43e28c125a63571f9ef25873b07c1746166e0404f386dce462cfc2b8b27f6551

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ca6b8dfdcc8ed3be11e97a4d4b91307_JaffaCakes118.exe
Size

179KB
MD5

3ca6b8dfdcc8ed3be11e97a4d4b91307
SHA1

ee4dc48655fa2f2a93e55c95c43bd2c287359164
SHA256

43e28c125a63571f9ef25873b07c1746166e0404f386dce462cfc2b8b27f6551
SHA512

937eac19ba251a4a98f38e8f7398cdfeeb6cdc8720e3a081a78a8d0780ddf24c85fc8708828858d0ba3cb6b5e8e6a15d198618a6a484e336711395c2ee140300
SSDEEP

3072:ZOl+3KP6cwD4csJOTfWq9wCA/NcYJwR94tLxEElKFZxuoSbn1ziguuYT:L3bVD+4WqOCAIy5xHL1zLu/

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2488-16-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1688-17-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1160-143-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1688-338-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2488	1688	3ca6b8dfdcc8ed3be11e97a4d4b91307_JaffaCakes118.exe	30
PID 1688 wrote to memory of 2488	1688	3ca6b8dfdcc8ed3be11e97a4d4b91307_JaffaCakes118.exe	30
PID 1688 wrote to memory of 2488	1688	3ca6b8dfdcc8ed3be11e97a4d4b91307_JaffaCakes118.exe	30
PID 1688 wrote to memory of 2488	1688	3ca6b8dfdcc8ed3be11e97a4d4b91307_JaffaCakes118.exe	30
PID 1688 wrote to memory of 1160	1688	3ca6b8dfdcc8ed3be11e97a4d4b91307_JaffaCakes118.exe	33
PID 1688 wrote to memory of 1160	1688	3ca6b8dfdcc8ed3be11e97a4d4b91307_JaffaCakes118.exe	33
PID 1688 wrote to memory of 1160	1688	3ca6b8dfdcc8ed3be11e97a4d4b91307_JaffaCakes118.exe	33
PID 1688 wrote to memory of 1160	1688	3ca6b8dfdcc8ed3be11e97a4d4b91307_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\3ca6b8dfdcc8ed3be11e97a4d4b91307_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3ca6b8dfdcc8ed3be11e97a4d4b91307_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\3ca6b8dfdcc8ed3be11e97a4d4b91307_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3ca6b8dfdcc8ed3be11e97a4d4b91307_JaffaCakes118.exe startC:\Program Files (x86)\LP\C6ED\560.exe%C:\Program Files (x86)\LP\C6ED
  2⤵
  PID:2488
- C:\Users\Admin\AppData\Local\Temp\3ca6b8dfdcc8ed3be11e97a4d4b91307_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3ca6b8dfdcc8ed3be11e97a4d4b91307_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\D6C7C\CBCC6.exe%C:\Users\Admin\AppData\Roaming\D6C7C
  2⤵
  PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D6C7C\CA95.6C7

Filesize
1KB

MD5
de024c2d836c2ba178b8d9253013c55a

SHA1
f157019334fa78fc66dbc2ed67a71b426ce1f5b0

SHA256
e6cf699c33df2363ec811ab4568445c48335884f407b9bc22b089f8292a4b8e1

SHA512
215dc16f8faaefded978b027afc771ec97c9bd09e68ccedf93c56959e5b98899d14d3b6ae781c460b0a2873e03c8505497856072481e70f5444ba35064edde44

Download Submit
C:\Users\Admin\AppData\Roaming\D6C7C\CA95.6C7

Filesize
897B

MD5
84fe4cba945715e465e444622860b8e2

SHA1
32fa88fbfd977e69cafde18ee616c683fc9e94e1

SHA256
ce0a51e6d338b1e77ba13b47530d48ee253330127d2f433125e27c0a5ed5aca0

SHA512
feb7e325bd97e25b12bca14aee46e5ba8f7b957d894d54f104f5d2ee747b8a9af6d49d1ab3c67356bb2c560bd728f7de47b11bac8193356942af3e9964d6d9fa

Download Submit
C:\Users\Admin\AppData\Roaming\D6C7C\CA95.6C7

Filesize
1KB

MD5
d6b1a5abd197f32f7dc3311df4a10d31

SHA1
d3efe03a4931a5d98b4eea11ffdfc877248018bc

SHA256
51033b083efe9c9b74e58aef4462f9313a0460917c6b234c35ccf4bd49e35f79

SHA512
9fabe7d7e2800e25988c12c740f9c210c104f01dfccaae9281ec7ceeff4487a1c00748344350c00d798cd6424163197ed660cde4dffe710cd30ffaf79bf9a8aa

Download Submit
C:\Users\Admin\AppData\Roaming\D6C7C\CA95.6C7

Filesize
597B

MD5
b5edeeed2e256bd958fce982da0cbbc0

SHA1
8858edb88816359149c3049e6652fd1ec90a95f6

SHA256
65772165ddd35b394e3e9f12f995f4b2a921917667695fe081af3ab89b4068d6

SHA512
6bc030cd60a3845aabbad63c2a72d7f8ae4de230738628c8027ee75b6d6491b1ebb885a2afd00e623c7030fca69bfb49f7620b4b0da0ed0861d8bd1a444737f5

Download Submit
memory/1160-143-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1688-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1688-17-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1688-338-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2488-16-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download