e6ff2232a84f551491ca4342b49a8cd260fa5615b26e4d54d0a5f7386adab162

General

Target

07159846b125cc2ed630965f08131b39_JaffaCakes118.exe
Size

181KB
MD5

07159846b125cc2ed630965f08131b39
SHA1

58f9daefda4768c33c04a5dfbf92abd877c05d31
SHA256

e6ff2232a84f551491ca4342b49a8cd260fa5615b26e4d54d0a5f7386adab162
SHA512

08acd83de2f18bd1a4ced8d46327f994ce743ea85cd05b68d68e25e3ef6dcd78e2e687626b7e55db1b4385d6614c056074ad4939eaaa46009b11ed42c4979a9e
SSDEEP

3072:oFU88rTSCEEkBmwOVYrPBlGRg9t7TbQxkfOGdI/SAuU:oF/8sx+6iRgPDfR6SAuU

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2100-1-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/3024-9-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/3024-7-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2100-14-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2360-82-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2360-80-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2100-198-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07159846b125cc2ed630965f08131b39_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07159846b125cc2ed630965f08131b39_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07159846b125cc2ed630965f08131b39_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 3024	2100	07159846b125cc2ed630965f08131b39_JaffaCakes118.exe	30
PID 2100 wrote to memory of 3024	2100	07159846b125cc2ed630965f08131b39_JaffaCakes118.exe	30
PID 2100 wrote to memory of 3024	2100	07159846b125cc2ed630965f08131b39_JaffaCakes118.exe	30
PID 2100 wrote to memory of 3024	2100	07159846b125cc2ed630965f08131b39_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2360	2100	07159846b125cc2ed630965f08131b39_JaffaCakes118.exe	33
PID 2100 wrote to memory of 2360	2100	07159846b125cc2ed630965f08131b39_JaffaCakes118.exe	33
PID 2100 wrote to memory of 2360	2100	07159846b125cc2ed630965f08131b39_JaffaCakes118.exe	33
PID 2100 wrote to memory of 2360	2100	07159846b125cc2ed630965f08131b39_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\07159846b125cc2ed630965f08131b39_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07159846b125cc2ed630965f08131b39_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\07159846b125cc2ed630965f08131b39_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\07159846b125cc2ed630965f08131b39_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3024
- C:\Users\Admin\AppData\Local\Temp\07159846b125cc2ed630965f08131b39_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\07159846b125cc2ed630965f08131b39_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C7F7.796

Filesize
600B

MD5
65242bbe92ccea49f3b2297aec43265d

SHA1
84511ac129c385a900c82fee7758b21a83eecf4f

SHA256
5df4f440cee8c3e105112d45170810ff4ea63326935509c324c72b2bab0a789f

SHA512
0cb066c1dc6a3e9fd77eb4d21a6a7382e84cb3219688786d7557d5954ccba08e0e7f9c37f4c78471aa825e161ed77a0a278462a287eea63043b0f36523603bd1

Download Submit
C:\Users\Admin\AppData\Roaming\C7F7.796

Filesize
1KB

MD5
11004ddc68d3389f7cbc8a8f0b5c0add

SHA1
8fee645812154c3f2a1ce5c32e59b3eba57441d7

SHA256
2968b338d83c5abb01e777db2c95ac9f55a0b2b40558132b24e259f2b4471be0

SHA512
be6b45aa405f28465f9564983658e3ac238031962db870db78f85d8acaa9bdbdfbacdf5b2e64a9ed2654acc1ada8957d48cd9850557d9053c2d05f5f0149b91e

Download Submit
C:\Users\Admin\AppData\Roaming\C7F7.796

Filesize
996B

MD5
f90d7e91da413654216e88a311881553

SHA1
8e4756365da6639c0b7a3ba24efc950c68605657

SHA256
bb772d162759bb65b0f5bf75db090365229ba0a373e893d78a9e2ee3b4e3e460

SHA512
996b34986a460d76ba3bb893e7d4b17f8e5b71d9775754605a2f30414e9526c79d69404a1f54925cb36d49332cedb837e722e1141b9513cce2d40f2c1e9419b9

Download Submit
memory/2100-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2100-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2100-198-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2360-79-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2360-82-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2360-80-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3024-9-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3024-7-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing