82ff9ebf12a534bbf3061877aa252843ea7ce8665ac716091a23ad088cd2dfae

Analysis

max time kernel
139s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 01:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

59e0221e475e85fa984e16992fced497_JaffaCakes118.exe
Size

379KB
MD5

59e0221e475e85fa984e16992fced497
SHA1

1bfe76c1ec4c8c94d34e427f4896139f12c49b35
SHA256

82ff9ebf12a534bbf3061877aa252843ea7ce8665ac716091a23ad088cd2dfae
SHA512

032e715d4b92649e88028506cdd41cdd5538fa6307661dafd847b8a45614cac76efc28cae104825f367fc3bcee5af9453c1ee118d272078266bbbdaaff8b066e
SSDEEP

6144:/+qn/00gA1pJzXsWuTHgU9xGJRKeOGDykNwS1F8kqslg92YAoS0LE4:Hs03z8tgkGJRxpw4osO2JoS0LE4

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/740-0-0x0000000000DF0000-0x0000000000F2B000-memory.dmp	upx
behavioral2/files/0x00070000000234bf-7.dat	upx
behavioral2/memory/740-5-0x0000000000DF0000-0x0000000000F2B000-memory.dmp	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 4336	740	59e0221e475e85fa984e16992fced497_JaffaCakes118.exe	92
PID 740 wrote to memory of 4336	740	59e0221e475e85fa984e16992fced497_JaffaCakes118.exe	92
PID 740 wrote to memory of 4336	740	59e0221e475e85fa984e16992fced497_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\59e0221e475e85fa984e16992fced497_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\59e0221e475e85fa984e16992fced497_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\515.bat
  2⤵
  PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\333317.exe

Filesize
379KB

MD5
59e0221e475e85fa984e16992fced497

SHA1
1bfe76c1ec4c8c94d34e427f4896139f12c49b35

SHA256
82ff9ebf12a534bbf3061877aa252843ea7ce8665ac716091a23ad088cd2dfae

SHA512
032e715d4b92649e88028506cdd41cdd5538fa6307661dafd847b8a45614cac76efc28cae104825f367fc3bcee5af9453c1ee118d272078266bbbdaaff8b066e

Download Submit
C:\Users\Admin\AppData\Local\Temp\515.bat

Filesize
177B

MD5
4146b3ca71d002a0cdcf0c7d10998263

SHA1
4bc300a50de06cfcc4182c13b48b6b519af2aa0d

SHA256
7ea5d73dc35ca6043fb7ed37e36628224f1a341aa164ac2e1d12dd4e4fbc7748

SHA512
a22642880c9da77bfe67bea82d6d631f0125d3702993f64d87fddc871fcdade3a4cf09bd478e47320e19c66387ecd9d4aee39bbf71c3218783295584fa1dc45b

Download Submit
memory/740-0-0x0000000000DF0000-0x0000000000F2B000-memory.dmp

Filesize
1.2MB

Download
memory/740-5-0x0000000000DF0000-0x0000000000F2B000-memory.dmp

Filesize
1.2MB

Download