7b4fc011449ef72b4afd069ff88a88d56e

SHA256
87caebe0e19ffa8970a67c9366f6d9fe3e1334b504d08c85a4e860d7f901b928

SHA512
5b94e1b24a926aedc4dfaecc834a6313e93240d0f6d4d062ee00d1e7a841ccf5f594aecfbafba25374b254d06b9b250cb321267310a6c1ccdb49ad4632649d5c

Download Submit
memory/1908-133-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1908-135-0x0000000000568000-0x0000000000581000-memory.dmp

Filesize
100KB

Download
memory/1908-134-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2080-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2080-246-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2188-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2188-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2188-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2188-244-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2188-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2188-300-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing