ea23e1e61047167cbf36b8c3d4f8dbdfe98aff26398e25f5eb5edd6138dad1d0

General

Target

7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe
Size

200KB
MD5

7150cdd8f39d8f6daca62172a1c5616d
SHA1

a72981bb8ebac15bb2bf8567f1ee4a3fe7185ef6
SHA256

ea23e1e61047167cbf36b8c3d4f8dbdfe98aff26398e25f5eb5edd6138dad1d0
SHA512

e2b32c23ac3b89b5e044d9093c1ebae6fd5d7c5729c542d09e82cd0e9e4b9fa37d92c0c43d2b6275770b55c9c02915bb862a2e1f493d4aeb087434cf279dbd72
SSDEEP

3072:XxCRlIfzpTYjHXrIIqeFqsXsKOue1u17bK20IyUjOGHatXAnpUM8ICU6ty2CKi:GIf5a7dqLAFRbByUjOBtQ+tG6ty2CN

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1740-2-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1740-3-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2756-13-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2756-14-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2756-15-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1740-16-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/3040-123-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/3040-122-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/3040-124-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1740-245-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1740-312-0x0000000000400000-0x0000000000454000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2756	1740	7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe	30
PID 1740 wrote to memory of 2756	1740	7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe	30
PID 1740 wrote to memory of 2756	1740	7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe	30
PID 1740 wrote to memory of 2756	1740	7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe	30
PID 1740 wrote to memory of 3040	1740	7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe	32
PID 1740 wrote to memory of 3040	1740	7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe	32
PID 1740 wrote to memory of 3040	1740	7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe	32
PID 1740 wrote to memory of 3040	1740	7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe startC:\Program Files (x86)\LP\24CA\1B0.exe%C:\Program Files (x86)\LP\24CA
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\AE497\3C324.exe%C:\Users\Admin\AppData\Roaming\AE497
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AE497\7485.E49

Filesize
996B

MD5
3090892eb778146692ffb7522185772c

SHA1
d527b25c48b4574a8375ad4a36fc8774d1301c48

SHA256
e7b01816d73dd5e48819ba291acb06550832cfe143b8fcfdc82987ac35143aff

SHA512
cb7e992c2f852045d5011040d8bb317815d225a117c4f5c3ef1529c1b4d707d5ec188ed4509323029bf934bd2210966bdb80b3323773ba575f6d351c4afb3596

Download Submit
C:\Users\Admin\AppData\Roaming\AE497\7485.E49

Filesize
600B

MD5
83b9f4eb2c65247a5260053f324008d3

SHA1
7b30c8773b9bb254e32e5234505ce6ed6d09cf9d

SHA256
619034280d3ff7ad0770334d9a0ee0271e6af40e49ab1cf6518540a0daec4d0c

SHA512
729f2a9f605bfc2fffaf7c2af32bda892f00f34defcb5f005295f90936f2fc75c671cbc6320e51828fcdda34180605d104ae9d27e0b39904fc905d373ffb7dff

Download Submit
C:\Users\Admin\AppData\Roaming\AE497\7485.E49

Filesize
1KB

MD5
6d8f6fdfce6262969a5832bd0846ab86

SHA1
a7d47089aaae8e9873c652d33530b46533d3c531

SHA256
3b6c9af9fe46d924793e15cddad9800409bce4e9790cfdfb98556cc294564ac0

SHA512
54fa1f408f3480a294aedf451e59e459f8445d90e9af24c658a5a0d6066b57f4fe1edd721fb7a2227d5fac12b16825481c921de2f566a027529c95c8ca6905cb

Download Submit
memory/1740-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1740-3-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1740-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1740-312-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1740-245-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1740-16-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2756-13-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2756-15-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2756-14-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3040-124-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3040-122-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3040-123-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing