149579124203441eb8e964bac86720510e963b3265afbf38be9d23f4b3df7b52

General

Target

34c9f867150cb397cab6135547b84422_JaffaCakes118.exe
Size

176KB
MD5

34c9f867150cb397cab6135547b84422
SHA1

91c699052c2875a0a311c39fdfeeb85a4fd6f316
SHA256

149579124203441eb8e964bac86720510e963b3265afbf38be9d23f4b3df7b52
SHA512

9687c6488c04afcf8b4f58bef7fa9cac8265b1ad7b911877e966ef2ba665ca29491b3efc75170cb3116aa66f7e64e84e69f7c5854d7fe76c341c5022b944eefb
SSDEEP

3072:pnlzI9IYri2ZKQrUSB6ER5RSaishziP55agPm9VPwZyAwpBo8j:p9I9IY+2Z4SBiaiskaBbwMF48

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2712-2-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2712-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2760-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2760-14-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2712-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1412-115-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1412-113-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2712-224-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1412-228-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2712-273-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2760	2712	34c9f867150cb397cab6135547b84422_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2760	2712	34c9f867150cb397cab6135547b84422_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2760	2712	34c9f867150cb397cab6135547b84422_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2760	2712	34c9f867150cb397cab6135547b84422_JaffaCakes118.exe	31
PID 2712 wrote to memory of 1412	2712	34c9f867150cb397cab6135547b84422_JaffaCakes118.exe	33
PID 2712 wrote to memory of 1412	2712	34c9f867150cb397cab6135547b84422_JaffaCakes118.exe	33
PID 2712 wrote to memory of 1412	2712	34c9f867150cb397cab6135547b84422_JaffaCakes118.exe	33
PID 2712 wrote to memory of 1412	2712	34c9f867150cb397cab6135547b84422_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\34c9f867150cb397cab6135547b84422_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\34c9f867150cb397cab6135547b84422_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Users\Admin\AppData\Local\Temp\34c9f867150cb397cab6135547b84422_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\34c9f867150cb397cab6135547b84422_JaffaCakes118.exe startC:\Program Files (x86)\LP\EEBF\FF0.exe%C:\Program Files (x86)\LP\EEBF
  2⤵
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\34c9f867150cb397cab6135547b84422_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\34c9f867150cb397cab6135547b84422_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\F15F9\DF1EE.exe%C:\Users\Admin\AppData\Roaming\F15F9
  2⤵
  PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F15F9\967A.15F

Filesize
996B

MD5
7428ebfe778abae342c47e10792d39b4

SHA1
a46f52f8b34bbbd44e5fd8c12dd13a05e1765d7e

SHA256
df87fdb06f58744953a68e762cbfaafdcc8e7a1c9aa25b35933f6c35f7cf9dfa

SHA512
55d4850cda6d6c0c78d2bdecd71096a8d24fba24d6b2407ad79328565d71f50acea60560ddfe8afa14c2b923132716b6a9febe5bafb553e875faee2c45563277

Download Submit
C:\Users\Admin\AppData\Roaming\F15F9\967A.15F

Filesize
600B

MD5
ab542a91c7827706d81d8e89f8a3417c

SHA1
f074d3e791382a9f8651c66bdd9a49c2785b94b5

SHA256
e1a61a9df6a8404703a45f8e68bf69e954fa61c5eaa4bb55a763791c8f35eeba

SHA512
d1c8dd3f79b7d5ca9dc42ab0d04aac3ff5450cecaef219993bf8c571ea94ff3382f4eaa60866b93b5a112844d9740424688071f77d892d3bed541663191faba2

Download Submit
C:\Users\Admin\AppData\Roaming\F15F9\967A.15F

Filesize
1KB

MD5
6ca51387bd32b8f00525e03a10ef1638

SHA1
b56e26efb2b22316705a1b003e380b558eb4c227

SHA256
70b64bd41389b5d17f017cf9b4fd1b4ad276f2c4182fc5fd222c77ad95937df5

SHA512
9d89503a76cfd722bd7bb0be65763bcad56819f769fd13d336474118c740647c95ddc72bab489c172b90c9391cd6eaa3111c7f5be48abe17ed7b7c85ffbb7754

Download Submit
memory/1412-115-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1412-228-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1412-113-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2712-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2712-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2712-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2712-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2712-224-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2712-273-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2760-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2760-226-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2760-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing