65d998ea6abb9df03fed6dda24e34e6e0ff4e545fc22b527aae0b740f089c5ff

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a766f865831cf40a59476292058f946_JaffaCakes118.exe
Size

174KB
MD5

2a766f865831cf40a59476292058f946
SHA1

29c7d59fa1d784b4b8a1088d0779dde6c4bfbd59
SHA256

65d998ea6abb9df03fed6dda24e34e6e0ff4e545fc22b527aae0b740f089c5ff
SHA512

06533a19beba93efd2d23ee8210660b147da39ba3d2557596060b3a0b4a2e4b420352f28b36628ce2d47cf393c304f51eaa67989dd9b544daa165b0f3eaf0f64
SSDEEP

3072:UhyXvXJfVWHkfdrrWWZlndI2JJmobYKd2vWAykvLXsLyP83thau4tfaYdV:U8vXnfdfvBrdb5Es+83L3a

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2404-1-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/2404-3-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/2532-5-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/2532-6-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/2324-75-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/2404-74-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/2404-170-0x0000000000400000-0x0000000000461000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2532	2404	2a766f865831cf40a59476292058f946_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2532	2404	2a766f865831cf40a59476292058f946_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2532	2404	2a766f865831cf40a59476292058f946_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2532	2404	2a766f865831cf40a59476292058f946_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2324	2404	2a766f865831cf40a59476292058f946_JaffaCakes118.exe	33
PID 2404 wrote to memory of 2324	2404	2a766f865831cf40a59476292058f946_JaffaCakes118.exe	33
PID 2404 wrote to memory of 2324	2404	2a766f865831cf40a59476292058f946_JaffaCakes118.exe	33
PID 2404 wrote to memory of 2324	2404	2a766f865831cf40a59476292058f946_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\2a766f865831cf40a59476292058f946_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a766f865831cf40a59476292058f946_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\2a766f865831cf40a59476292058f946_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2a766f865831cf40a59476292058f946_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2532
- C:\Users\Admin\AppData\Local\Temp\2a766f865831cf40a59476292058f946_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2a766f865831cf40a59476292058f946_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EBAA.356

Filesize
300B

MD5
cb77216a63fb50eb16a66885651b6ac5

SHA1
11bc1a687ba20a333ea2ff564b393cf378a5faa0

SHA256
55213d322a0b3e50f1a83a24f963c72e4aa3c31ef108c472752296a7a3b25070

SHA512
b8f75755cb8c7df4702a7aff02381573172ab493d8bcee7cdd3b8b314eb2c8895928c586fdbeabe41e348be5363f07fcbd7e32407b61f01cf6773275e54cbabb

Download Submit
C:\Users\Admin\AppData\Roaming\EBAA.356

Filesize
1KB

MD5
2b8ae357e70b1f62db26a86fb4accbf1

SHA1
424f2456184dc1c4a5eb895f3b2f6d084e725edc

SHA256
cc2ff520fe90dc2f8fa48bd349092a8cabf181b80aaa0dec2ed3bcf8c30433c6

SHA512
c2e064abafdeafa1894d7f0f53ccb5c7ee3a13174aa4e0b361ff058ee63b9a772c6d28c812931d61fbaaf975d7394769db566bee2779527d0f0f7e820fe8b1f3

Download Submit
C:\Users\Admin\AppData\Roaming\EBAA.356

Filesize
696B

MD5
b6dff1c85302fded8b1ad9525ea9b37f

SHA1
a27570493fe8f3eeff485c9e535715c016bde2cd

SHA256
8d2ad7fab35f560831643e52c209b0dde09ae7c93915811533c808f3050b2dbe

SHA512
7664d5b272c7c640b4cdcd9e5ed16fc69bf4b9003e8f80e38e684a4822c282ae27b4af0059270a1865ebd9578ee732ad1208e175b90dd9c8de858e43ebfd22d9

Download Submit
memory/2324-75-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2324-76-0x0000000000915000-0x0000000000938000-memory.dmp

Filesize
140KB

Download
memory/2404-1-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2404-3-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2404-74-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2404-170-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2532-5-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2532-6-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download