abab4d47df4526f2aa83f9e26aaa4305e02a19160e36a3725ce12b9fc928a3b8

General

Target

69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe
Size

180KB
MD5

69251e25a27df770a4e22dc1e537072d
SHA1

be1e926112a5e8a96a74b29cb4ae260000c184e9
SHA256

abab4d47df4526f2aa83f9e26aaa4305e02a19160e36a3725ce12b9fc928a3b8
SHA512

09c75c3a37b892639f7567a190845243929393c0a81ada7de3371da27b3140a741d6e17d7d3c0fdbb123c48183c17af10579fe6c787ffbace2f8b2f48bb70668
SSDEEP

3072:r8OcDn7lRP/zxWC7HHeRbm1OweLcIF7lTtdWLev9IknDRUl91OyBX0oMw408O:r8OcDnRRP/N5iRbqOeIllTtdWLev9Jna

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/348-2-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/348-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2944-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/348-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/316-145-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/348-254-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/348-301-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 2944	348	69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe	31
PID 348 wrote to memory of 2944	348	69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe	31
PID 348 wrote to memory of 2944	348	69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe	31
PID 348 wrote to memory of 2944	348	69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe	31
PID 348 wrote to memory of 316	348	69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe	33
PID 348 wrote to memory of 316	348	69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe	33
PID 348 wrote to memory of 316	348	69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe	33
PID 348 wrote to memory of 316	348	69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:348
- C:\Users\Admin\AppData\Local\Temp\69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe startC:\Program Files (x86)\LP\B146\9BF.exe%C:\Program Files (x86)\LP\B146
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2944
- C:\Users\Admin\AppData\Local\Temp\69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\674E8\C84B1.exe%C:\Users\Admin\AppData\Roaming\674E8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\674E8\8DD6.74E

Filesize
996B

MD5
94a65219b7bfdf6e119a864cf104e469

SHA1
a41724a81746bcf09404705db362fd4afa319167

SHA256
5f39bc6829f3cfb52808757aa2258a47c7d908f0b6c5fc77abff0540b8a3e3ce

SHA512
6a3700322cfecd2077c6d76f7dab333da99fe18b8ce2513cfb26425e6d4596464107fbdf610ec1a505dc47ecf6a144bbc1d7e6e1a50cc1226c14dd7f3dfa0e28

Download Submit
C:\Users\Admin\AppData\Roaming\674E8\8DD6.74E

Filesize
600B

MD5
b591c279236b9057ff74e1734770f464

SHA1
68d8585eb76f011d18b90cfec27f2674a11c0ee1

SHA256
321e441071e5edbce6174b71641ae0454db5c098d4e18ddb6c018eb79f2bc2e4

SHA512
aaf21fd3f71efeacd17586751f053eda5309434cd0b37be826521f5e477951050a62852edbf139975558dba7ed82d44259d647c5b4574a13b79dae101513a540

Download Submit
C:\Users\Admin\AppData\Roaming\674E8\8DD6.74E

Filesize
1KB

MD5
fa226284be2e01b3d0485dc0e49e4ec7

SHA1
419cd4b8a72d1da2e2e939e6556fa5a5aca151dd

SHA256
ecf076060a7984c923b911970195f5f7678d4554aa93d7eb738b93563e36de38

SHA512
16d781a17e966dcaabbe10492322463e47ebe4017cee52de845e4ee5611ccda873d5bc75442777b88b763f4c1c91f78fd719b413f80974ec0117a2418e97e45a

Download Submit
memory/316-145-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/348-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/348-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/348-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/348-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/348-254-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/348-301-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2944-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing