d7a44b60b9679e435701308183ff6ddd018a807c42ea53c3bec7e8108f0275c2

General

Target

2dd4eee8edbb72597bac799ec9aba9fd_JaffaCakes118.exe
Size

179KB
MD5

2dd4eee8edbb72597bac799ec9aba9fd
SHA1

bc6f6d5bfea4223bb95743459c8ce697f4a0831c
SHA256

d7a44b60b9679e435701308183ff6ddd018a807c42ea53c3bec7e8108f0275c2
SHA512

a8e9b126739cde9d8e60a48a6aca7f8962074e78aac94c46d30b91039429d0ed291dc819dc243c70705f31be3984bdbbc2e740a4c0a3e15442cc9eb634551e7d
SSDEEP

3072:FeokrC6FtnsdFS63Lqi993+PzNeW9X8Ye0V6DvZhOKxT8louriesMs9YQdEHVte:6Wi9sLSsuPzgW9X8IIzZ4Kx8cesMIkVt

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2396-2-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2396-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1984-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1984-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2396-16-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1504-126-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1504-127-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2396-244-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2396-307-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 1984	2396	2dd4eee8edbb72597bac799ec9aba9fd_JaffaCakes118.exe	31
PID 2396 wrote to memory of 1984	2396	2dd4eee8edbb72597bac799ec9aba9fd_JaffaCakes118.exe	31
PID 2396 wrote to memory of 1984	2396	2dd4eee8edbb72597bac799ec9aba9fd_JaffaCakes118.exe	31
PID 2396 wrote to memory of 1984	2396	2dd4eee8edbb72597bac799ec9aba9fd_JaffaCakes118.exe	31
PID 2396 wrote to memory of 1504	2396	2dd4eee8edbb72597bac799ec9aba9fd_JaffaCakes118.exe	33
PID 2396 wrote to memory of 1504	2396	2dd4eee8edbb72597bac799ec9aba9fd_JaffaCakes118.exe	33
PID 2396 wrote to memory of 1504	2396	2dd4eee8edbb72597bac799ec9aba9fd_JaffaCakes118.exe	33
PID 2396 wrote to memory of 1504	2396	2dd4eee8edbb72597bac799ec9aba9fd_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\2dd4eee8edbb72597bac799ec9aba9fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2dd4eee8edbb72597bac799ec9aba9fd_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\2dd4eee8edbb72597bac799ec9aba9fd_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2dd4eee8edbb72597bac799ec9aba9fd_JaffaCakes118.exe startC:\Program Files (x86)\LP\107F\017.exe%C:\Program Files (x86)\LP\107F
  2⤵
  PID:1984
- C:\Users\Admin\AppData\Local\Temp\2dd4eee8edbb72597bac799ec9aba9fd_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2dd4eee8edbb72597bac799ec9aba9fd_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\F0E83\30810.exe%C:\Users\Admin\AppData\Roaming\F0E83
  2⤵
  PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F0E83\334C.0E8

Filesize
996B

MD5
7e05a0ef84835b91b215e122f12a38a0

SHA1
71b1a3cdafda0bf6b9bf9f142eabe214d93c5522

SHA256
e5e2c7b0b7bdd9c3097812c158d48f8a37e3c7a600cb32a327fa5a41dcb0b901

SHA512
563b74c13f2f098bac87913d1b545ef14a8f969995983921293af20469115b51ac6b6f1e7c700215dcfe815ca15cf90d360604e06246a1f38d7fe84b79920fb0

Download Submit
C:\Users\Admin\AppData\Roaming\F0E83\334C.0E8

Filesize
600B

MD5
1c1aefabaa9267f8ce3ed4154040307f

SHA1
2f1da21d8971fabf74afa0d70a22de35de39ec5d

SHA256
f325684b8497bb344fffdc011818b796ed20d226ff930c5e8c6d351821aa470b

SHA512
d86fbe2c20a0987c38b4aa908ad258ec25acf7223cc345a49415525d4746bd1ed78252061c382ec2c71dfb84e29116308ed97851358400334485e3efe9c7c176

Download Submit
C:\Users\Admin\AppData\Roaming\F0E83\334C.0E8

Filesize
1KB

MD5
f770acd7e765890001bad75714a376fb

SHA1
6aace6133460cf1189275a7d361b3951002d97e0

SHA256
160cba70f9e70cf8f1e540dc9b187b236dde1ef33c29c130847ea44050d210a3

SHA512
2e71450fbdb2358d6923bd60efcef9b32306871a1319cc8c3cf817e9bb02f865875bf5a60f86147f962a9a3828a9a0da6caed60e8db190f9fc1a82deeb99ecda

Download Submit
memory/1504-126-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1504-127-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1984-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1984-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2396-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2396-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2396-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2396-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2396-244-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2396-307-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing