4ac262c44085af2e001f4c16d80dfa6bc9b7437c19044748304014b4ce4c25d0

General

Target

474e146922b8df4c3f5038bcf1a34b1a_JaffaCakes118.exe
Size

189KB
MD5

474e146922b8df4c3f5038bcf1a34b1a
SHA1

b02d35ebfce1a5dafa68db396113090de228f843
SHA256

4ac262c44085af2e001f4c16d80dfa6bc9b7437c19044748304014b4ce4c25d0
SHA512

62e78a10b708900c8aad13d4657e8e5a8b2b5f2843b08c626a6538952094774d23fa8c4563ebf89db039ab802a154cc7779e42b7e5cd7b60c2948d0e9cc5e2cb
SSDEEP

3072:O23rRquoIPr1n925uyaJKRfUXdHtnxvfgYu4VndJR0OAl8cP1/D8ZphO+K:zVqu5Px925uPkRfUXdHtnOt4VndBo8Ai

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2708-1-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2708-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2780-11-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2708-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2352-121-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2352-122-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2708-231-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2708-236-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2780	2708	474e146922b8df4c3f5038bcf1a34b1a_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2780	2708	474e146922b8df4c3f5038bcf1a34b1a_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2780	2708	474e146922b8df4c3f5038bcf1a34b1a_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2780	2708	474e146922b8df4c3f5038bcf1a34b1a_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2352	2708	474e146922b8df4c3f5038bcf1a34b1a_JaffaCakes118.exe	32
PID 2708 wrote to memory of 2352	2708	474e146922b8df4c3f5038bcf1a34b1a_JaffaCakes118.exe	32
PID 2708 wrote to memory of 2352	2708	474e146922b8df4c3f5038bcf1a34b1a_JaffaCakes118.exe	32
PID 2708 wrote to memory of 2352	2708	474e146922b8df4c3f5038bcf1a34b1a_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\474e146922b8df4c3f5038bcf1a34b1a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\474e146922b8df4c3f5038bcf1a34b1a_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\474e146922b8df4c3f5038bcf1a34b1a_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\474e146922b8df4c3f5038bcf1a34b1a_JaffaCakes118.exe startC:\Program Files (x86)\LP\4420\97B.exe%C:\Program Files (x86)\LP\4420
  2⤵
  PID:2780
- C:\Users\Admin\AppData\Local\Temp\474e146922b8df4c3f5038bcf1a34b1a_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\474e146922b8df4c3f5038bcf1a34b1a_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\03D37\95744.exe%C:\Users\Admin\AppData\Roaming\03D37
  2⤵
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\03D37\794A.3D3

Filesize
996B

MD5
59df0f44b959cee7c9fa357d72465ce2

SHA1
546bae03739168b89479bfca15cd9bc5c1514638

SHA256
b2342d34a74fe755b4be8be8d159797dd6993194b65ddb228a194f6d07585bde

SHA512
49394de6c6d39ce62ca45b971873a595e048d451f6ee87d9b9b0b949881bc9d037e21adeb958e2d9d9df8c84b1e3e073d0eabf59fef831ae503828caca006efd

Download Submit
C:\Users\Admin\AppData\Roaming\03D37\794A.3D3

Filesize
600B

MD5
35154b28097424b52fba748af8e034c1

SHA1
45ac9eb2b93c126034fa3aa7734a4ac67bdee3c2

SHA256
e215a9f0282eaf49363835070e7901b7fd368eba3ddf03dc07c17cc74c2a785a

SHA512
be655e26b5d159354dd1d1238707b13eeb9622fd4f2382f141e8d60ee2da411cd3d389274d080825dc40115585ef59254493542bb148fa80c46b28d9ddc25eb2

Download Submit
C:\Users\Admin\AppData\Roaming\03D37\794A.3D3

Filesize
1KB

MD5
a40d5d984203664665ec2f3de6b706e7

SHA1
0fc64ed1e71f8be4fe966989eb9c79922258040e

SHA256
5b6095ae5811b47a2e58ae7ebded1936bbfc55dc76d0ac03a873716932f14465

SHA512
ceca03b39dd142497c84e7dc8aae0757950b0f1f4dc73fe6f2756049e2316723a1b30e11106d547e0bdeefc720d7a600b780fcf6b7f9c44bd73040aff057dc7e

Download Submit
C:\Users\Admin\AppData\Roaming\03D37\794A.3D3

Filesize
1KB

MD5
48bfd8b67107a5ab1117fbe3f60da966

SHA1
49559a5be52e587d40a9df578ee6f2ff8c5ea7e0

SHA256
b42b3126b682e9550339b9d961d0411d2acf3796f7fb0da30f321632e1ed7aa0

SHA512
e83aee7db4432fd60c5b066e48e0b64a2cedcee991df2c2eb0f8e9895b41ffdfb5dfe9e11baed101c4cdf0369851f47cad48d894e22ff8c1e4a2147da53b20ad

Download Submit
memory/2352-121-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2352-122-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2708-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2708-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2708-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2708-231-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2708-236-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2780-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing