ca663e2ca1a559fc0e7ff70e556c0671261fe5fae121218dd7ec589f487ba689

General

Target

469630bf5fd02581a63566331aebabb7_JaffaCakes118.exe
Size

208KB
MD5

469630bf5fd02581a63566331aebabb7
SHA1

b0885a2cf85938c32817c3207e43cd43cdc5b002
SHA256

ca663e2ca1a559fc0e7ff70e556c0671261fe5fae121218dd7ec589f487ba689
SHA512

2a0a4faf02623144fef614fdb35a3fa1899ea7aa97511c765dc915da97b8774f48788fd4aab789d834c70a88b817a281e1006b1d8ab649435b628ed06667fa07
SSDEEP

6144:ZFxM8I2kTd8Gxmi2grvQbEiEY8yqQcMPeD:RMj2+8TwiE16E

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2204-2-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2112-5-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2112-6-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2204-15-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/1068-92-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/1068-93-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2204-196-0x0000000000400000-0x000000000044D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	469630bf5fd02581a63566331aebabb7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	469630bf5fd02581a63566331aebabb7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	469630bf5fd02581a63566331aebabb7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2112	2204	469630bf5fd02581a63566331aebabb7_JaffaCakes118.exe	30
PID 2204 wrote to memory of 2112	2204	469630bf5fd02581a63566331aebabb7_JaffaCakes118.exe	30
PID 2204 wrote to memory of 2112	2204	469630bf5fd02581a63566331aebabb7_JaffaCakes118.exe	30
PID 2204 wrote to memory of 2112	2204	469630bf5fd02581a63566331aebabb7_JaffaCakes118.exe	30
PID 2204 wrote to memory of 1068	2204	469630bf5fd02581a63566331aebabb7_JaffaCakes118.exe	32
PID 2204 wrote to memory of 1068	2204	469630bf5fd02581a63566331aebabb7_JaffaCakes118.exe	32
PID 2204 wrote to memory of 1068	2204	469630bf5fd02581a63566331aebabb7_JaffaCakes118.exe	32
PID 2204 wrote to memory of 1068	2204	469630bf5fd02581a63566331aebabb7_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\469630bf5fd02581a63566331aebabb7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\469630bf5fd02581a63566331aebabb7_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\469630bf5fd02581a63566331aebabb7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\469630bf5fd02581a63566331aebabb7_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2112
- C:\Users\Admin\AppData\Local\Temp\469630bf5fd02581a63566331aebabb7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\469630bf5fd02581a63566331aebabb7_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0A5A.096

Filesize
1KB

MD5
06e1c873a26d664a8fdffd4b2d897c11

SHA1
d76ba5caef1d5b16afdd676094f03f6e74369353

SHA256
8a10df7ed3739ea47dd1e7a2bad02967c11536b111796350ac18159f0f457a43

SHA512
a936ca682c85ad7f12d2f83e91fca72e9575d067a611583a6175f6c4455054c98c38fb4a8a9c30fdfbeefb2d31c5d3a5980034b19d318ad25854179c7e8cedca

Download Submit
C:\Users\Admin\AppData\Roaming\0A5A.096

Filesize
1KB

MD5
39227b46a6ba0f238590e05c42ab0701

SHA1
ba5ffa6c030e63f634e9624ad9e7543b9ed36359

SHA256
65f5f173a6404bfdb202a9821302811341401ff5a7badafd1817e986817eb369

SHA512
67f00e78b1b59c154dd79dc3d7b68730759835c9fd054f21f8b74ed164da775c8ea8187b2e8113c01d04d3a555a70c7d4972ad8ac04f794551e7bd2218182318

Download Submit
C:\Users\Admin\AppData\Roaming\0A5A.096

Filesize
600B

MD5
e8c0b3d74c2f4a6ccb61e1daac2bdcfc

SHA1
a91ff7f4df2d0bab67de640d6b3c520177716d28

SHA256
1d051600c50896a3614baa11559646a7a9a24d70d9bf5799e8a2e362742eda5a

SHA512
8289fee4c92e1557ca527742e404a7ba30aaa654abea3298d90563fa3a2fa8be496247147e267ce950f36c70b2ae2e9dad69274e30b5a622692682f3e03815a5

Download Submit
C:\Users\Admin\AppData\Roaming\0A5A.096

Filesize
1KB

MD5
e8e6fc414e8e62e4429a1890cecf923f

SHA1
06e47e6d90d986febb88580eed001592a0fc29f4

SHA256
02b1ed50ec177b67dc477c3da6f91da27ddbc258c969849a4b396c0b11018aad

SHA512
a16ae4b7a4c96ca4894c7636cf66b754ec330a4392ae66c131604899f8854dab2c551493a95a7a525e388254d0e342c20bd1665a1e9c2c1f2ada99add88a0dcf

Download Submit
memory/1068-92-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1068-93-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2112-5-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2112-6-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2204-1-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2204-2-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2204-15-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2204-196-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing