a062eda79e58ba1908f063c7916514cc7bc54d1fe232d54830393fdfe2c8ab14

Analysis

max time kernel
140s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

434065b3843230d2435d9097b5fb0e1d_JaffaCakes118.exe
Size

379KB
MD5

434065b3843230d2435d9097b5fb0e1d
SHA1

6de32d193ed5f77b4f5059d3d10f867b361ac7be
SHA256

a062eda79e58ba1908f063c7916514cc7bc54d1fe232d54830393fdfe2c8ab14
SHA512

277e8219373406ebf1403e5e010f679c0a8065077b764eb56cb1a608280e94ab32180896b87163e5a9237c947b0c290261296d4fdd57c4052938d33f6f4d4045
SSDEEP

6144:U+qn/00gA1pJzXsWuTHgU9xGJRKeOGDykNwS1F8kqslg92YAoS0LE8:is03z8tgkGJRxpw4osO2JoS0LE8

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5052-0-0x0000000000E90000-0x0000000000FCB000-memory.dmp	upx
behavioral2/memory/5052-5-0x0000000000E90000-0x0000000000FCB000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-7.dat	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	434065b3843230d2435d9097b5fb0e1d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 1912	5052	434065b3843230d2435d9097b5fb0e1d_JaffaCakes118.exe	93
PID 5052 wrote to memory of 1912	5052	434065b3843230d2435d9097b5fb0e1d_JaffaCakes118.exe	93
PID 5052 wrote to memory of 1912	5052	434065b3843230d2435d9097b5fb0e1d_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\434065b3843230d2435d9097b5fb0e1d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\434065b3843230d2435d9097b5fb0e1d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\62.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\62.bat

Filesize
174B

MD5
d9484d314d5d6834ab08413e1f43ae83

SHA1
87eb82a9d762d128301e0beeeb349767988c2277

SHA256
768108e6e702bf298774675913c0df20e25117d6135b79264ba7cbb63285dc1a

SHA512
07720ff60ee628fa12aba432384c7344dc02a3c4faa218832902ecda832a97efd07e4dcb17b284be945ab493dfc6c793ac0e7303f8c5e29f974ec28711e49761

Download Submit
C:\Users\Admin\AppData\Local\Temp\63485.exe

Filesize
379KB

MD5
434065b3843230d2435d9097b5fb0e1d

SHA1
6de32d193ed5f77b4f5059d3d10f867b361ac7be

SHA256
a062eda79e58ba1908f063c7916514cc7bc54d1fe232d54830393fdfe2c8ab14

SHA512
277e8219373406ebf1403e5e010f679c0a8065077b764eb56cb1a608280e94ab32180896b87163e5a9237c947b0c290261296d4fdd57c4052938d33f6f4d4045

Download Submit
memory/5052-0-0x0000000000E90000-0x0000000000FCB000-memory.dmp

Filesize
1.2MB

Download
memory/5052-5-0x0000000000E90000-0x0000000000FCB000-memory.dmp

Filesize
1.2MB

Download