b3fded9fc0dc26ed46c5977b9e72e58e91c3e49a99d17a912dae53beb7cabd12

General

Target

7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe
Size

206KB
MD5

7841a99b47d35a121afa5f6065a73c23
SHA1

4e99899fb4c76f94d9948fe2c5074a0508524afb
SHA256

b3fded9fc0dc26ed46c5977b9e72e58e91c3e49a99d17a912dae53beb7cabd12
SHA512

7cc3c3ca8a26ef44a87d8a703b5cc3ade79a7f7374ffab11e1e0c04b6f0bd218a46091ed3ceacda6b258e3472a87c87e618307f53c74f21ff638593a9333bf92
SSDEEP

6144:fOdPMlDovWyRsIkQ2MqPGlMy4kuG7b+Z/PZbq:fOKlDSWieRLhMCZ/B

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2012-1-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2836-11-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2836-12-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2836-13-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2012-14-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/928-93-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/928-94-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/928-95-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2012-167-0x0000000000400000-0x0000000000454000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2836	2012	7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe	30
PID 2012 wrote to memory of 2836	2012	7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe	30
PID 2012 wrote to memory of 2836	2012	7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe	30
PID 2012 wrote to memory of 2836	2012	7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe	30
PID 2012 wrote to memory of 928	2012	7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe	32
PID 2012 wrote to memory of 928	2012	7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe	32
PID 2012 wrote to memory of 928	2012	7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe	32
PID 2012 wrote to memory of 928	2012	7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2836
- C:\Users\Admin\AppData\Local\Temp\7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\26B8.E65

Filesize
600B

MD5
afe2c87453345208d4df6953f0bc82d6

SHA1
c3f58911ca5884792da308951c8e80caa0525c42

SHA256
03492e66f330753dbf17d8e57e84293fe73549fe1a9392bd88063aa4b4aacb1b

SHA512
9d817f0879f8f766aba44f17d58545034ce97a341e1f087419fb734b23e2a788acac7376d9730ebeba3ce7da83e9d58076db6a811317fe676365b475258c151f

Download Submit
C:\Users\Admin\AppData\Roaming\26B8.E65

Filesize
1KB

MD5
b88cc5b748eb5368b2c6e5b105bd3e2d

SHA1
a606a85f302faf007161d523cdb8a268bec311ab

SHA256
b894ca6937b9399dd567dab0ce9baa705fdbcbe49266621b9f695607f54e61f6

SHA512
54ed3427b62d556730309b57031c65793ed5f908c69cb37eb59807c4619706a37c7bc0f7133d8b85c90b809c0dd6f573204dd5ae6ee0f152b7dd7d93d42dfd61

Download Submit
memory/928-93-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/928-94-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/928-95-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2012-1-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2012-14-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2012-167-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2836-11-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2836-12-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2836-13-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing