93e4d21003f5aea98d1712a1a911e95b8ff3b27a5795783099a4c6d2c06fe74b

General

Target

81ca2049b15cf9a9e9c3bf96ee35e53e_JaffaCakes118.exe
Size

192KB
MD5

81ca2049b15cf9a9e9c3bf96ee35e53e
SHA1

4763479e6b46e2ac26db1b642b972e4b8cd6a006
SHA256

93e4d21003f5aea98d1712a1a911e95b8ff3b27a5795783099a4c6d2c06fe74b
SHA512

0a24911ab2a3216339037669529900910daee0a199bc3a5f0aeed6cf1033e6fbd77ff1af4cbec9d3ac82fa2f11df914ce3f2142200a739566b8c491c74613737
SSDEEP

3072:SSDA9TNM2PEakZrGshz7BKLebz2AW/sMrT5lky686da:S0sTNM2PK3WLbsEc86

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3032-1-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/3032-3-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2688-17-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2688-20-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2688-19-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2932-88-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/3032-87-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/3032-197-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81ca2049b15cf9a9e9c3bf96ee35e53e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81ca2049b15cf9a9e9c3bf96ee35e53e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81ca2049b15cf9a9e9c3bf96ee35e53e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2688	3032	81ca2049b15cf9a9e9c3bf96ee35e53e_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2688	3032	81ca2049b15cf9a9e9c3bf96ee35e53e_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2688	3032	81ca2049b15cf9a9e9c3bf96ee35e53e_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2688	3032	81ca2049b15cf9a9e9c3bf96ee35e53e_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2932	3032	81ca2049b15cf9a9e9c3bf96ee35e53e_JaffaCakes118.exe	32
PID 3032 wrote to memory of 2932	3032	81ca2049b15cf9a9e9c3bf96ee35e53e_JaffaCakes118.exe	32
PID 3032 wrote to memory of 2932	3032	81ca2049b15cf9a9e9c3bf96ee35e53e_JaffaCakes118.exe	32
PID 3032 wrote to memory of 2932	3032	81ca2049b15cf9a9e9c3bf96ee35e53e_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\81ca2049b15cf9a9e9c3bf96ee35e53e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81ca2049b15cf9a9e9c3bf96ee35e53e_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\81ca2049b15cf9a9e9c3bf96ee35e53e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\81ca2049b15cf9a9e9c3bf96ee35e53e_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2688
- C:\Users\Admin\AppData\Local\Temp\81ca2049b15cf9a9e9c3bf96ee35e53e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\81ca2049b15cf9a9e9c3bf96ee35e53e_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0BEF.078

Filesize
1KB

MD5
8e5f3a43c6741a9766938496830eb1dc

SHA1
32272cf223de93075af979395f61b7e9ea24833d

SHA256
e93913d435ba3214ba90c256f0a31b3387ae57e4946cc4cf422a71b8fc5b69f5

SHA512
665ade4e62f77aa78fb7bc9961ac771b7048d2aa1090218cd81a6ec34acf75b792b402a943ea51d9581ecc1edccacd87f5b148443e51959f968b39c5909f0bfc

Download Submit
C:\Users\Admin\AppData\Roaming\0BEF.078

Filesize
897B

MD5
0b91b6c9cad11c582e0802d621e1d955

SHA1
478d04bf8dd81e27b364d02e6dc5d46d064b828d

SHA256
d3487b8d923e741023e1ed293250e3cf232992abb415e29c1bac88b1a109b355

SHA512
77d6057b207e4add1830658cb1efa5a638dd38b328516dbca0e55d22ceb4a750089f99f129543a76fc8f7c4bb63453d336ec8429d79057876612aa168f7d808d

Download Submit
C:\Users\Admin\AppData\Roaming\0BEF.078

Filesize
1KB

MD5
f855d1d7b4737d0d252e5cf5b7176fb1

SHA1
070cf4448cb334f9add47c9a42a990009d3705ed

SHA256
b660b516207e7e9a51635d727aa4c21ccbedf6b76a980766d369d197c1623fb9

SHA512
f4ca85056593121bb2e23212a4827778adbd273aa6076e764d90c9cc741d1d18b73ff71862882f4f45cf0b25e2090828d1e2c7e02a6a5e0bd4a11d8f5a2c8b64

Download Submit
C:\Users\Admin\AppData\Roaming\0BEF.078

Filesize
597B

MD5
9d4346df6f195d221d27a4d277cc9a49

SHA1
f4a4f4fcf40dd82c5e73656b0a52bfaf3da6eed6

SHA256
f09034ab3680e9df8d7414e9a6a36528e632389532caed010877887935ef74ca

SHA512
73e5823acc960637214dddbbc22d71ec3ce0103975bcb9744ff25b418cc2dae371f9630e31593c39f5cea68721dbbe8d2885c13a848869575f5b639a51432691

Download Submit
memory/2688-17-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2688-19-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2688-20-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2932-89-0x000000000029D000-0x00000000002BA000-memory.dmp

Filesize
116KB

Download
memory/2932-88-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3032-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3032-87-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3032-3-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3032-197-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing