ff354699a24b994621357611c0ffa572459581d167b2288061fcbcfbe67c03ed

General

Target

3c00f72d38d1dece37f5604436bc8909_JaffaCakes118.exe
Size

193KB
MD5

3c00f72d38d1dece37f5604436bc8909
SHA1

e73e9375f6a86c827cf326254a27fc5d8aece3b5
SHA256

ff354699a24b994621357611c0ffa572459581d167b2288061fcbcfbe67c03ed
SHA512

04ca55eae094940c868024db2c73305a06b6c692be7637220f5f2eb39a787239b2f15eaecf99a4cb2273d3b05ae654be7e82c667e84c8bd719de21f739931c97
SSDEEP

6144:Uhqvi1lMcIzdGDydIXcsGSWqixBbDzXDx2PrwK:UMa1lMtfAckej3XNL

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1512-2-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2320-4-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2604-83-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1512-84-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1512-179-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1512-184-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process
PID 1512 set thread context of 0	1512	3c00f72d38d1dece37f5604436bc8909_JaffaCakes118.exe
PID 2320 set thread context of 0	2320	3c00f72d38d1dece37f5604436bc8909_JaffaCakes118.exe
PID 2604 set thread context of 0	2604	3c00f72d38d1dece37f5604436bc8909_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2320	1512	3c00f72d38d1dece37f5604436bc8909_JaffaCakes118.exe	30
PID 1512 wrote to memory of 2320	1512	3c00f72d38d1dece37f5604436bc8909_JaffaCakes118.exe	30
PID 1512 wrote to memory of 2320	1512	3c00f72d38d1dece37f5604436bc8909_JaffaCakes118.exe	30
PID 1512 wrote to memory of 2320	1512	3c00f72d38d1dece37f5604436bc8909_JaffaCakes118.exe	30
PID 1512 wrote to memory of 2604	1512	3c00f72d38d1dece37f5604436bc8909_JaffaCakes118.exe	32
PID 1512 wrote to memory of 2604	1512	3c00f72d38d1dece37f5604436bc8909_JaffaCakes118.exe	32
PID 1512 wrote to memory of 2604	1512	3c00f72d38d1dece37f5604436bc8909_JaffaCakes118.exe	32
PID 1512 wrote to memory of 2604	1512	3c00f72d38d1dece37f5604436bc8909_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\3c00f72d38d1dece37f5604436bc8909_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c00f72d38d1dece37f5604436bc8909_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\3c00f72d38d1dece37f5604436bc8909_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3c00f72d38d1dece37f5604436bc8909_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - Suspicious use of SetThreadContext
  PID:2320
- C:\Users\Admin\AppData\Local\Temp\3c00f72d38d1dece37f5604436bc8909_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3c00f72d38d1dece37f5604436bc8909_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - Suspicious use of SetThreadContext
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\24FC.4BA

Filesize
600B

MD5
138a9b242192c75b1a95bada8d368b5c

SHA1
438dfe3cb2dd24c2011303ef3cc78af0234c81e9

SHA256
e8e2990707d81e51d904d4f9e31c5f94a9964c10ef8db36b01b4748645f2833b

SHA512
e348a67ea70310ec0c68f6cac0e303e03ae6aeb63f3e5190f826c5c8045dc00325280b4ef6118d30d9750d7a555905d1aa01411f7e3bd7df99b9be307d0fe424

Download Submit
C:\Users\Admin\AppData\Roaming\24FC.4BA

Filesize
1KB

MD5
ebe7339b2d5bb569ef171ee1d9b0bf19

SHA1
a6b857c0cc736f4c9b68300f53083d57c3d9f8d4

SHA256
e4ef33bf809aff571e1e0a4c52b49c3eb1227fa5ff3d397fd49352aa89705fc3

SHA512
1fbdf6a0dae87f12cc96f23dfa6f917bddf352d69f3f7c96bcd92ed90fc00fcf532c290c67e6cf35249aa0bfee13817c5ab5370e9343f99f0728401fb4acaf3a

Download Submit
C:\Users\Admin\AppData\Roaming\24FC.4BA

Filesize
996B

MD5
a953a1056419749627500960e17a2abd

SHA1
74d936a3b0be3447eb375644b6b00d6ee2bb4c41

SHA256
27dd8a40889b46fa6c86d86bf6185397aa9537ab901cbd31de1dbd9f00b0bb32

SHA512
f6863f4751f9af32efab92e7faa6691dca2f8e9bc492d5cfa6fe2fccd1b3e6a20c491eda0842e147c05b49b5df7530a53694b4a2919c8a78d1f7bd3ab681dff9

Download Submit
memory/1512-2-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1512-84-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1512-179-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1512-184-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2320-4-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2604-83-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing