108116ebe972df28427cd9b35ae2e797a07a236f3044ffc14906d784f1c3e853

General

Target

3a56cc58e009d3e94094ede97b7a76b6_JaffaCakes118.exe
Size

185KB
MD5

3a56cc58e009d3e94094ede97b7a76b6
SHA1

38f1c63b3f4d2728d8dd3e5edba29a69a65e7e21
SHA256

108116ebe972df28427cd9b35ae2e797a07a236f3044ffc14906d784f1c3e853
SHA512

8d1b1454c860e4dd737e8fac05faee9d86f022f7e45f588a370bc9da5925a994694b18e5947dd0e04af0cb59f383f2620f9948ac5794673e0efe6e7cb86ceabd
SSDEEP

3072:fq8T/rfl5rhrnhjMcmxW0DuWyAm0irgWT4yt1yG+VCrAcKwwNntXAd/glLtvdET1:C87rl5rhrnOvhy3Tx1yDCrawyntXAZgI

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2456-1-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2456-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1640-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2456-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1604-81-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1604-82-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2456-83-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2456-179-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 1640	2456	3a56cc58e009d3e94094ede97b7a76b6_JaffaCakes118.exe	31
PID 2456 wrote to memory of 1640	2456	3a56cc58e009d3e94094ede97b7a76b6_JaffaCakes118.exe	31
PID 2456 wrote to memory of 1640	2456	3a56cc58e009d3e94094ede97b7a76b6_JaffaCakes118.exe	31
PID 2456 wrote to memory of 1640	2456	3a56cc58e009d3e94094ede97b7a76b6_JaffaCakes118.exe	31
PID 2456 wrote to memory of 1604	2456	3a56cc58e009d3e94094ede97b7a76b6_JaffaCakes118.exe	33
PID 2456 wrote to memory of 1604	2456	3a56cc58e009d3e94094ede97b7a76b6_JaffaCakes118.exe	33
PID 2456 wrote to memory of 1604	2456	3a56cc58e009d3e94094ede97b7a76b6_JaffaCakes118.exe	33
PID 2456 wrote to memory of 1604	2456	3a56cc58e009d3e94094ede97b7a76b6_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\3a56cc58e009d3e94094ede97b7a76b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a56cc58e009d3e94094ede97b7a76b6_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\3a56cc58e009d3e94094ede97b7a76b6_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3a56cc58e009d3e94094ede97b7a76b6_JaffaCakes118.exe startC:\Program Files (x86)\LP\EE47\7FF.exe%C:\Program Files (x86)\LP\EE47
  2⤵
  PID:1640
- C:\Users\Admin\AppData\Local\Temp\3a56cc58e009d3e94094ede97b7a76b6_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3a56cc58e009d3e94094ede97b7a76b6_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\720FF\076EE.exe%C:\Users\Admin\AppData\Roaming\720FF
  2⤵
  PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\720FF\F527.20F

Filesize
1KB

MD5
fb760abd920cda48b0f35ca84676f40f

SHA1
e4178127fe56d6665091a16f00910c3a86c9489e

SHA256
15d2e48ca0e048455b1b64b9bd916343112f78efa115ae66f4495cbb004a139f

SHA512
131f40425c6ef0e1a8a429a9fe16ff903494b5ff185b9bbfd28e41a9d8cb4174bdbb4ecbfc959eef87745a4646699ea4af6ecad07a4b28eb99404a7423a81e6b

Download Submit
C:\Users\Admin\AppData\Roaming\720FF\F527.20F

Filesize
600B

MD5
ced241d465759cceff4cc7ce6bb86e6a

SHA1
3e5f0d51f636f56232f5a6a2f91923e69c5b53c6

SHA256
c5cdadfa8c02fe86492697df74e93cdbd5f15067f80bc7844715ba44ba5e5eee

SHA512
8933fd491dace44b3ca70c21c7997ad053ad7fe9d17d1ff1aa14446bcd79f1d13289ffef3dfbb3ec9f8e0b096081d89c0555fd5d18cbd9b5489128d4daf28d84

Download Submit
C:\Users\Admin\AppData\Roaming\720FF\F527.20F

Filesize
996B

MD5
3baac26c4a277a9b4b803e6f7b7a3aa7

SHA1
35a0f4e231caf2f37adcce5e7144afe983f7c5da

SHA256
de67f5623de8ac3bf1faecf50df938cbb459dcfe02a023326bd91d000b2f3532

SHA512
c5c7cd5971da408ea67c46452e40d81717a7f124be848131cd3e11ec6331f0535f8f7b7e84da705b43194315c1a832110d246c00104bf480e247e4f3c07dcf54

Download Submit
memory/1604-82-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1604-146-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1604-81-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1640-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1640-144-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2456-83-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2456-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2456-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2456-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2456-179-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing