pandastealer | 61e2c1dcd3566762891f7b6e950adf1fb35cc202803317569b3013d8b2462c3b

Analysis

max time kernel
96s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7fca2723541f168277d86e4d4dbaca86.exe
Size

629KB
MD5

7fca2723541f168277d86e4d4dbaca86
SHA1

087f33bbc7a33a97c8042a625f80a9237fd50933
SHA256

61e2c1dcd3566762891f7b6e950adf1fb35cc202803317569b3013d8b2462c3b
SHA512

a44a4f1ac2c3961f62d79ea2d9ec452e390a272b65ee2689137c735f28f9765e0c7128d1fca8c4a6414aec405848831e5e72929624cfa42d4062df3b67c635d1
SSDEEP

12288:aEkswmVz1UOr30CsPausH1zb4FQwWe3GbudJ:omVzSKsrsJb4Ww1

Score

10^/10

pandastealer discovery stealer

Malware Config

Signatures

Panda Stealer payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000e000000023b6b-7.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Pandastealer family
pandastealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7fca2723541f168277d86e4d4dbaca86.exe

Executes dropped EXE 2 IoCs

pid	Process
1868	netsv.exe
708	fixx_3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7fca2723541f168277d86e4d4dbaca86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fixx_3.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 1868	384	JaffaCakes118_7fca2723541f168277d86e4d4dbaca86.exe	82
PID 384 wrote to memory of 1868	384	JaffaCakes118_7fca2723541f168277d86e4d4dbaca86.exe	82
PID 384 wrote to memory of 1868	384	JaffaCakes118_7fca2723541f168277d86e4d4dbaca86.exe	82
PID 384 wrote to memory of 708	384	JaffaCakes118_7fca2723541f168277d86e4d4dbaca86.exe	83
PID 384 wrote to memory of 708	384	JaffaCakes118_7fca2723541f168277d86e4d4dbaca86.exe	83
PID 384 wrote to memory of 708	384	JaffaCakes118_7fca2723541f168277d86e4d4dbaca86.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7fca2723541f168277d86e4d4dbaca86.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7fca2723541f168277d86e4d4dbaca86.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:384
- C:\Users\Admin\AppData\Roaming\netsv.exe
  "C:\Users\Admin\AppData\Roaming\netsv.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1868
- C:\Users\Admin\AppData\Roaming\fixx_3.exe
  "C:\Users\Admin\AppData\Roaming\fixx_3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\fixx_3.exe

Filesize
18KB

MD5
903a4949afbe2e02e3156d630d80c8af

SHA1
31996605500820c72cac2041b1ecb3adc92def21

SHA256
d13abdf5ecce427b2655fe516af839ae176523374c8c58596e7e86a9e84c664d

SHA512
e5b5aab14a2fb219cdc8015f947a03c38884771d678569232fb502cbc27c83b0ec33072de7511329f0c891cee40482108fc6572c9b30e6dfb2d9a85181d7e2a0

Download Submit
C:\Users\Admin\AppData\Roaming\netsv.exe

Filesize
550KB

MD5
f969cda25471ff53b294eea8bc0c69e4

SHA1
81507b61d4993ce94ff53c462456e517ebad6680

SHA256
8229fe11e45d294e00c4e58540d103326594032b3a5cd0a56dd006b067f02a7e

SHA512
6e837b081e13a9b397d6bc4580dc8cecdc511f59f1924f56e847c800d06cd4ee47f0fc5a665968cf8782463f61ad89770af876c0922f9f3623e1f849a187d01b

Download Submit
memory/384-0-0x0000000075292000-0x0000000075293000-memory.dmp

Filesize
4KB

Download
memory/384-1-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/384-2-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/384-22-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/708-24-0x00000000007B0000-0x00000000007BA000-memory.dmp

Filesize
40KB

Download
memory/708-25-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/708-26-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download