d4db4d19b594aee5ea32d485fd85b8aedd2aef5732804308b32129a51e28f324

General

Target

f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe
Size

145KB
MD5

f63f6b029aeace284d09a67b3a53a698
SHA1

befed0a008ae0b3d8cd48a91520f6ff9a03c6aaf
SHA256

d4db4d19b594aee5ea32d485fd85b8aedd2aef5732804308b32129a51e28f324
SHA512

ec64e2c2617f9bff6e9d7968927b388d5b3b356d6966c7df1a11c3b70520f6780d5ec97c600911dcc6eb3ff74b87e31caea8c5affd60a0352e2783162849e5d1
SSDEEP

3072:3ViATZgSL5ZllFpe7ITbsQIJzabJbHTwEs6mT9qVDkEmjxtG6f2Siv77Kxgn:liSLvDyUvZRlbHM+mhEWjxtG22SivJ

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/488-2-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2164-5-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2164-6-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2164-8-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/488-11-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2548-72-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2548-73-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/488-153-0x0000000000400000-0x000000000043E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 488 wrote to memory of 2164	488	f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe	29
PID 488 wrote to memory of 2164	488	f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe	29
PID 488 wrote to memory of 2164	488	f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe	29
PID 488 wrote to memory of 2164	488	f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe	29
PID 488 wrote to memory of 2548	488	f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe	31
PID 488 wrote to memory of 2548	488	f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe	31
PID 488 wrote to memory of 2548	488	f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe	31
PID 488 wrote to memory of 2548	488	f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:488
- C:\Users\Admin\AppData\Local\Temp\f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2164
- C:\Users\Admin\AppData\Local\Temp\f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C2E9.609

Filesize
1KB

MD5
929474e376b43ab3c9f589d7ec9aebab

SHA1
47a2e388b96417ee80989b392f4d49a3fd99000c

SHA256
ba9de66a0780627d7ec72be65c476a3e2c11397a1b4e2a648de9e477ff7f9fe8

SHA512
4d0e3288b3b8e6b941f3a5d4dcecb99c832424f763ba23f5ec651a075a48e5e8f4c3f6fed6083f3eacb32e275ccc42d262d3bb7fe7eca05c550739a207070e38

Download Submit
C:\Users\Admin\AppData\Roaming\C2E9.609

Filesize
300B

MD5
21240f6152110900314c05a690d537b6

SHA1
9c4677427d796a69df9d9cc85d2a56ac135462fc

SHA256
e5f41164f8db653973869f1d972988343088f0a6d90d55d6f6da96e9b024d6da

SHA512
4df22dd988c00704ea17ca81cd1ff6bf8348a36d4867815fdfa37d2714df0f9d336741af8b9b7a2be258c9387729d4582eabbbbd96e96ebde6c0d8f795eeb38d

Download Submit
C:\Users\Admin\AppData\Roaming\C2E9.609

Filesize
696B

MD5
f3aa41ed94471b08c51e202de284078a

SHA1
ddcb5cca0a40b38fbd0c63cc4114a48a2a65b8a8

SHA256
cb815cc7dcdeb4bea34bbb32b4d928c730745be883d2ef2cd226a878c79d44a7

SHA512
2bb42d4849e0e667e4db4db99b30694a264b36f7aa46dd85c20c60ed110cef68a08c12758e3450cec583bb659c6988ab040572ec2cdeda23ebb1652266f410cd

Download Submit
memory/488-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/488-153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/488-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/488-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2164-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2164-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2164-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing