d55461122c95169c132735e2d902a3d2e88821fb78e237e7ded66f08861b08a2

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fa083139e2eb381f65ab85e2c7f1265_JaffaCakes118.exe
Size

176KB
MD5

2fa083139e2eb381f65ab85e2c7f1265
SHA1

e21520cc1d8602ed275c4b29cd3bddf06aafd514
SHA256

d55461122c95169c132735e2d902a3d2e88821fb78e237e7ded66f08861b08a2
SHA512

640afb1d2fac3039847d655de81fa9f5c97c66c8200ba0b5d8bebb9b7b10b875384786f84e21bc5cba1c340195e3f7e0bc05d454f53c6afac18a7f60b022d01a
SSDEEP

3072:f50Ma99qjFXA7KgKOeWTgkASXZ+vqqkDLLrWBOYqbw1OqVgxKne3FfvXNUa:f23q5aKzkASXZNBHLsxLUEqNK

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2204-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2052-4-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1552-74-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2204-76-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2204-179-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2204-184-0x0000000000400000-0x000000000044B000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2052	2204	2fa083139e2eb381f65ab85e2c7f1265_JaffaCakes118.exe	30
PID 2204 wrote to memory of 2052	2204	2fa083139e2eb381f65ab85e2c7f1265_JaffaCakes118.exe	30
PID 2204 wrote to memory of 2052	2204	2fa083139e2eb381f65ab85e2c7f1265_JaffaCakes118.exe	30
PID 2204 wrote to memory of 2052	2204	2fa083139e2eb381f65ab85e2c7f1265_JaffaCakes118.exe	30
PID 2204 wrote to memory of 1552	2204	2fa083139e2eb381f65ab85e2c7f1265_JaffaCakes118.exe	33
PID 2204 wrote to memory of 1552	2204	2fa083139e2eb381f65ab85e2c7f1265_JaffaCakes118.exe	33
PID 2204 wrote to memory of 1552	2204	2fa083139e2eb381f65ab85e2c7f1265_JaffaCakes118.exe	33
PID 2204 wrote to memory of 1552	2204	2fa083139e2eb381f65ab85e2c7f1265_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\2fa083139e2eb381f65ab85e2c7f1265_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2fa083139e2eb381f65ab85e2c7f1265_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\2fa083139e2eb381f65ab85e2c7f1265_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2fa083139e2eb381f65ab85e2c7f1265_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2052
- C:\Users\Admin\AppData\Local\Temp\2fa083139e2eb381f65ab85e2c7f1265_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2fa083139e2eb381f65ab85e2c7f1265_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5997.E0E

Filesize
600B

MD5
346c6bde0468b1a11a6c7b5a78e75f19

SHA1
e83694ba5db7158aa725b5ee9b4d130468164068

SHA256
b253874e2d8c6e85fb411c409b4984a62eaa8381acdf2d7dbe10986415a1d49f

SHA512
31425b9e86f84f135c62e951438cb562925126d0073bc4fc2bc14f01a1dca965f7f48c492c7f25ce2ee03383e492fa387e446c4fc729c9d2b7f33303c5ae95a6

Download Submit
C:\Users\Admin\AppData\Roaming\5997.E0E

Filesize
1KB

MD5
72c2feacbf2f14ce0ce4840e51977019

SHA1
af118a7d2ede05576a3d9fe3ce89071476595b69

SHA256
eb7b1fe1f83c4f69fa88317c4bbc2fb67ff89fa5d1de8f2863ee5a81fbe530ae

SHA512
db0638a98637a2ea7630534d11c8ec394e8b0e435c3da5a1c7350e07396b534c8128b1d636012c207bfdad5ce8fffef31b72097279d62ff2f85ed9d63d5acb41

Download Submit
C:\Users\Admin\AppData\Roaming\5997.E0E

Filesize
996B

MD5
0b0c9bef1a97125584dab0f7aad5e7e9

SHA1
13d431e84c5568c342df41afcb9aa672b6a9d7e6

SHA256
f2a70a0c7ff8077d81db92771a7ca814d77d4782794fcdd3200a27c0ac75e6b4

SHA512
e1d28cff2f3489c5e8b86875189fbc222fd3450a0b24867749e80e154eec6dbc72ff6ee259f015d87fed0f509b20a9a82ee584d82e1d6e1d3fa2f32fddf56451

Download Submit
memory/1552-75-0x00000000005D5000-0x00000000005F2000-memory.dmp

Filesize
116KB

Download
memory/1552-74-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2052-4-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2204-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2204-76-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2204-179-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2204-184-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download