b0ed78cf39369eeaa1ac921aa7614ade1e8af900dbbac04eaf3c90877766b7a3

General

Target

0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe
Size

189KB
MD5

0840f5617e9b027b65096e69203ae9ff
SHA1

7c720ae78d61d2f1d78c957fa07265b94617d4da
SHA256

b0ed78cf39369eeaa1ac921aa7614ade1e8af900dbbac04eaf3c90877766b7a3
SHA512

2c3ba7071245e7659ecf9af0360115c6803a6edcfd336df18203da74887e11df3579595e30d4172f67324e500b0eb4e7b3c29746432f9fb68ee75a10b440c070
SSDEEP

3072:aHjaWs4dFS8rUtmITlBb3tWTUrywket9xaymdRqS/otR2vujyOn/YcIo5:ro1rU5l/jkeXxmbeR4uF/NI

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2156-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2524-17-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2524-18-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2156-19-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2156-20-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2008-88-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2008-89-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2156-164-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2524	2156	0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2524	2156	0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2524	2156	0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2524	2156	0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2008	2156	0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe	33
PID 2156 wrote to memory of 2008	2156	0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe	33
PID 2156 wrote to memory of 2008	2156	0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe	33
PID 2156 wrote to memory of 2008	2156	0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe startC:\Program Files (x86)\LP\D3AE\4C0.exe%C:\Program Files (x86)\LP\D3AE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2524
- C:\Users\Admin\AppData\Local\Temp\0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\E2ACE\A7ED3.exe%C:\Users\Admin\AppData\Roaming\E2ACE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E2ACE\E89E.2AC

Filesize
1KB

MD5
a35b3067dda762503712b213f10be6cd

SHA1
08392e17ea93e8278e2fea746a901803b8f36b1d

SHA256
7fb245cf8d312124d2bfbe1764b631830573ed84eab7bfa1062aa60742515e11

SHA512
e6fe6e9cdae7ec8319c8b3229c14384f8dd5ef62f3c0f037ea61fddf064253b1d5ac3c16a72aa95ab3996a1fb5cfa20e224f3224e52caf9750b3e49d4b5b9c83

Download Submit
C:\Users\Admin\AppData\Roaming\E2ACE\E89E.2AC

Filesize
897B

MD5
f319ea90bf6de9ac9dfa37acb6864618

SHA1
bacf9aa93877879157e00bb632272ad03749fde9

SHA256
99c1733e16ac82fb7ffa2aec5014b2900333dafb01c360431402d760e3455f52

SHA512
f08489edf608d68ebb454718f49dc5534561ea45bab1c71e1bbf67d4e9d08e38638ddc71acc5e0616c4a76d1b5200c72e7482da794873abefc76f040bd939618

Download Submit
C:\Users\Admin\AppData\Roaming\E2ACE\E89E.2AC

Filesize
597B

MD5
c3eba31463c5acd81258725e62b1cced

SHA1
008f488db5da18d98e3ef6f0c8c15a653254f3ab

SHA256
442058abd491ad9f8c6abb0431e12dedaccc7e28e1d530c2ae56d0f153d943bd

SHA512
9ddc8f2a63424ea4dfbc11a97f8cda7a635b8f80e68a74bb70f1f2fe708836590420439678ed4978feae5392227ad010e55411b7571dda7234e7f6d896cd9349

Download Submit
C:\Users\Admin\AppData\Roaming\E2ACE\E89E.2AC

Filesize
1KB

MD5
8699887314af88aa05fd445222971d2a

SHA1
6ca1e7ebcc1bbb97a65b0c43f1bf6fc72dde8699

SHA256
64411908ed5e52d2c662a561a70d5b4018c7b2d0b146482da32ff4a68c46c2aa

SHA512
e00c3a7d040c83af9546c574935a205432be0e018af49f324b096d50ff20baaf82903f7ce305e4f783182fde1ee7b57890217f7a8ff597abbd33378c30e2853d

Download Submit
memory/2008-89-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2008-87-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2008-88-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2156-19-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2156-20-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2156-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2156-164-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2156-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2524-18-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2524-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2524-17-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing