d2c98beb3871d9b2712f57658a83f02672b8f17073c16ba42f357fd3018fb356

General

Target

02e1ed70586b3b78ae3ea693cfb7cf81_JaffaCakes118.exe
Size

186KB
MD5

02e1ed70586b3b78ae3ea693cfb7cf81
SHA1

c6c616fa72bde5966221ed019229c8d940b5e775
SHA256

d2c98beb3871d9b2712f57658a83f02672b8f17073c16ba42f357fd3018fb356
SHA512

199e940831c17071beb3ddbf4a36a13d51a3843c07cd4ca5a0453c24a20b3bd61c47f33a9f07397757c3b9b820d83ac74d45c4e903a91bb3783ad059fd082fc6
SSDEEP

3072:vp2WaGMt0vyWerC9Bz6yEx3vqfdfHQGWkyC0IMBgqFgV4Mam221evY:v4KMUyCh6yW3ydfHQLkuIYFgV4sh1

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1756-2-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2800-5-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2800-7-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1756-10-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2328-74-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2328-75-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1756-159-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02e1ed70586b3b78ae3ea693cfb7cf81_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02e1ed70586b3b78ae3ea693cfb7cf81_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02e1ed70586b3b78ae3ea693cfb7cf81_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2800	1756	02e1ed70586b3b78ae3ea693cfb7cf81_JaffaCakes118.exe	29
PID 1756 wrote to memory of 2800	1756	02e1ed70586b3b78ae3ea693cfb7cf81_JaffaCakes118.exe	29
PID 1756 wrote to memory of 2800	1756	02e1ed70586b3b78ae3ea693cfb7cf81_JaffaCakes118.exe	29
PID 1756 wrote to memory of 2800	1756	02e1ed70586b3b78ae3ea693cfb7cf81_JaffaCakes118.exe	29
PID 1756 wrote to memory of 2328	1756	02e1ed70586b3b78ae3ea693cfb7cf81_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2328	1756	02e1ed70586b3b78ae3ea693cfb7cf81_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2328	1756	02e1ed70586b3b78ae3ea693cfb7cf81_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2328	1756	02e1ed70586b3b78ae3ea693cfb7cf81_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\02e1ed70586b3b78ae3ea693cfb7cf81_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02e1ed70586b3b78ae3ea693cfb7cf81_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Local\Temp\02e1ed70586b3b78ae3ea693cfb7cf81_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\02e1ed70586b3b78ae3ea693cfb7cf81_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2800
- C:\Users\Admin\AppData\Local\Temp\02e1ed70586b3b78ae3ea693cfb7cf81_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\02e1ed70586b3b78ae3ea693cfb7cf81_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\830C.03D

Filesize
1KB

MD5
dc3aa9bff1d4ecff59790bf5bf75f722

SHA1
a4ee6c8978dc9b902e0b6fae63c13c2cf31ab132

SHA256
78f0706388b78afed6f7cf7b2cf24e304258a61c977e8bb99cbdbd09f3bb06ab

SHA512
fe2f63859e15790be43494de716fa22934ad1954aa0d27cc35a581905b8f841d882037b792393da58463558de6e7c6da73289346c746ec5a1617424a45c70031

Download Submit
C:\Users\Admin\AppData\Roaming\830C.03D

Filesize
300B

MD5
28de31d63c65302807a8eeaebfdd1abf

SHA1
70b97fccd052f08703504ec9788822b5796972e8

SHA256
5a87bbb1ea5ad8165a2df08e4f2a2a2d8700c1abb3e35a52a7d1205ad82ec33c

SHA512
3e75a91e8610b3747e91260b7d7aab56df1205b9a0885302ed8c5e0d659e177ce255a03d8dfdb8935d44f332c5206e79a8878ecc0549a1a302178d861533f0a1

Download Submit
C:\Users\Admin\AppData\Roaming\830C.03D

Filesize
696B

MD5
fb2bf5497d5961aed999894b97b358a5

SHA1
c22fa46f1c1486871783f3d23167c04700244572

SHA256
b8febd49893e8fa00bceef5d8a295edad342926cc7593545b8b0e4ad05f0bdc9

SHA512
67829ba54244a348d978746234716abe2417981818454443a39f1a3698cc62e1ba32d6cc2fc209b8eea1c16c09f084406a68055b3435e2f1f9a163a044e9eb67

Download Submit
memory/1756-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1756-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1756-10-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1756-159-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2328-74-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2328-75-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2800-5-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2800-7-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing