3c8dc03f2ccd069a7f4df697a0a6c2e91f622698ffe82eefc1cd8f06ad4c60be

General

Target

865fa84be992429ab8a73b855b722086_JaffaCakes118.exe
Size

173KB
MD5

865fa84be992429ab8a73b855b722086
SHA1

3ccf1bf78f34b7cb316fd6a88557211a783f6e95
SHA256

3c8dc03f2ccd069a7f4df697a0a6c2e91f622698ffe82eefc1cd8f06ad4c60be
SHA512

0684aa4c7656ee012b625e2e8bb5007382f304970d6954632cf73952f40bbeb2ae4e762c6fac8b66bb97c88e590223f6d32f5145f775402c381848c90a248fe1
SSDEEP

3072:X4DnmRpasUOKy+3SaBEIfuxdOgb7c1SYVvG2Rone+zYE/bdget:X4Dnm7asqiEEIfuxfbY1NXRx+6et

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3068-1-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2456-7-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2456-9-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1744-76-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/3068-78-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/3068-179-0x0000000000400000-0x000000000046C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	865fa84be992429ab8a73b855b722086_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	865fa84be992429ab8a73b855b722086_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	865fa84be992429ab8a73b855b722086_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2456	3068	865fa84be992429ab8a73b855b722086_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2456	3068	865fa84be992429ab8a73b855b722086_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2456	3068	865fa84be992429ab8a73b855b722086_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2456	3068	865fa84be992429ab8a73b855b722086_JaffaCakes118.exe	30
PID 3068 wrote to memory of 1744	3068	865fa84be992429ab8a73b855b722086_JaffaCakes118.exe	32
PID 3068 wrote to memory of 1744	3068	865fa84be992429ab8a73b855b722086_JaffaCakes118.exe	32
PID 3068 wrote to memory of 1744	3068	865fa84be992429ab8a73b855b722086_JaffaCakes118.exe	32
PID 3068 wrote to memory of 1744	3068	865fa84be992429ab8a73b855b722086_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\865fa84be992429ab8a73b855b722086_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\865fa84be992429ab8a73b855b722086_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\865fa84be992429ab8a73b855b722086_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\865fa84be992429ab8a73b855b722086_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2456
- C:\Users\Admin\AppData\Local\Temp\865fa84be992429ab8a73b855b722086_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\865fa84be992429ab8a73b855b722086_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A4BF.60D

Filesize
300B

MD5
1354e8fd784a7f362d5a6ef9be3d0cc5

SHA1
6b45304b0a264db0da4add0f2bd3d478421f5200

SHA256
88ee72527c167964ef70316e4e1459c45e8690a88601f0c932042c70ecf4ccfe

SHA512
a76ac2fd9141adc2c0215708f0fca9f609383ca36f9398e954e2836098b5b0f7f5f6d00dcb461036986c225861434fdfdb58b8f096a9b5a761c3d301c2bcb5e3

Download Submit
C:\Users\Admin\AppData\Roaming\A4BF.60D

Filesize
600B

MD5
bfb04e88ca2396a796fc674adcca1728

SHA1
d694d2a8f039add62c09bb54bddb7f2ee113346c

SHA256
592866c686532a80e0956d63e147e130911ad7c33701165cf8f308398e42b832

SHA512
cf0dda8b21886539db77829ad3e2a5ce99422aafa485e9cf11edd0070427225dc50a04e8ae0f42f9c203893d488e511140e4df72f2b982216cdcc8792771607f

Download Submit
memory/1744-76-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1744-77-0x0000000000669000-0x0000000000683000-memory.dmp

Filesize
104KB

Download
memory/2456-7-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2456-9-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3068-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3068-78-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3068-179-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing