d26af9d7d3002638d93235a68328d47267127c49befd85b05876a5ee0eb8aa88

General

Target

fa8e8454f8286a66bcfc42509838cb20_JaffaCakes118.exe
Size

190KB
MD5

fa8e8454f8286a66bcfc42509838cb20
SHA1

6a21c86e729623da7efcf2d0ba6ed316903e04ed
SHA256

d26af9d7d3002638d93235a68328d47267127c49befd85b05876a5ee0eb8aa88
SHA512

855cefdfd4464ed91dd70a137be065c01545eb9192c1c4bfba6586fad792cd2eabe37644f45fbdd79712b5bcf8780731e2549e3ecc7c0368edff2845389ea97f
SSDEEP

3072:n2eK706GFcVZDP4VHVW4ILINvXT2fxcH8r7S1DYht2mx7LNLztdsTY0TF9:2nnGFcVZb0HQ4Lb8xq8rmqYmx9LziX

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2160-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2276-17-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2276-18-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2160-19-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/864-92-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2160-201-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa8e8454f8286a66bcfc42509838cb20_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa8e8454f8286a66bcfc42509838cb20_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa8e8454f8286a66bcfc42509838cb20_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2276	2160	fa8e8454f8286a66bcfc42509838cb20_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2276	2160	fa8e8454f8286a66bcfc42509838cb20_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2276	2160	fa8e8454f8286a66bcfc42509838cb20_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2276	2160	fa8e8454f8286a66bcfc42509838cb20_JaffaCakes118.exe	30
PID 2160 wrote to memory of 864	2160	fa8e8454f8286a66bcfc42509838cb20_JaffaCakes118.exe	33
PID 2160 wrote to memory of 864	2160	fa8e8454f8286a66bcfc42509838cb20_JaffaCakes118.exe	33
PID 2160 wrote to memory of 864	2160	fa8e8454f8286a66bcfc42509838cb20_JaffaCakes118.exe	33
PID 2160 wrote to memory of 864	2160	fa8e8454f8286a66bcfc42509838cb20_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\fa8e8454f8286a66bcfc42509838cb20_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa8e8454f8286a66bcfc42509838cb20_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\fa8e8454f8286a66bcfc42509838cb20_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fa8e8454f8286a66bcfc42509838cb20_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2276
- C:\Users\Admin\AppData\Local\Temp\fa8e8454f8286a66bcfc42509838cb20_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fa8e8454f8286a66bcfc42509838cb20_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5655.D57

Filesize
597B

MD5
6c40397c1b44be17e5b120a48bea8a8c

SHA1
b628dc1ce708a4fa0fd942a9b2dcc16c99b7d728

SHA256
605b1bc93e6edfa8455ebcb9d87eeafc8b49509e0c52561bed722d112f3eda57

SHA512
938961615edf296e82959e461936b65b97fcb0f597cbc96f1c24359755f5514313488bb1c1380486c7c34018f18be780917e22053e403b91509505496d89caf7

Download Submit
C:\Users\Admin\AppData\Roaming\5655.D57

Filesize
1KB

MD5
4ea16dd716e7a91cdec3296f11bab7f2

SHA1
8736b0b579b969d5b6f67fbee1df7dc4c2b69667

SHA256
30883c263803f0c5af292e661fd6a9e32e476fbcc24f4c371d7dc2e72326d8c8

SHA512
8fc5dce27b5505c6574cb20483690b3331d72f3dae5e856a56a6f16bcc557d44eeb1360798ef7cbedc3c4eaaa32e1d77cab52a1b55772fd0a852d4641b286b67

Download Submit
C:\Users\Admin\AppData\Roaming\5655.D57

Filesize
897B

MD5
1e2fecc7b5962ed625613c217918cdc7

SHA1
6a3db66cfdd757a6dd1fcbffdd550753e57d1db8

SHA256
3d636b7a7cc59b8a8babc146f0566b58eab1bec29ee73c4aee02c66c04796b4c

SHA512
d262dafb371aaf335bbe02867a9a9416691ec8fd02bf0697e616aa5ef6b3274801ad401c1c90a4e2c0b35ca675df4f149fd42c0de7e4a27cd437378bcd8e7000

Download Submit
C:\Users\Admin\AppData\Roaming\5655.D57

Filesize
1KB

MD5
2e58b18a38f9573b9dcb7def8cc287ae

SHA1
2965315cfbcc67959a32adfed0bd55056ed7882f

SHA256
19a62001ee1ce27f9cf4d304cc84796fd593f7890647bb5f507ddc02eb06d925

SHA512
922102c213b6ee4983f5061a898d85cf610144de299af6725b6df1fd32f77d6ae4114702bb798465320c4fe67202b0dbc3a1ef165384b8c20a0c53ae713064fc

Download Submit
memory/864-92-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2160-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2160-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2160-19-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2160-201-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2276-17-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2276-18-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing