59363ea7ef5a7b730128bb753b3e6ebfc9cf867e12ba65e504253d1d11c584f8

General

Target

42a432018731bd22415b5c11e873e9ff_JaffaCakes118.exe
Size

181KB
MD5

42a432018731bd22415b5c11e873e9ff
SHA1

7b7c37e2863af26efb2b20ec49129963f46088b9
SHA256

59363ea7ef5a7b730128bb753b3e6ebfc9cf867e12ba65e504253d1d11c584f8
SHA512

1a43a48a93987ab1f02647b4fa8df45544c59b5940a9341bf080d94873443311c81eab4bd31d5a9c6455cf6ee9e1e221f2811fc18a3951d556d23328c5a35c3b
SSDEEP

3072:R0cEKlASKLlGSGRpigU6QgCAnouKOPDJvGcZWmK/NlNXeO3qr:KsAmRpigURAnoY9eb/Mj

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2740-1-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2740-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2688-12-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2688-13-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2688-14-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2512-74-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2740-76-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2740-179-0x0000000000400000-0x000000000044E000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2688	2740	42a432018731bd22415b5c11e873e9ff_JaffaCakes118.exe	30
PID 2740 wrote to memory of 2688	2740	42a432018731bd22415b5c11e873e9ff_JaffaCakes118.exe	30
PID 2740 wrote to memory of 2688	2740	42a432018731bd22415b5c11e873e9ff_JaffaCakes118.exe	30
PID 2740 wrote to memory of 2688	2740	42a432018731bd22415b5c11e873e9ff_JaffaCakes118.exe	30
PID 2740 wrote to memory of 2512	2740	42a432018731bd22415b5c11e873e9ff_JaffaCakes118.exe	32
PID 2740 wrote to memory of 2512	2740	42a432018731bd22415b5c11e873e9ff_JaffaCakes118.exe	32
PID 2740 wrote to memory of 2512	2740	42a432018731bd22415b5c11e873e9ff_JaffaCakes118.exe	32
PID 2740 wrote to memory of 2512	2740	42a432018731bd22415b5c11e873e9ff_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\42a432018731bd22415b5c11e873e9ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\42a432018731bd22415b5c11e873e9ff_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\42a432018731bd22415b5c11e873e9ff_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\42a432018731bd22415b5c11e873e9ff_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2688
- C:\Users\Admin\AppData\Local\Temp\42a432018731bd22415b5c11e873e9ff_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\42a432018731bd22415b5c11e873e9ff_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EFA3.5E6

Filesize
1KB

MD5
6961f5a3160a4cffbf87c97fd5ebc2e1

SHA1
2e26ad030703d59096e2c67bc481b24eabc7f5f4

SHA256
1681f35310f4899269a4b23114866e0b417555ac055ca31b1158117211c23952

SHA512
5f0bc8dfe1f1e23015ff9e5b66946fa8c20920d9dbf78daddeabc429a9aa1d9faf814562f1f288eb1c9f195fdcadb67f0577f2626568a5c6a31fca403265950e

Download Submit
C:\Users\Admin\AppData\Roaming\EFA3.5E6

Filesize
600B

MD5
7d9869d6c13ec46aaa653e0a39fc4336

SHA1
6b4516a9d507445821d5e5d758ac48dc52ccf07f

SHA256
9dcb9362a0cd3e136b605848e6327a8f43bce354bcabaf4498c92011960c237a

SHA512
defccb395ed0fdb2ba99bdda6b4abc915550c9ab8e01b551c4bee3611df56943f1f16b056aa2a2d99691652b96132d06f8bc8a4faaf07ce47dddbb7935b63e80

Download Submit
C:\Users\Admin\AppData\Roaming\EFA3.5E6

Filesize
996B

MD5
04cc471e4f2c90f4b3d5f6bad860383a

SHA1
ac7a2f615bd162844fb54e03bf3be8fca7dc7758

SHA256
f069bc88551e12d9a0c4c45d55bf04822f26c30d5494c80cd8361af4a7e8bba1

SHA512
b0b08a64ba73fddc1950de69ba6f3a12e6d01561caf98895ec797dcd560cdd18f297371f24d1689b09439134d9e36d36823015dfefed037b20b59448261c77f6

Download Submit
memory/2512-74-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2512-75-0x0000000000635000-0x000000000064F000-memory.dmp

Filesize
104KB

Download
memory/2688-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2688-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2688-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2740-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2740-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2740-76-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2740-179-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing