441a72ebea39d31458419447bb3e688c37e7c300bf9153ab1f26075ee01f94ef

General

Target

6fa5c13043126671354e09f4da2c1bf7_JaffaCakes118.exe
Size

212KB
MD5

6fa5c13043126671354e09f4da2c1bf7
SHA1

3a83e1b5073e8af337ee8a496c69d1ce95d1e436
SHA256

441a72ebea39d31458419447bb3e688c37e7c300bf9153ab1f26075ee01f94ef
SHA512

a53bc9bebfba50dd3cfa0b6fde63235f8d2cd4269b302506b1fb0c5986a18463072332205fb14893287806e3afa170f05741c53960e613138857dd151d7f67b9
SSDEEP

3072:Mt959W8lgzl/yNauKpiqFXJwEvPH+pNx/sRlX96aq1gpz7BwECAgS8eP9gFh+HL:MtDXau8lXJHXuDUT6rgV9SAgS5PS3+H

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2276-1-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2492-5-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2492-4-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2276-14-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2564-83-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2564-85-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2564-82-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2276-193-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process
PID 2276 set thread context of 0	2276	6fa5c13043126671354e09f4da2c1bf7_JaffaCakes118.exe
PID 2492 set thread context of 0	2492	6fa5c13043126671354e09f4da2c1bf7_JaffaCakes118.exe
PID 2564 set thread context of 0	2564	6fa5c13043126671354e09f4da2c1bf7_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6fa5c13043126671354e09f4da2c1bf7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6fa5c13043126671354e09f4da2c1bf7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6fa5c13043126671354e09f4da2c1bf7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2492	2276	6fa5c13043126671354e09f4da2c1bf7_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2492	2276	6fa5c13043126671354e09f4da2c1bf7_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2492	2276	6fa5c13043126671354e09f4da2c1bf7_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2492	2276	6fa5c13043126671354e09f4da2c1bf7_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2564	2276	6fa5c13043126671354e09f4da2c1bf7_JaffaCakes118.exe	32
PID 2276 wrote to memory of 2564	2276	6fa5c13043126671354e09f4da2c1bf7_JaffaCakes118.exe	32
PID 2276 wrote to memory of 2564	2276	6fa5c13043126671354e09f4da2c1bf7_JaffaCakes118.exe	32
PID 2276 wrote to memory of 2564	2276	6fa5c13043126671354e09f4da2c1bf7_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\6fa5c13043126671354e09f4da2c1bf7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6fa5c13043126671354e09f4da2c1bf7_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\6fa5c13043126671354e09f4da2c1bf7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\6fa5c13043126671354e09f4da2c1bf7_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2492
- C:\Users\Admin\AppData\Local\Temp\6fa5c13043126671354e09f4da2c1bf7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\6fa5c13043126671354e09f4da2c1bf7_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\994A.6B9

Filesize
1KB

MD5
d76c94af7f7e6f2848bda2f87fe5ff51

SHA1
18cd79779f92de06b1e5886e395195b3e5ccca66

SHA256
747be73198dee4ed88b8b5b60498b8f32ded674700cb5a584b352f46b7370bd6

SHA512
53b71d2d0ac53c7952cb531ca85cb9ca6cd5aa968f351ed735c3b3c77455b612b0786a328e7e3b79892f01dad1b466dc35210956b0bb476e08f29c9ca758fe63

Download Submit
C:\Users\Admin\AppData\Roaming\994A.6B9

Filesize
600B

MD5
bd5490637768d3cbc923c42e36e0395a

SHA1
03a4fb15de75d8bbc9b6b76b4b67378eb2ff2689

SHA256
7eeaceefc3b0e3fce41632e671d9ec9d56b1a66b3b61fec1f84fcb2d7caee910

SHA512
51c998cead7a21161ce7e7ddf0452bc98ca82862d68d764195ea913a0a9a39d0caf060315429ef7202880e4a39218174115b8ca17237bea59ab6b0f01caff1ed

Download Submit
C:\Users\Admin\AppData\Roaming\994A.6B9

Filesize
996B

MD5
60f8fbef8e3de76bcc2900f25aa0470a

SHA1
072d7b5d808ce65ffe1f8afe6badeaa0bfd4611a

SHA256
c68b9f48348037fefa4ce401d3b48486a9ab5171e3cf005ab19722e8e46f5762

SHA512
bf2cd875c7fb589a8375263a1847c856f59440fcf43a1219ec923f93665a637e9defff5a4ed7186e1d05639679ceeb0b97df5231a013007c2389adc5007109a7

Download Submit
memory/2276-1-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2276-14-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2276-193-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2492-5-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2492-4-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2564-83-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2564-85-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2564-82-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing