8582e24797d8aff6cd5252ed3c7d4c1ad5966ea5db5e3652ae9c2f2e1c125fd4

General

Target

29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe
Size

181KB
MD5

29972effa5e965cb998b87a809c76ee8
SHA1

1dd76db0bddcfeb293d6cdf763fc164ba508bd59
SHA256

8582e24797d8aff6cd5252ed3c7d4c1ad5966ea5db5e3652ae9c2f2e1c125fd4
SHA512

7c32736ef3cf04fc03579c9905a778be862489abc0b7efc582d51f2b5f9679f1a8c66dd5b003d94e6007d63b1575c8cb31011d8c9eb710ec83e0cef20ef2457f
SSDEEP

3072:lEiKXnSkAbb6A1shJWBLefw9Ie2X19tL3Jx2AHVgdN2IfVL8+cR0PqnYdsXaxyhu:lEiKXzAbuA2caeG1/P2AHKaMVL8tF2SY

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1192-2-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/1192-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4804-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4804-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4804-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1192-16-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/5092-115-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1192-232-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/1192-279-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 4804	1192	29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe	92
PID 1192 wrote to memory of 4804	1192	29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe	92
PID 1192 wrote to memory of 4804	1192	29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe	92
PID 1192 wrote to memory of 5092	1192	29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe	94
PID 1192 wrote to memory of 5092	1192	29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe	94
PID 1192 wrote to memory of 5092	1192	29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe startC:\Program Files (x86)\LP\3A52\3E8.exe%C:\Program Files (x86)\LP\3A52
  2⤵
  PID:4804
- C:\Users\Admin\AppData\Local\Temp\29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\29972effa5e965cb998b87a809c76ee8_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\27539\1353A.exe%C:\Users\Admin\AppData\Roaming\27539
  2⤵
  PID:5092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1044,i,13449985004032019519,10418033681721867105,262144 --variations-seed-version --mojo-platform-channel-handle=3944 /prefetch:8
1⤵
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\27539\9CFB.753

Filesize
996B

MD5
c957dd1a9d01126855953e2fac572d21

SHA1
d680a7164ed62e24ff5ba93d73d84f8e11e94564

SHA256
392fc6f2d95a23c51bed948f8aea3535cd7ccde57f3e92fa032b0713380efbbb

SHA512
aba29a7f74c6257b3cba715ae8cd3ea0e1964662bbd28482288f2bfbd1b4972217184c78a90d3374ffe6b039099c4c3a48e931554c43c66a56efb9631e65de29

Download Submit
C:\Users\Admin\AppData\Roaming\27539\9CFB.753

Filesize
600B

MD5
4773263a3d8012359e199ab60daf305d

SHA1
de64fc9f002fa1f1ffdc6283e27413146cadc21b

SHA256
8d6546a6267b2ea1c138e416d67d8002ac7f64c5a4ccd83f53fac25d3271bc04

SHA512
09dc44795d62e4d0a4c28bd148d3a1d054f53bbe5d0daea5b95b3a91c8ff02e919bc0006695c94993616214090ecfb19bc2be53f79cecea1fff591f30dd7eb7d

Download Submit
C:\Users\Admin\AppData\Roaming\27539\9CFB.753

Filesize
1KB

MD5
5970d2d26ea8ef73034368589d7fef81

SHA1
7c2fd2480b1eeec2b5e6f3758730363fe1521b80

SHA256
e0cd49961531be4f7d05510e6d5bdea0c0ee6f6f3ab6b0f0b6434ffebb06379b

SHA512
a3b3b26470ba18e2ff7d78c9a558d95f0707af52cb1b6ecc2231af8e22466b3a19e07d3fed51ff0974563f9a914381da78d28a797b64536fba9991ed8e71dea0

Download Submit
memory/1192-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1192-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1192-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1192-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1192-232-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1192-279-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4804-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4804-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4804-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/5092-115-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing