631438f38435e83205dea77ed480a1f6938a31c4678a2c798ccea47bf13d36e5

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe
Size

185KB
MD5

2b90765e0f0627fc57b3c043cfdf614f
SHA1

9ee62a12cb695897619eb12c62784ba12bd441f5
SHA256

631438f38435e83205dea77ed480a1f6938a31c4678a2c798ccea47bf13d36e5
SHA512

ce10557be0bbaa998c04618bc5027ccd05a096d96a18fdbb91d300f12c12edf8b8f5f2ab77ab2e60716272946216e1f6bdea91b7ff54da3dd1d9a231020c423a
SSDEEP

3072:LWMaXtJDgkKuHfpefTuR+zmRpAqa3DoiWzqQZO2pJEOeleBMUIIT:LWM+lgk/BefU+zmsqazSfRvele4U

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1640-1-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1640-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2888-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1640-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2600-82-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1640-147-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1640-182-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2888	1640	2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe	28
PID 1640 wrote to memory of 2888	1640	2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe	28
PID 1640 wrote to memory of 2888	1640	2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe	28
PID 1640 wrote to memory of 2888	1640	2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe	28
PID 1640 wrote to memory of 2600	1640	2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe	30
PID 1640 wrote to memory of 2600	1640	2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe	30
PID 1640 wrote to memory of 2600	1640	2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe	30
PID 1640 wrote to memory of 2600	1640	2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe startC:\Program Files (x86)\LP\954B\872.exe%C:\Program Files (x86)\LP\954B
  2⤵
  PID:2888
- C:\Users\Admin\AppData\Local\Temp\2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\B95BA\E9795.exe%C:\Users\Admin\AppData\Roaming\B95BA
  2⤵
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B95BA\A72C.95B

Filesize
1KB

MD5
548f753513ba26192716a204230a6545

SHA1
b63d3fca9984bce0815d1da06ffdb08d99d874c4

SHA256
0f82ca199a2c92b74046689bf1059263912cd866337ed486c99d1e5273e253c2

SHA512
49d63580b559c932da493b64998d51104947855a8ee88018ba6434c9fcb3d6aab4d4e4f14073e4a231a35f78927f77f7bae3468424fbb938dff631dafa6cd6fd

Download Submit
C:\Users\Admin\AppData\Roaming\B95BA\A72C.95B

Filesize
600B

MD5
36a65660e4c5c6f726df0f99d21c8c5b

SHA1
0754027d004500d9f93f0f2d0d395511ece9b278

SHA256
9e9b115e7e23c66bf59d3cc76e284f8b87379b4a33649b15936ffdc01de89192

SHA512
fbe17b997e8a4a2dc221f70c7e8ca0d863dffe71bc7548d50d68e4e3aa766f3a9a6341122581c8037badd0baedd8b45a9b09c70ad7cffe9ea601c19446a3208a

Download Submit
C:\Users\Admin\AppData\Roaming\B95BA\A72C.95B

Filesize
996B

MD5
ef28aff21c2fa9c69eadae7b861a48a1

SHA1
f886ca11861859f0fe48dbe5b93234a1d60c3895

SHA256
fd4d30db67f9d0d010382cd6faf8f02cc10adabc323bf73645757ff80e2502ee

SHA512
986c8a91b8713d89a0b6d655809a173fa4396ae78452206c1198e2abb543d5f0bec97bae7013d4cf3998dc8e414f3916f9926648dddcdd5669fc98bda31d7f0f

Download Submit
memory/1640-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1640-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1640-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1640-147-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1640-182-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2600-82-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2888-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download