laplas | 5a428ad80b5e9a5204b238dca8617696d2d4efbdc07366d5c897405b24782689

Analysis

max time kernel
126s
max time network
175s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5a428ad80b5e9a5204b238dca8617696d2d4efbdc07366d5c897405b24782689.exe
Size

688.3MB
MD5

c074776efe5f5e01133668620cd4bd4a
SHA1

8bba29b1e9967e1462678d3b9c1b0dd9e4ff5769
SHA256

5a428ad80b5e9a5204b238dca8617696d2d4efbdc07366d5c897405b24782689
SHA512

2c53101f3351c52ee503f58793ae09f77459f34316c66767d88fe156f677eeb0fd82e1410ef4b9a9f4e974b1240d21ada4810619b232a44bc15bb0095b85c454
SSDEEP

12582912:1BfUe4f+Di3T5/E/sqc6P2dEPXXopPsGv7jVyntuJ6Hp0pOE:16e4TNE/sHEfXouS7jYtHLE

Score

10^/10

laplas clipper discovery stealer vmprotect

Malware Config

Extracted

Family

laplas

45.159.189.105

Attributes

api_key
7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Laplas family
laplas

Executes dropped EXE 1 IoCs

pid	Process
1744	dFpyYTIgnO.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2596-1-0x00000000010D0000-0x0000000001AE7000-memory.dmp	vmprotect
behavioral1/memory/1744-8-0x0000000001220000-0x0000000001C37000-memory.dmp	vmprotect

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5a428ad80b5e9a5204b238dca8617696d2d4efbdc07366d5c897405b24782689.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dFpyYTIgnO.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2852	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 640	2596	JaffaCakes118_5a428ad80b5e9a5204b238dca8617696d2d4efbdc07366d5c897405b24782689.exe	29
PID 2596 wrote to memory of 640	2596	JaffaCakes118_5a428ad80b5e9a5204b238dca8617696d2d4efbdc07366d5c897405b24782689.exe	29
PID 2596 wrote to memory of 640	2596	JaffaCakes118_5a428ad80b5e9a5204b238dca8617696d2d4efbdc07366d5c897405b24782689.exe	29
PID 2596 wrote to memory of 640	2596	JaffaCakes118_5a428ad80b5e9a5204b238dca8617696d2d4efbdc07366d5c897405b24782689.exe	29
PID 640 wrote to memory of 2852	640	cmd.exe	31
PID 640 wrote to memory of 2852	640	cmd.exe	31
PID 640 wrote to memory of 2852	640	cmd.exe	31
PID 640 wrote to memory of 2852	640	cmd.exe	31
PID 2604 wrote to memory of 1744	2604	taskeng.exe	33
PID 2604 wrote to memory of 1744	2604	taskeng.exe	33
PID 2604 wrote to memory of 1744	2604	taskeng.exe	33
PID 2604 wrote to memory of 1744	2604	taskeng.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5a428ad80b5e9a5204b238dca8617696d2d4efbdc07366d5c897405b24782689.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5a428ad80b5e9a5204b238dca8617696d2d4efbdc07366d5c897405b24782689.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C schtasks /create /tn tasibxGgUe /tr C:\Users\Admin\AppData\Roaming\tasibxGgUe\dFpyYTIgnO.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn tasibxGgUe /tr C:\Users\Admin\AppData\Roaming\tasibxGgUe\dFpyYTIgnO.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2852

C:\Windows\system32\taskeng.exe
taskeng.exe {23EECD5F-7718-438B-ACBB-3855D0CE4109} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Roaming\tasibxGgUe\dFpyYTIgnO.exe
  C:\Users\Admin\AppData\Roaming\tasibxGgUe\dFpyYTIgnO.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1744-8-0x0000000001220000-0x0000000001C37000-memory.dmp

Filesize
10.1MB

Download
memory/2596-1-0x00000000010D0000-0x0000000001AE7000-memory.dmp

Filesize
10.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads