146bf4a9cfbe81d8022474ac64f8efe375f6175ed131c3e8a7b6307678bc7518

General

Target

b53a404cb29fa6f173964c1a83a50a2f_JaffaCakes118.exe
Size

177KB
MD5

b53a404cb29fa6f173964c1a83a50a2f
SHA1

035e19be09bb4fe5e36483b0edce76b9a6f9eb05
SHA256

146bf4a9cfbe81d8022474ac64f8efe375f6175ed131c3e8a7b6307678bc7518
SHA512

f0a8632fc51336c244a0bbdba80170071328193ad2d27ee5e87443562c4360c9224def9545ad0ebf3ac38efc288da27071d586927045878968333cf8afe7dc7f
SSDEEP

3072:oAalUMyDosbO9Wo29J1BOWn4ylJIHksnVatSj6Rfv/HEcTKB9TX:ozU1qo5n1fIEgVaAGBHyBJ

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2060-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2740-7-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2740-8-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2060-19-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2216-83-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2060-195-0x0000000000400000-0x000000000044B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b53a404cb29fa6f173964c1a83a50a2f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b53a404cb29fa6f173964c1a83a50a2f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b53a404cb29fa6f173964c1a83a50a2f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2740	2060	b53a404cb29fa6f173964c1a83a50a2f_JaffaCakes118.exe	30
PID 2060 wrote to memory of 2740	2060	b53a404cb29fa6f173964c1a83a50a2f_JaffaCakes118.exe	30
PID 2060 wrote to memory of 2740	2060	b53a404cb29fa6f173964c1a83a50a2f_JaffaCakes118.exe	30
PID 2060 wrote to memory of 2740	2060	b53a404cb29fa6f173964c1a83a50a2f_JaffaCakes118.exe	30
PID 2060 wrote to memory of 2216	2060	b53a404cb29fa6f173964c1a83a50a2f_JaffaCakes118.exe	32
PID 2060 wrote to memory of 2216	2060	b53a404cb29fa6f173964c1a83a50a2f_JaffaCakes118.exe	32
PID 2060 wrote to memory of 2216	2060	b53a404cb29fa6f173964c1a83a50a2f_JaffaCakes118.exe	32
PID 2060 wrote to memory of 2216	2060	b53a404cb29fa6f173964c1a83a50a2f_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\b53a404cb29fa6f173964c1a83a50a2f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b53a404cb29fa6f173964c1a83a50a2f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\b53a404cb29fa6f173964c1a83a50a2f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\b53a404cb29fa6f173964c1a83a50a2f_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2740
- C:\Users\Admin\AppData\Local\Temp\b53a404cb29fa6f173964c1a83a50a2f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\b53a404cb29fa6f173964c1a83a50a2f_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D4BB.7F1

Filesize
597B

MD5
24b283e7506619d7e17acc84b239c63f

SHA1
5d6fb8528405eaf31f57018a7be2681092d41519

SHA256
894068365e77b2f8f8520754f71ef5045514d9a1d24235cbadb8af4eb1f58d85

SHA512
eddcd83ea4db955351178eb1a0536264ce16ec0b9b847952ef25d714adf7a3d9002bb636495341a3ed7703683805ec5d1e312b71ee6a3dc1a4d794ccbc2999a3

Download Submit
C:\Users\Admin\AppData\Roaming\D4BB.7F1

Filesize
1KB

MD5
acefb08fcfec018ada57a77aa5d1295c

SHA1
13f75e7aebd03bb9ad27240b28d06d27da3ecf18

SHA256
a650be447653677f2bc282bae6c5d43c1ea2c5491875e7ef7ad070ae393eeafe

SHA512
6a78c060321c897cc644824429eb2933bcfd6983e6aa56645d4ceb3a65ceff39536968cd360638ebe2cda503e51e73291e0e8f90f777e7b694ea28ebd2bc51e7

Download Submit
C:\Users\Admin\AppData\Roaming\D4BB.7F1

Filesize
1KB

MD5
7305079b307e29aa4e00f92bac916aae

SHA1
26c1f5322bf8f3fe597b34c7bf563f8081af180f

SHA256
93591311ec9df145f2535a399eca7dd46d155b6571329345387aee198aeeef96

SHA512
ac45cc751034a823e62ec5704bf3df03b0b696eb71343b1df205d456a02ddb084672bf5fbca9de2fc78ffe728d46cda0cadfc90db737f990d08b3b7fc32db614

Download Submit
C:\Users\Admin\AppData\Roaming\D4BB.7F1

Filesize
897B

MD5
1da05fe1d6081d36c71e9093662b9a34

SHA1
0cd42b79d7934426533eaeecaddecba81d627b22

SHA256
503206640fc72104ac3fc999b1d49ccc640387ce0f969bcae5e52550c3f4f46f

SHA512
a0a37918fafa6f68f9a6fc1bf83a8938ad3f199a84727c96063b506b04cabbc9df64329eeca5535c29e67ded5ecb47284af2afb41edb274f3371d1a62bee2422

Download Submit
C:\Users\Admin\AppData\Roaming\D4BB.7F1

Filesize
1KB

MD5
cde1f36cd0ceeb24caa3548d215d250b

SHA1
7b0e0f1eb5f14d72966c7f314cf4d74c4148739f

SHA256
0011ad19cf2a79f24cc11bbd78607068049a09aac0715fa49de4b3ab588767c8

SHA512
bd2c63a9dab378055e69c6931e845d92b80e9ee58c327b4ba88631552564aa55ce542ce12d56218910f533349644de4cf108e407fd24eb05190e8815a3b8a591

Download Submit
memory/2060-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2060-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2060-195-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2060-19-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2216-83-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2216-82-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2740-8-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2740-7-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing