5913d865db67dc2fe7eb012cd6d42af5980582f144940271dc520fc37127d3c0

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df5055e47747cdefd2d0f63651172aa0_JaffaCakes118.exe
Size

379KB
MD5

df5055e47747cdefd2d0f63651172aa0
SHA1

e0c83a50cdb56cedd24306dd9b077ed6fbd3302e
SHA256

5913d865db67dc2fe7eb012cd6d42af5980582f144940271dc520fc37127d3c0
SHA512

3ff7096a8e10e77b90270e6e238815950aca97ec83f6f7fa97555af0b9ecbd8b6afe80c137afe136fbd0dd06223867b0d0d13e902c469887eff076754e64400c
SSDEEP

6144:l+qn/00gA1pJzXsWuTHgU9xGJRKeOGDykNwS1F8kqslg92YAoS0LE7:hs03z8tgkGJRxpw4osO2JoS0LE7

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2712-0-0x0000000000020000-0x000000000015B000-memory.dmp	upx
behavioral1/memory/2712-10-0x0000000000020000-0x000000000015B000-memory.dmp	upx
behavioral1/files/0x000800000001747b-12.dat	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df5055e47747cdefd2d0f63651172aa0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2232	2712	df5055e47747cdefd2d0f63651172aa0_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2232	2712	df5055e47747cdefd2d0f63651172aa0_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2232	2712	df5055e47747cdefd2d0f63651172aa0_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2232	2712	df5055e47747cdefd2d0f63651172aa0_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\df5055e47747cdefd2d0f63651172aa0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df5055e47747cdefd2d0f63651172aa0_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\479.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\479.bat

Filesize
175B

MD5
57da3157e947de984063fc80fe3cf3b6

SHA1
19b85f9cf7a1961fa86d5bd8656db053254b7719

SHA256
9b4768e0f95795adcc13485ba777f1e23b38575d5bb25e5b39e9cf6ad136cf11

SHA512
d4dca63754bd6af1d6adaef370259e74fd12857adbe268b9725bb94c4c9f59b6c1f1e0d5071193665faf528e35dc23ef49079b69e58b6ed04b9d1ccf169ec357

Download Submit
C:\Users\Admin\AppData\Local\Temp\53484.exe

Filesize
379KB

MD5
df5055e47747cdefd2d0f63651172aa0

SHA1
e0c83a50cdb56cedd24306dd9b077ed6fbd3302e

SHA256
5913d865db67dc2fe7eb012cd6d42af5980582f144940271dc520fc37127d3c0

SHA512
3ff7096a8e10e77b90270e6e238815950aca97ec83f6f7fa97555af0b9ecbd8b6afe80c137afe136fbd0dd06223867b0d0d13e902c469887eff076754e64400c

Download Submit
memory/2712-0-0x0000000000020000-0x000000000015B000-memory.dmp

Filesize
1.2MB

Download
memory/2712-10-0x0000000000020000-0x000000000015B000-memory.dmp

Filesize
1.2MB

Download