5ab01293961700e753355119f634d8114fa5f47cdc664477c37f01bafdbb5c84

General

Target

3382fb07bb0b36a68ce935c7d0fbba34_JaffaCakes118.exe
Size

180KB
MD5

3382fb07bb0b36a68ce935c7d0fbba34
SHA1

a8a9807635a8aa032b1eef0d34d656f7e5b57588
SHA256

5ab01293961700e753355119f634d8114fa5f47cdc664477c37f01bafdbb5c84
SHA512

b6e53064964e17f9ec33333e058e8ddf4e2499f6f0696d45660f6699caaaac514379a2a7997130da6c0d432d9f9b314e09cd9a0b82fed6f0a00b5ad90463277c
SSDEEP

3072:9cbzZoL9bDUkKOYHVrH4zrgq0CuJGYNnga8iANzbiQRMLaMUCSgGuJJfE/NE:WXAPUt18rtKNd8VzbiQRML1TkuJBQa

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1040-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1040-2-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/844-14-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/844-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1040-16-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2252-134-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2252-135-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1040-248-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1040-307-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 844	1040	3382fb07bb0b36a68ce935c7d0fbba34_JaffaCakes118.exe	28
PID 1040 wrote to memory of 844	1040	3382fb07bb0b36a68ce935c7d0fbba34_JaffaCakes118.exe	28
PID 1040 wrote to memory of 844	1040	3382fb07bb0b36a68ce935c7d0fbba34_JaffaCakes118.exe	28
PID 1040 wrote to memory of 844	1040	3382fb07bb0b36a68ce935c7d0fbba34_JaffaCakes118.exe	28
PID 1040 wrote to memory of 2252	1040	3382fb07bb0b36a68ce935c7d0fbba34_JaffaCakes118.exe	30
PID 1040 wrote to memory of 2252	1040	3382fb07bb0b36a68ce935c7d0fbba34_JaffaCakes118.exe	30
PID 1040 wrote to memory of 2252	1040	3382fb07bb0b36a68ce935c7d0fbba34_JaffaCakes118.exe	30
PID 1040 wrote to memory of 2252	1040	3382fb07bb0b36a68ce935c7d0fbba34_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\3382fb07bb0b36a68ce935c7d0fbba34_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3382fb07bb0b36a68ce935c7d0fbba34_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Users\Admin\AppData\Local\Temp\3382fb07bb0b36a68ce935c7d0fbba34_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3382fb07bb0b36a68ce935c7d0fbba34_JaffaCakes118.exe startC:\Program Files (x86)\LP\D5B1\825.exe%C:\Program Files (x86)\LP\D5B1
  2⤵
  PID:844
- C:\Users\Admin\AppData\Local\Temp\3382fb07bb0b36a68ce935c7d0fbba34_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3382fb07bb0b36a68ce935c7d0fbba34_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\19BB6\B5BD5.exe%C:\Users\Admin\AppData\Roaming\19BB6
  2⤵
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\19BB6\6475.9BB

Filesize
996B

MD5
ecba9f4a9acbabc116f1d927eab84823

SHA1
c20606fc57f4590367f41dd94c4bb2ad3f778ffe

SHA256
c2e0d687d72006b1e43a9783f29b482b76709beed41a88f1e10014ffd0ec38de

SHA512
8d6b54c22313f8a9249f83f1dcd7360b6f4d52ac495710a50b926c82cad6127ba74beb87b9fe245c56e945f25dbca5a68f19ea1172305b6c39273a923f4913ef

Download Submit
C:\Users\Admin\AppData\Roaming\19BB6\6475.9BB

Filesize
600B

MD5
8075bf9c54abb3c7d8a831de3a9f9797

SHA1
19c6afb00d7a98298153a40ead3d3f5d2a95db97

SHA256
a3e3bbfd33d92c1c077b5a7c9231f789504b52d4c921feea08644c47d2d62e64

SHA512
08353266f6f09ae72170c5dacaac4f361a4f6cff7329fd6e0148986680038be2d4072eb98502c42d0719d0daeb7ff213083be3c5b82300fd9f43a07b7c10f2e7

Download Submit
C:\Users\Admin\AppData\Roaming\19BB6\6475.9BB

Filesize
1KB

MD5
942a801e84a19e2cefeff4df22c35643

SHA1
6a8bfe2557db6e17371628240355a854670b1be3

SHA256
631d40dbed8494d78c8b7e7aab1fb5436c19a11d3088c98c0452e298bc8a27e9

SHA512
7830a908b1d0be8e14c3f4ffb3b8620a60e0bea84024a7cb44f2e050211b80999c07a66d437fc263425d003eb522391372e69c5372ed46f37b51671467b78f80

Download Submit
memory/844-15-0x0000000000595000-0x00000000005AD000-memory.dmp

Filesize
96KB

Download
memory/844-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/844-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1040-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1040-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1040-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1040-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1040-248-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1040-307-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2252-134-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2252-135-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing