b877a3697e6559fa0e317a6480dbdd73d955c42f5f80eda1aafa159ccf030c0b

General

Target

37ccfdbebe357171e6a4be7e7760590f_JaffaCakes118.exe
Size

187KB
MD5

37ccfdbebe357171e6a4be7e7760590f
SHA1

00f44376824fe298c6b3fcc06b46f6dec3898836
SHA256

b877a3697e6559fa0e317a6480dbdd73d955c42f5f80eda1aafa159ccf030c0b
SHA512

e4edbade58d0cf44347238f3daf1512f1fd27c554f3808da4f15b07e3cb7532b2e0bd34c787d251176dd32c9408a75632d37e5aadd957ab4b1b456cc0a94870f
SSDEEP

3072:6Fh4IoSEIj1EGWE6GU9N46AQIKFoRnxLeFZoXNhnUau4R6BCPVybQqx6PCLLMxm:6F6IX1EGphwtWuiLnUauHoNSNLLMxm

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2552-1-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2552-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/484-11-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/484-12-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2552-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1740-127-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1740-126-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2552-240-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2552-283-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 484	2552	37ccfdbebe357171e6a4be7e7760590f_JaffaCakes118.exe	31
PID 2552 wrote to memory of 484	2552	37ccfdbebe357171e6a4be7e7760590f_JaffaCakes118.exe	31
PID 2552 wrote to memory of 484	2552	37ccfdbebe357171e6a4be7e7760590f_JaffaCakes118.exe	31
PID 2552 wrote to memory of 484	2552	37ccfdbebe357171e6a4be7e7760590f_JaffaCakes118.exe	31
PID 2552 wrote to memory of 1740	2552	37ccfdbebe357171e6a4be7e7760590f_JaffaCakes118.exe	33
PID 2552 wrote to memory of 1740	2552	37ccfdbebe357171e6a4be7e7760590f_JaffaCakes118.exe	33
PID 2552 wrote to memory of 1740	2552	37ccfdbebe357171e6a4be7e7760590f_JaffaCakes118.exe	33
PID 2552 wrote to memory of 1740	2552	37ccfdbebe357171e6a4be7e7760590f_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\37ccfdbebe357171e6a4be7e7760590f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\37ccfdbebe357171e6a4be7e7760590f_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\Temp\37ccfdbebe357171e6a4be7e7760590f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\37ccfdbebe357171e6a4be7e7760590f_JaffaCakes118.exe startC:\Program Files (x86)\LP\D539\6DB.exe%C:\Program Files (x86)\LP\D539
  2⤵
  PID:484
- C:\Users\Admin\AppData\Local\Temp\37ccfdbebe357171e6a4be7e7760590f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\37ccfdbebe357171e6a4be7e7760590f_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\97E46\73ED5.exe%C:\Users\Admin\AppData\Roaming\97E46
  2⤵
  PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\97E46\6B7F.7E4

Filesize
996B

MD5
601fda82206ef7ec56f3db3506aec222

SHA1
2cce9b3c6ec7ddd4653cc5ba61aa683150407516

SHA256
387add7ed21e05e17665d552a504f2dd7c493aef515c7c49de0184013b4d5855

SHA512
07713f0de19305178bfd10574865b2a353c3d4975b21996487f59882fc29f4b4e279525319a387d842bf464ea5c60de3834884e7523e758c499e3429bf957d9a

Download Submit
C:\Users\Admin\AppData\Roaming\97E46\6B7F.7E4

Filesize
600B

MD5
19b15385e9bd439672ded34899c49f9f

SHA1
faedeb30baf1e85402bcf49cf6d55bc706e30d7c

SHA256
3eaba253a1b358a2024e8d0b152066dd2b3d234418b5de976c455b3f4a402eaf

SHA512
12f6ec210e61f7d6ada9ed798a4a60480a2565f73d7506ae7229f68f3422b1bb913fa1849d0a987a25fd3e410f6cd41de19f2adefd87482a5887ce07d3dc8646

Download Submit
C:\Users\Admin\AppData\Roaming\97E46\6B7F.7E4

Filesize
1KB

MD5
b0c08bd87e3ca0b6573ac57fbd811f37

SHA1
44448286e22638c285bc0ec306960ddfe0e2e766

SHA256
a81e9c0d1acc5ae33d59fb0b2d45b84e451ee12aa9a92ec241f1cd308b85933b

SHA512
f491eaaecb9352738658ae9e88ead320508316982a54542e6d5a0e5b19656b361f069ae775d8abe6ecfcab20bdce4a4356d891182835d0f46c953c40fc47c97f

Download Submit
memory/484-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/484-12-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1740-127-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1740-126-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2552-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2552-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2552-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2552-240-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2552-283-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing