Analysis

Max time kernel: 124s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20240708-en
Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
Submitted: 12-07-2024 16:43

Behavioral task: behavioral1
Sample: 3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
Resource: win7-20240708-en
General

Target: 3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
Size: 5.4MB
MD5: 3e1b475608a0f58b4f611025edbcb99b
SHA1: 987e3e93bd65b4e17d341fe2c7986fa596249b33
SHA256: ef5a4eb40733a378ba1dbfdeeecbcd0ba776d1fe7c293a703ee1431cc2a5f248
SHA512: 67acaf217150b3a073018c83614c61e8c9b2d58ce4ab849b3973d1eb024d9227aa8200caa9348b3313b3d43ea5c66bdd5e582d0b2e24fa64b672afe7361025c3
SSDEEP: 49152:OQJ3vdwlU0AP5kdYTDuvFFrj1qWsWG9Adva5yheSWYJ0q:74U0AP5GYTMFFrc0va5yheSWYJ0q
Malware Config

Signatures

Detects Strela Stealer payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2232-0-0x0000000000400000-0x0000000000993000-memory.dmp    family_strela
  behavioral1/memory/2232-127-0x0000000000400000-0x0000000000993000-memory.dmp  family_strela

  resource                                                                     yara_rule
  behavioral1/memory/2232-0-0x0000000000400000-0x0000000000993000-memory.dmp    upx
  behavioral1/memory/2232-127-0x0000000000400000-0x0000000000993000-memory.dmp  upx
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc      Process
  File opened (read-only)  \??\Y:   3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened (read-only)  \??\G:   3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened (read-only)  \??\H:   3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened (read-only)  \??\K:   3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened (read-only)  \??\M:   3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened (read-only)  \??\S:   3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened (read-only)  \??\W:   3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened (read-only)  \??\E:   3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened (read-only)  \??\N:   3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened (read-only)  \??\O:   3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened (read-only)  \??\Q:   3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened (read-only)  \??\T:   3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened (read-only)  \??\U:   3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened (read-only)  \??\V:   3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened (read-only)  \??\Z:   3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened (read-only)  \??\I:   3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened (read-only)  \??\J:   3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened (read-only)  \??\L:   3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened (read-only)  \??\P:   3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened (read-only)  \??\R:   3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened (read-only)  \??\X:   3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
Drops file in System32 directory (21 IoCs)
  description                   ioc                                          Process
  File opened for modification  \??\c:\windows\SysWOW64\wbengine.exe         3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File created                  \??\c:\windows\SysWOW64\svchost.vir          3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File created                  \??\c:\windows\SysWOW64\dllhost.vir          3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\SysWOW64\fxssvc.exe           3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\SysWOW64\ieetwcollector.exe   3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\SysWOW64\msdtc.exe            3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\SysWOW64\alg.exe              3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File created                  \??\c:\windows\SysWOW64\msiexec.vir          3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\syswow64\perfhost.exe         3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe    3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\SysWOW64\locator.exe          3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\SysWOW64\snmptrap.exe         3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\SysWOW64\vds.exe              3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File created                  \??\c:\windows\SysWOW64\searchindexer.vir    3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\SysWOW64\vssvc.exe            3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\SysWOW64\searchindexer.exe    3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\SysWOW64\svchost.exe          3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\SysWOW64\dllhost.exe          3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\SysWOW64\lsass.exe            3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\SysWOW64\msiexec.exe          3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\SysWOW64\ui0detect.exe        3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
Drops file in Program Files directory (7 IoCs)
  description                   ioc                                                                                   Process
  File opened for modification  \??\c:\program files\windows media player\wmpnetwk.exe                                3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  C:\Program Files\Internet Explorer\iexplore.exe                                       3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe   3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\program files (x86)\google\update\googleupdate.exe                             3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\program files (x86)\microsoft office\office14\groove.exe                       3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe         3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe        3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
Drops file in Windows directory (13 IoCs)
  description                   ioc                                                                                                         Process
  File opened for modification  \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe                                              3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe                  3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe                                        3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\servicing\trustedinstaller.exe                                                               3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe                                            3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File created                  C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F4518FA1-3F92-46FD-8EB4-89AF02E20B9D}.crmlog  dllhost.exe
  File opened for modification  C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F4518FA1-3F92-46FD-8EB4-89AF02E20B9D}.crmlog  dllhost.exe
  File opened for modification  \??\c:\windows\ehome\ehrecvr.exe                                                                            3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\ehome\ehsched.exe                                                                            3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe                                              3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe                                 3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  C:\Windows\3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.INI                                               3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe                                            3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
Modifies data under HKEY_USERS (3 IoCs)
  description  ioc                                                                                                Process
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections    SearchIndexer.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones          SearchIndexer.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap        SearchIndexer.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description                          pid   Process
  Token: SeTakeOwnershipPrivilege      2232  3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  Token: SeRestorePrivilege            2872  msiexec.exe
  Token: SeTakeOwnershipPrivilege      2872  msiexec.exe
  Token: SeSecurityPrivilege           2872  msiexec.exe
  Token: SeManageVolumePrivilege       2604  SearchIndexer.exe
  Token: 33                            2604  SearchIndexer.exe
  Token: SeIncBasePriorityPrivilege    2604  SearchIndexer.exe
Suspicious use of SetWindowsHookEx (5 IoCs)
  pid   Process
  2232  3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe
  2440  SearchProtocolHost.exe
  2440  SearchProtocolHost.exe
  2440  SearchProtocolHost.exe
  2440  SearchProtocolHost.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description                  pid   Process            procid_target
  PID 2604 wrote to memory of 2440  2604  SearchIndexer.exe  33
  PID 2604 wrote to memory of 2440  2604  SearchIndexer.exe  33
  PID 2604 wrote to memory of 2440  2604  SearchIndexer.exe  33
  PID 2604 wrote to memory of 1264  2604  SearchIndexer.exe  34
  PID 2604 wrote to memory of 1264  2604  SearchIndexer.exe  34
  PID 2604 wrote to memory of 1264  2604  SearchIndexer.exe  34
  PID 2604 wrote to memory of 2416  2604  SearchIndexer.exe  35
  PID 2604 wrote to memory of 2416  2604  SearchIndexer.exe  35
  PID 2604 wrote to memory of 2416  2604  SearchIndexer.exe  35
Processes

- C:\Users\Admin\AppData\Local\Temp\3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe (PID 2232)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e1b475608a0f58b4f611025edbcb99b_JaffaCakes118.exe"
  Signatures:
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

- C:\Windows\system32\dllhost.exe (PID 2768)
  Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  Signatures:
  - Drops file in Windows directory

- C:\Windows\system32\msiexec.exe (PID 2872)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures:
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\SearchIndexer.exe (PID 2604)
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  Signatures:
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\SearchProtocolHost.exe (PID 2440)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    Signatures:
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\system32\SearchFilterHost.exe (PID 1264)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
  - C:\Windows\system32\SearchFilterHost.exe (PID 2416)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1024KB
  MD5: 914ccd5abf3969f3b7a886c57cec5202
  SHA1: db8e5f8c1f038a8f3401b49d2ea394f3995ec18d
  SHA256: 1125a4e1266c297122c7341938776ad9a5bbf782e2dfd2db7589787fcda31d30
  SHA512: 0207b8db600c0eb47b46f663f9eeb09db5c71fab34e5221b4611413a7a19629821986da37c2ff5cb06997c09df220be59cec4d0e1cdaf567f082c89782056a77

- Filesize: 1KB
  MD5: cd13a6532dec6b9e7e4f14462e3e287c
  SHA1: 922f21847005e8937b65b3039445efd73403e183
  SHA256: a5aca428d3ab62816dff3abc76533b15b81d0273ad828ca16a7690921dee6a4e
  SHA512: 498d0e8a4fcffd2dc7975668b4b9770cd16bcd99e571926432bd3c65c5a3451e94599b96bcd73525eef1924e96c8d85fc0cc60b411a164e29f411eada0b86d50