pandastealer | 7a97516b3a8eff94b12dbaa5538373921f076b13ac3865d3299749a701510db6

General

Target

ffc21cddf522b1800d41b4a41da2c24e_JaffaCakes118.exe
Size

3.4MB
MD5

ffc21cddf522b1800d41b4a41da2c24e
SHA1

bdcbe7b199cb8531b2262c37d3e535ffc5aa72e7
SHA256

7a97516b3a8eff94b12dbaa5538373921f076b13ac3865d3299749a701510db6
SHA512

9479f902ee5a70bc76a44e418a9a012024ba88dcc8f7b02acdb414f61516bfe0e5c41c2f52f591b8d201612b26021d853a68261eeb6c072dcb969d270e7b5079
SSDEEP

98304:oTLr/vwnSlGuICx42P2ivKIrZzOMIobLCWe0M+v/1:o3rGcGskinrZ9CQX

Score

10^/10

Malware Config

Signatures

Panda Stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015fba-16.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer

Executes dropped EXE 1 IoCs

pid	Process
2364	setup.exe

Loads dropped DLL 3 IoCs

pid	Process
2388	ffc21cddf522b1800d41b4a41da2c24e_JaffaCakes118.exe
2388	ffc21cddf522b1800d41b4a41da2c24e_JaffaCakes118.exe
2388	ffc21cddf522b1800d41b4a41da2c24e_JaffaCakes118.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2184	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffc21cddf522b1800d41b4a41da2c24e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2184	msiexec.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2184	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2184	msiexec.exe
Token: SeRestorePrivilege	2924	msiexec.exe
Token: SeTakeOwnershipPrivilege	2924	msiexec.exe
Token: SeSecurityPrivilege	2924	msiexec.exe
Token: SeCreateTokenPrivilege	2184	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2184	msiexec.exe
Token: SeLockMemoryPrivilege	2184	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2184	msiexec.exe
Token: SeMachineAccountPrivilege	2184	msiexec.exe
Token: SeTcbPrivilege	2184	msiexec.exe
Token: SeSecurityPrivilege	2184	msiexec.exe
Token: SeTakeOwnershipPrivilege	2184	msiexec.exe
Token: SeLoadDriverPrivilege	2184	msiexec.exe
Token: SeSystemProfilePrivilege	2184	msiexec.exe
Token: SeSystemtimePrivilege	2184	msiexec.exe
Token: SeProfSingleProcessPrivilege	2184	msiexec.exe
Token: SeIncBasePriorityPrivilege	2184	msiexec.exe
Token: SeCreatePagefilePrivilege	2184	msiexec.exe
Token: SeCreatePermanentPrivilege	2184	msiexec.exe
Token: SeBackupPrivilege	2184	msiexec.exe
Token: SeRestorePrivilege	2184	msiexec.exe
Token: SeShutdownPrivilege	2184	msiexec.exe
Token: SeDebugPrivilege	2184	msiexec.exe
Token: SeAuditPrivilege	2184	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2184	msiexec.exe
Token: SeChangeNotifyPrivilege	2184	msiexec.exe
Token: SeRemoteShutdownPrivilege	2184	msiexec.exe
Token: SeUndockPrivilege	2184	msiexec.exe
Token: SeSyncAgentPrivilege	2184	msiexec.exe
Token: SeEnableDelegationPrivilege	2184	msiexec.exe
Token: SeManageVolumePrivilege	2184	msiexec.exe
Token: SeImpersonatePrivilege	2184	msiexec.exe
Token: SeCreateGlobalPrivilege	2184	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2184	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2364	2388	ffc21cddf522b1800d41b4a41da2c24e_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2364	2388	ffc21cddf522b1800d41b4a41da2c24e_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2364	2388	ffc21cddf522b1800d41b4a41da2c24e_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2364	2388	ffc21cddf522b1800d41b4a41da2c24e_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2364	2388	ffc21cddf522b1800d41b4a41da2c24e_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2364	2388	ffc21cddf522b1800d41b4a41da2c24e_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2364	2388	ffc21cddf522b1800d41b4a41da2c24e_JaffaCakes118.exe	30
PID 2364 wrote to memory of 2184	2364	setup.exe	31
PID 2364 wrote to memory of 2184	2364	setup.exe	31
PID 2364 wrote to memory of 2184	2364	setup.exe	31
PID 2364 wrote to memory of 2184	2364	setup.exe	31
PID 2364 wrote to memory of 2184	2364	setup.exe	31
PID 2364 wrote to memory of 2184	2364	setup.exe	31
PID 2364 wrote to memory of 2184	2364	setup.exe	31

C:\Users\Admin\AppData\Local\Temp\ffc21cddf522b1800d41b4a41da2c24e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ffc21cddf522b1800d41b4a41da2c24e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\7zSAE68.tmp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zSAE68.tmp\setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\msiexec.exe
    "msiexec" /i "C:\Program Files (x86)\Downloaded Installers\{48635C47-1EC6-4098-84D0-6BFA7D0FA2F5}\setup.msi"
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2184

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSAE68.tmp\setup.msi

Filesize
37.9MB

MD5
828a74f2ccb3696812c6611e4cc7dc72

SHA1
a1bab8481bde5d3cdd7d9e0f79f60b6117e2cd39

SHA256
5547b0adb8ecded3f22caf89e20aecc5672fc99312e98f360857613388eb9c67

SHA512
a13297141dcb0b08f218aa39ba9759177b46c99038f4894fa3e73abd9fd6583d135656accf43a2e5beb69325d4e363e05f5e7bb7e74d5c70c4d63a77a8ea44c0

Download Submit
\Users\Admin\AppData\Local\Temp\7zSAE68.tmp\setup.exe

Filesize
73KB

MD5
2a50c768bac9bdf52a17e76a460f773f

SHA1
16cb647bb958accc08f234d9ee863129e3523ff2

SHA256
96482c24aaafb06bfa1088c1229ab63f894b85bef6e59ebcf3f58ac09adcc4db

SHA512
94e9cb872ba9c8f9d1560d82edeab049f4201a0604fbd19f007b63878f9e34e3d5225fb1a6eeee01e1c1b613ea152cf5efcfd24528b917c08296093d2c6e6b17

Download Submit

Analysis

Sharing