socelars | e14f4ccdd8da390ab4170e041b4654e51b229b6d925b6366596ec3fc1365d860

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-10-2024 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Size

1.4MB
MD5

453b1f8024eb2cae23617bf7b1721a7c
SHA1

5fb3e994d80f67e9ccbf1548a1d989872de6b7b3
SHA256

e14f4ccdd8da390ab4170e041b4654e51b229b6d925b6366596ec3fc1365d860
SHA512

360ba38afffd21bc263f87c3e5a660cbf041c00087431767e75707be091739ed5b49eca252b63161b2a2f04a37ead7fac5a4258c7939750e2a9ce6b04b1c0420
SSDEEP

24576:TIVFA1pqtg/TnMbX0lwyh0FVmEByA1swFYyOsdwsuQOSIt21QbYfS0IP:CFA1pvTMbOwa0TmUqMYEOFQOSIsQbY6J

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
8	iplogger.org
7	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.execmd.exetaskkill.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
2504	taskkill.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exetaskkill.exe

description	pid	Process
Token: SeCreateTokenPrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeTcbPrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeSecurityPrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeBackupPrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeRestorePrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeShutdownPrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeDebugPrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeAuditPrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeUndockPrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeSyncAgentPrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: 31	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: 32	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: 33	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: 34	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: 35	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
Token: SeDebugPrivilege	2504	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.execmd.exe

description	pid	Process	procid_target
PID 2812 wrote to memory of 2560	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe	31
PID 2812 wrote to memory of 2560	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe	31
PID 2812 wrote to memory of 2560	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe	31
PID 2812 wrote to memory of 2560	2812	453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe	31
PID 2560 wrote to memory of 2504	2560	cmd.exe	33
PID 2560 wrote to memory of 2504	2560	cmd.exe	33
PID 2560 wrote to memory of 2504	2560	cmd.exe	33
PID 2560 wrote to memory of 2504	2560	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\453b1f8024eb2cae23617bf7b1721a7c_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2504