76e2f74641517e32e67f570cefd881b18ece5d5dcce54200852b8e42e5d2c838

General

Target

2f7cb5b75c57003012d67acd4b4325a5_JaffaCakes118.exe
Size

159KB
MD5

2f7cb5b75c57003012d67acd4b4325a5
SHA1

38cfda9c64976e0e1f952cd1b31826c011682444
SHA256

76e2f74641517e32e67f570cefd881b18ece5d5dcce54200852b8e42e5d2c838
SHA512

8c8de442d4daf70ba730efdec50585b2fd4c19be56a5f6234829566a7f3911e852e4eef16a99617d1086abfdf1867133979c6a7de69f8661b2324044447d42a9
SSDEEP

3072:VbN0QyIB89HXM01K7XlvvR57hmpd6YPFZmQ4O1xyJEtIp+jP4ncE:BN0QfSRXPQX7hmpdNNssME6p0P4n

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2404-1-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1864-6-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1864-5-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2404-14-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2784-81-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2404-184-0x0000000000400000-0x0000000000468000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f7cb5b75c57003012d67acd4b4325a5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f7cb5b75c57003012d67acd4b4325a5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f7cb5b75c57003012d67acd4b4325a5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 1864	2404	2f7cb5b75c57003012d67acd4b4325a5_JaffaCakes118.exe	28
PID 2404 wrote to memory of 1864	2404	2f7cb5b75c57003012d67acd4b4325a5_JaffaCakes118.exe	28
PID 2404 wrote to memory of 1864	2404	2f7cb5b75c57003012d67acd4b4325a5_JaffaCakes118.exe	28
PID 2404 wrote to memory of 1864	2404	2f7cb5b75c57003012d67acd4b4325a5_JaffaCakes118.exe	28
PID 2404 wrote to memory of 2784	2404	2f7cb5b75c57003012d67acd4b4325a5_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2784	2404	2f7cb5b75c57003012d67acd4b4325a5_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2784	2404	2f7cb5b75c57003012d67acd4b4325a5_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2784	2404	2f7cb5b75c57003012d67acd4b4325a5_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\2f7cb5b75c57003012d67acd4b4325a5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f7cb5b75c57003012d67acd4b4325a5_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\2f7cb5b75c57003012d67acd4b4325a5_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2f7cb5b75c57003012d67acd4b4325a5_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1864
- C:\Users\Admin\AppData\Local\Temp\2f7cb5b75c57003012d67acd4b4325a5_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2f7cb5b75c57003012d67acd4b4325a5_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A3F1.03E

Filesize
1KB

MD5
84ca51c9091ff69c9eef4ee9bd94a37b

SHA1
b2bb1d987bc22b9a15a1de9867ace564149f2ec2

SHA256
8ce77c647fdc6f8cddfe1378102a3ac9a0fb895a79dcdf33e2bf5bc3d0943a7c

SHA512
cc66c4a0305782720d7bfd266b41c551892d8e5e12a752a2504b7b3d7c0b81425f74b4d934eb748936b09d6ac3df1ade03ca77b52f356793f46b719d5ed860b3

Download Submit
C:\Users\Admin\AppData\Roaming\A3F1.03E

Filesize
600B

MD5
2b2bccf29ae676b6237d55c9e2e8a4ea

SHA1
1027558b3e2c53009d70836ecf01d8168a223c61

SHA256
afdd6f8dd3f5cedf6ecf494c170e762d948984153fd3219e02f85353cda016fa

SHA512
c6665217482a863114f87bb2d5889c4a1993da036c7e7167379dc1c99a9cdee4157ae79d9bb785a1684d2c1ad395705f2f590ccd90e3240039fa576323c53f89

Download Submit
C:\Users\Admin\AppData\Roaming\A3F1.03E

Filesize
996B

MD5
4f91e7b36a791f7e3f73fe7164db7f7a

SHA1
516ebc811bb080926c6dc4aca46bb2a036112ac8

SHA256
5137b7d41ab403d52b7498fdaf6eb8d0f7fd9f112259dfc4dc3ac86f09e32424

SHA512
42fbd93697ecd1cdb7e6e32901ee26b9bec0e154b1db2df589acaff153db256788b6d6226624d5dc178cb9c697f040fc3ed8bfada07edad9ba4f55045166e542

Download Submit
memory/1864-6-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1864-5-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1864-4-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2404-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2404-14-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2404-184-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2784-81-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing