e5662f50fb3241a3695bbcd350ff2c258879a7d12a0431690d3f08856f324b61

General

Target

bdce93ec2a930cbbc21bee91d42d6987_JaffaCakes118.exe
Size

181KB
MD5

bdce93ec2a930cbbc21bee91d42d6987
SHA1

14484279e657b1ce0b819cec550268f6ba16f7e0
SHA256

e5662f50fb3241a3695bbcd350ff2c258879a7d12a0431690d3f08856f324b61
SHA512

ec2778f3aad86c0eb3e4a0422cfcf08d572fb3eccded8dd4bcd5278123fc69ea529cf397a793ffa1e3a59353cd7da13981ed4dc48b7cd0765e881d949b2a0b76
SSDEEP

3072:lJZcJkapqDjsCnXUtBzCR+yFiiLqhRb1390KV56euVLKXH4vrJdIe2p8:JcJkapqDnXkBzU+4qHbVBLuVO34DnIH8

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2500-1-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1988-8-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1988-7-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1988-10-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2500-15-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/536-78-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/536-77-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2500-152-0x0000000000400000-0x000000000046C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdce93ec2a930cbbc21bee91d42d6987_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdce93ec2a930cbbc21bee91d42d6987_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdce93ec2a930cbbc21bee91d42d6987_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 1988	2500	bdce93ec2a930cbbc21bee91d42d6987_JaffaCakes118.exe	30
PID 2500 wrote to memory of 1988	2500	bdce93ec2a930cbbc21bee91d42d6987_JaffaCakes118.exe	30
PID 2500 wrote to memory of 1988	2500	bdce93ec2a930cbbc21bee91d42d6987_JaffaCakes118.exe	30
PID 2500 wrote to memory of 1988	2500	bdce93ec2a930cbbc21bee91d42d6987_JaffaCakes118.exe	30
PID 2500 wrote to memory of 536	2500	bdce93ec2a930cbbc21bee91d42d6987_JaffaCakes118.exe	33
PID 2500 wrote to memory of 536	2500	bdce93ec2a930cbbc21bee91d42d6987_JaffaCakes118.exe	33
PID 2500 wrote to memory of 536	2500	bdce93ec2a930cbbc21bee91d42d6987_JaffaCakes118.exe	33
PID 2500 wrote to memory of 536	2500	bdce93ec2a930cbbc21bee91d42d6987_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\bdce93ec2a930cbbc21bee91d42d6987_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bdce93ec2a930cbbc21bee91d42d6987_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Local\Temp\bdce93ec2a930cbbc21bee91d42d6987_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\bdce93ec2a930cbbc21bee91d42d6987_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\bdce93ec2a930cbbc21bee91d42d6987_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\bdce93ec2a930cbbc21bee91d42d6987_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D8FC.C72

Filesize
1KB

MD5
7d77057b07917490df14e7ea33081b44

SHA1
e1cb1b7622d576874fe3fedc97318bb5b21ac91f

SHA256
8673130ba7be4560ef9452c0dc1bf00f59dbc2ce5a3778e3768e53ff9b375244

SHA512
e9b8f2d7cced75970eca5ccc60af0dd01e178f91ab6711cf374aee7d7dcfdf63cbe307803503a379c5441fdb3c40941c4c19b1ff3a2ce5dc20b59cca0741d249

Download Submit
C:\Users\Admin\AppData\Roaming\D8FC.C72

Filesize
600B

MD5
17dd02a656d250cced024d5aa31a09d3

SHA1
16767a4de9cbd42acfc8f8956ca9b699d8a1691a

SHA256
b2cbab1036ec9d82f86ba763641f6e6f2208f287c9a4a66bde59f8750551352c

SHA512
5f2bc6b3dd3614cb267135568d6c79ec3d9d0ab82bd41898096455bfeb81235554a174e9041b5ad15da0b6f238bd390671172231e0da141929d860cb80533f60

Download Submit
C:\Users\Admin\AppData\Roaming\D8FC.C72

Filesize
996B

MD5
cf7c7d4be6500618d614650ef0b04b43

SHA1
c52919790bce7b81ebabc51ac848d9c2695a71ac

SHA256
7f2cb5e05242a4535a379226fb9988ad656be8e06be009e6b7266a6103c6419b

SHA512
498762a35ab0dbc496741edcf010254ea66064a8841135dcb87af01a6a0636d22d25f3f99784f45bd652901883edee806988faf652b38fd2d354aef86dbb12d5

Download Submit
memory/536-78-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/536-77-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/536-76-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1988-8-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1988-7-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1988-10-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2500-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2500-15-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2500-152-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing