631438f38435e83205dea77ed480a1f6938a31c4678a2c798ccea47bf13d36e5

General

Target

2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe
Size

185KB
MD5

2b90765e0f0627fc57b3c043cfdf614f
SHA1

9ee62a12cb695897619eb12c62784ba12bd441f5
SHA256

631438f38435e83205dea77ed480a1f6938a31c4678a2c798ccea47bf13d36e5
SHA512

ce10557be0bbaa998c04618bc5027ccd05a096d96a18fdbb91d300f12c12edf8b8f5f2ab77ab2e60716272946216e1f6bdea91b7ff54da3dd1d9a231020c423a
SSDEEP

3072:LWMaXtJDgkKuHfpefTuR+zmRpAqa3DoiWzqQZO2pJEOeleBMUIIT:LWM+lgk/BefU+zmsqazSfRvele4U

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4760-1-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/4760-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3676-11-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4760-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1652-83-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4760-144-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/4760-173-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 3676	4760	2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe	93
PID 4760 wrote to memory of 3676	4760	2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe	93
PID 4760 wrote to memory of 3676	4760	2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe	93
PID 4760 wrote to memory of 1652	4760	2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe	94
PID 4760 wrote to memory of 1652	4760	2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe	94
PID 4760 wrote to memory of 1652	4760	2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\AppData\Local\Temp\2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe startC:\Program Files (x86)\LP\0135\2BE.exe%C:\Program Files (x86)\LP\0135
  2⤵
  PID:3676
- C:\Users\Admin\AppData\Local\Temp\2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2b90765e0f0627fc57b3c043cfdf614f_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\5A966\54001.exe%C:\Users\Admin\AppData\Roaming\5A966
  2⤵
  PID:1652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4488,i,12101950716832706950,8384629015980369538,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:8
1⤵
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5A966\6198.A96

Filesize
1KB

MD5
fae4af61822c5c391d40c141e8c13e91

SHA1
74c55b83cc1abae15955ed5bb9493af6f1fd0e98

SHA256
3fd5979154149645531d2bf6617c48cbc7b29144398035b7043b5ac85b952f42

SHA512
0d781dac46314545ffbbee3ca822434bc1c8678d821c07b19ca1db5c01696cda9da46b9ab88849d930b6f6b52f0af5e8b6e96e5e958d0218a1114ce81325c7a4

Download Submit
C:\Users\Admin\AppData\Roaming\5A966\6198.A96

Filesize
600B

MD5
6838bfff600bf21228fc1895395bd5f3

SHA1
8978d1ed4926e7a665b6355cfa4518bba4095f73

SHA256
b3738685773d075cdbcc9f293457497f82463b9e43f32666ac3a39b6bba7deb3

SHA512
996f73859a32a6129abbbb0508504e6189beeb8c54abc651016f8307695ce39656212c20ad2ff3f0645d34b1ba153417ef0f532dbe70edc6714638d48b647830

Download Submit
C:\Users\Admin\AppData\Roaming\5A966\6198.A96

Filesize
300B

MD5
ae5dd81b4776a1df6fc5fa20e72e6b62

SHA1
8c727410ec5399424aaf13439443108fd81ee924

SHA256
d024cac1df4783d7bc3b35cbed1140ac8730cb7b4c9e98fca699ebb6facf55a0

SHA512
3c3b61a8b481bb4286a1773cd345a08ea65c3fec2474394ae62d840504fba28941641aa909120781dd2797dbdf1c3b7df428e8c1a0abedfb2008f41d285e4f14

Download Submit
C:\Users\Admin\AppData\Roaming\5A966\6198.A96

Filesize
996B

MD5
a201ab4d2c24dd5cd918720028d8648f

SHA1
d55986dbdc81c21ea02adffb996075bdcd10154a

SHA256
01823daa718805aebe3aa18ce49b1993f3a05b080fb730b87e3e108e89b2cc51

SHA512
434d49ab5b79e5c19123da0201d1277512346cad7346401b830110ed1f31cb144ff2766e2b465fb5995c3cebb037b9a2e96dfb9e8d4978db618c1790e3e02871

Download Submit
memory/1652-83-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3676-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4760-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4760-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4760-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4760-144-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4760-173-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing