b457eff3de5a2725fcfdfe9d0908af2dd272b669d78275bc62bc3734e97947c7

General

Target

a6b7faea8a82eb496bd131d3644143cc_JaffaCakes118.exe
Size

213KB
MD5

a6b7faea8a82eb496bd131d3644143cc
SHA1

2be5a98f8bffa5613b57ff2fa1c454d22e35efb9
SHA256

b457eff3de5a2725fcfdfe9d0908af2dd272b669d78275bc62bc3734e97947c7
SHA512

04cec2d112a58811f96ec77b0a548855983ab3f92855ff1952a3c3816fc3edbf765fb8a19a9db4fab36e0ad398a64f2418f6b40627ff2fa4c2e8a3906630c7f1
SSDEEP

6144:Kz8RM0nCpXDNUyztFDB+L7w8Wm8y/xt762xMe:m8RM7TUxHw8SU762xMe

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2116-2-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1084-9-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1084-8-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2116-14-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1556-79-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2116-184-0x0000000000400000-0x000000000044F000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6b7faea8a82eb496bd131d3644143cc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6b7faea8a82eb496bd131d3644143cc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6b7faea8a82eb496bd131d3644143cc_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1084	2116	a6b7faea8a82eb496bd131d3644143cc_JaffaCakes118.exe	30
PID 2116 wrote to memory of 1084	2116	a6b7faea8a82eb496bd131d3644143cc_JaffaCakes118.exe	30
PID 2116 wrote to memory of 1084	2116	a6b7faea8a82eb496bd131d3644143cc_JaffaCakes118.exe	30
PID 2116 wrote to memory of 1084	2116	a6b7faea8a82eb496bd131d3644143cc_JaffaCakes118.exe	30
PID 2116 wrote to memory of 1556	2116	a6b7faea8a82eb496bd131d3644143cc_JaffaCakes118.exe	33
PID 2116 wrote to memory of 1556	2116	a6b7faea8a82eb496bd131d3644143cc_JaffaCakes118.exe	33
PID 2116 wrote to memory of 1556	2116	a6b7faea8a82eb496bd131d3644143cc_JaffaCakes118.exe	33
PID 2116 wrote to memory of 1556	2116	a6b7faea8a82eb496bd131d3644143cc_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\a6b7faea8a82eb496bd131d3644143cc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a6b7faea8a82eb496bd131d3644143cc_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\a6b7faea8a82eb496bd131d3644143cc_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\a6b7faea8a82eb496bd131d3644143cc_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1084
- C:\Users\Admin\AppData\Local\Temp\a6b7faea8a82eb496bd131d3644143cc_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\a6b7faea8a82eb496bd131d3644143cc_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6A1D.3D1

Filesize
1KB

MD5
daf53b4d9f95d420f2a5170905c619d5

SHA1
52744fc11af43275fda3d4c87e56af9ecfb2b5a6

SHA256
b6daff8a36e0fad582dff1d2a4aa7a229a791878128c90b9228c7c7de15e469b

SHA512
4cd03704e2432436351bfa8123f62cf3765d8e344e55540759890e31a99238d279fba5df1ad6af9df2029602b6a525b15a832f9c48f9d82f253429cceb8cf032

Download Submit
C:\Users\Admin\AppData\Roaming\6A1D.3D1

Filesize
600B

MD5
a45e54ce1c9a8bd1b0ab0d885b25d4ec

SHA1
0b09585a7f609756fb4859680021bbee78533666

SHA256
cd1f0caef83a353ad67efd56a12b71fb5e7479633b45932914180591b979b47d

SHA512
73219141295573086d83187322303d648562a70e13d894c69e834df13f48d8d6e3261102941f11de4c7b828d409d5d72fa1d1110acb06f8319b767d82ea31163

Download Submit
C:\Users\Admin\AppData\Roaming\6A1D.3D1

Filesize
996B

MD5
5127fdc0ca1add17449fc983b72878db

SHA1
6a41e35d04703d6dff95c1586212ffeaf9f404ed

SHA256
77f45012d758d91f0fc1a22465a440427c2cae85b4046a21ec263b61d947a5a4

SHA512
d6cc23e353167ee0a8a9f3395d1e183d06c54a7f4a22e07b16ac763d9b6495493e77f5a0c3b1cb6b5ff1c001df2b128ab319a2a11b76042a0cc574be26eab24f

Download Submit
memory/1084-9-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1084-8-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1556-79-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2116-1-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2116-2-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2116-14-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2116-184-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing