8082191d6f788b663a2409248860faca7c935eecf1038859e79417243f8af41e

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c806cdb73d9a35f2c6b3bd3453aa6de_JaffaCakes118.exe
Size

386KB
MD5

5c806cdb73d9a35f2c6b3bd3453aa6de
SHA1

5ea2b59333256f1552cf2f0f468fe771fdae9d46
SHA256

8082191d6f788b663a2409248860faca7c935eecf1038859e79417243f8af41e
SHA512

2cccf0afd7d951d2f7ab0d999a267c63218a51056aa2c0e6fbedcdc7b0a4b311f774689990d760e41020c540b534a9141e082f95d975ffff9dbe65f44cc4f3cd
SSDEEP

12288:5IoonlwpyBJ6SS1Ub7KPMsUxDn44K5oS0O22:+oolDjX+MsCD44z2

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2504-0-0x00000000013D0000-0x000000000151F000-memory.dmp	upx
behavioral1/files/0x0008000000016d3a-10.dat	upx
behavioral1/memory/2504-11-0x00000000013D0000-0x000000000151F000-memory.dmp	upx

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2584	2504	5c806cdb73d9a35f2c6b3bd3453aa6de_JaffaCakes118.exe	30
PID 2504 wrote to memory of 2584	2504	5c806cdb73d9a35f2c6b3bd3453aa6de_JaffaCakes118.exe	30
PID 2504 wrote to memory of 2584	2504	5c806cdb73d9a35f2c6b3bd3453aa6de_JaffaCakes118.exe	30
PID 2504 wrote to memory of 2584	2504	5c806cdb73d9a35f2c6b3bd3453aa6de_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\5c806cdb73d9a35f2c6b3bd3453aa6de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5c806cdb73d9a35f2c6b3bd3453aa6de_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\874.bat
  2⤵
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\63485.exe

Filesize
386KB

MD5
5c806cdb73d9a35f2c6b3bd3453aa6de

SHA1
5ea2b59333256f1552cf2f0f468fe771fdae9d46

SHA256
8082191d6f788b663a2409248860faca7c935eecf1038859e79417243f8af41e

SHA512
2cccf0afd7d951d2f7ab0d999a267c63218a51056aa2c0e6fbedcdc7b0a4b311f774689990d760e41020c540b534a9141e082f95d975ffff9dbe65f44cc4f3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\874.bat

Filesize
175B

MD5
31ab146343094952310e65821c2b87be

SHA1
3be49fb88223e423e9b6e07b279a7faf0f31a9af

SHA256
626afabdc3853a76cddbdf8b1b163e4fb62a1d6791ef156d8dcd1e5f14236ed8

SHA512
ba554ba3cc7eea4ca2418ef53082cbfbc4fa9bd36d90f8bc766fa94cd27cb5f7d6d973e262e7d6e029b4607859400824971da640c3bc82d7f22cb6213b37584c

Download Submit
memory/2504-0-0x00000000013D0000-0x000000000151F000-memory.dmp

Filesize
1.3MB

Download
memory/2504-11-0x00000000013D0000-0x000000000151F000-memory.dmp

Filesize
1.3MB

Download