pandastealer | 8e23c0b1b1617d8438f11ef20a94d0b24216e1abedb4d0d6757281d0a34e9df5

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d6ad64734986199bbf6d312318bd21cb.exe
Size

2.6MB
MD5

d6ad64734986199bbf6d312318bd21cb
SHA1

c9776e8c79d1cc7bc1c39856213f6fb9d42be4c6
SHA256

8e23c0b1b1617d8438f11ef20a94d0b24216e1abedb4d0d6757281d0a34e9df5
SHA512

b64b58719da36c0c62ba7951a291c3e49bdfef4939db4f1f275e6ae18d6c2512d97944aec6ac62c02c13a5bb6544c3a552d401f97fdc4dda5b828bf3a006033d
SSDEEP

49152:95+hFmN/iiWqwFcIWqR2/QMlCJEV4SS+WENZTNalxiz8lVHTIioOFZQ+f:95aFmN/4qwFcL/5lqEGSSLEN/alxiqZD

Score

10^/10

pandastealer discovery spyware stealer

Malware Config

Extracted

Family

pandastealer

Version

1.11

http://f0551292.xsph.ru

Signatures

Panda Stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019261-61.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Pandastealer family
pandastealer

Executes dropped EXE 7 IoCs

pid	Process
536	7z.exe
2588	7z.exe
2356	7z.exe
604	7z.exe
588	7z.exe
2944	7z.exe
2360	build.exe

Loads dropped DLL 12 IoCs

pid	Process
2600	cmd.exe
536	7z.exe
2600	cmd.exe
2588	7z.exe
2600	cmd.exe
2356	7z.exe
2600	cmd.exe
604	7z.exe
2600	cmd.exe
588	7z.exe
2600	cmd.exe
2944	7z.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d6ad64734986199bbf6d312318bd21cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2360	build.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2360	build.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeRestorePrivilege	536	7z.exe
Token: 35	536	7z.exe
Token: SeSecurityPrivilege	536	7z.exe
Token: SeSecurityPrivilege	536	7z.exe
Token: SeRestorePrivilege	2588	7z.exe
Token: 35	2588	7z.exe
Token: SeSecurityPrivilege	2588	7z.exe
Token: SeSecurityPrivilege	2588	7z.exe
Token: SeRestorePrivilege	2356	7z.exe
Token: 35	2356	7z.exe
Token: SeSecurityPrivilege	2356	7z.exe
Token: SeSecurityPrivilege	2356	7z.exe
Token: SeRestorePrivilege	604	7z.exe
Token: 35	604	7z.exe
Token: SeSecurityPrivilege	604	7z.exe
Token: SeSecurityPrivilege	604	7z.exe
Token: SeRestorePrivilege	588	7z.exe
Token: 35	588	7z.exe
Token: SeSecurityPrivilege	588	7z.exe
Token: SeSecurityPrivilege	588	7z.exe
Token: SeRestorePrivilege	2944	7z.exe
Token: 35	2944	7z.exe
Token: SeSecurityPrivilege	2944	7z.exe
Token: SeSecurityPrivilege	2944	7z.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2600	2876	JaffaCakes118_d6ad64734986199bbf6d312318bd21cb.exe	30
PID 2876 wrote to memory of 2600	2876	JaffaCakes118_d6ad64734986199bbf6d312318bd21cb.exe	30
PID 2876 wrote to memory of 2600	2876	JaffaCakes118_d6ad64734986199bbf6d312318bd21cb.exe	30
PID 2876 wrote to memory of 2600	2876	JaffaCakes118_d6ad64734986199bbf6d312318bd21cb.exe	30
PID 2600 wrote to memory of 2796	2600	cmd.exe	32
PID 2600 wrote to memory of 2796	2600	cmd.exe	32
PID 2600 wrote to memory of 2796	2600	cmd.exe	32
PID 2600 wrote to memory of 536	2600	cmd.exe	33
PID 2600 wrote to memory of 536	2600	cmd.exe	33
PID 2600 wrote to memory of 536	2600	cmd.exe	33
PID 2600 wrote to memory of 2588	2600	cmd.exe	34
PID 2600 wrote to memory of 2588	2600	cmd.exe	34
PID 2600 wrote to memory of 2588	2600	cmd.exe	34
PID 2600 wrote to memory of 2356	2600	cmd.exe	35
PID 2600 wrote to memory of 2356	2600	cmd.exe	35
PID 2600 wrote to memory of 2356	2600	cmd.exe	35
PID 2600 wrote to memory of 604	2600	cmd.exe	36
PID 2600 wrote to memory of 604	2600	cmd.exe	36
PID 2600 wrote to memory of 604	2600	cmd.exe	36
PID 2600 wrote to memory of 588	2600	cmd.exe	37
PID 2600 wrote to memory of 588	2600	cmd.exe	37
PID 2600 wrote to memory of 588	2600	cmd.exe	37
PID 2600 wrote to memory of 2944	2600	cmd.exe	38
PID 2600 wrote to memory of 2944	2600	cmd.exe	38
PID 2600 wrote to memory of 2944	2600	cmd.exe	38
PID 2600 wrote to memory of 2524	2600	cmd.exe	39
PID 2600 wrote to memory of 2524	2600	cmd.exe	39
PID 2600 wrote to memory of 2524	2600	cmd.exe	39
PID 2600 wrote to memory of 2360	2600	cmd.exe	40
PID 2600 wrote to memory of 2360	2600	cmd.exe	40
PID 2600 wrote to memory of 2360	2600	cmd.exe	40
PID 2600 wrote to memory of 2360	2600	cmd.exe	40

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2524	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d6ad64734986199bbf6d312318bd21cb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d6ad64734986199bbf6d312318bd21cb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\svchost.cmd" /S"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:2796
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7z.exe
    7z.exe e file.zip -p___________4989pwd7163pwd24672___________ -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:536
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2356
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:604
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:588
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2944
- - C:\Windows\system32\attrib.exe
    attrib +H "build.exe"
    3⤵
    - Views/modifies file attributes
    PID:2524
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\build.exe
    "build.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\extracted\ANTISC~1.DAT

Filesize
2.0MB

MD5
bcab316486cda0775d0a76f5a782392d

SHA1
398bf40da616ae2c74de47000fcacadbf3a9d9cc

SHA256
175563dd45d266355008f8d76fdc9cbcf18ccc5e91938f3606177d0f5d85c0c3

SHA512
a6551fbc337d5921f5d780833d7d1465b1b3b1534249cae181137a5bb1c2af030a423091b061483fb83af17ff9d913ecc938802bd3c1aea03d109fcc1213db8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\extracted\build.exe

Filesize
681KB

MD5
96d1b0fa4c6aee94115fd9aabca9c314

SHA1
d9192841ca6b7734cbfbe7923689adc312c60f69

SHA256
cc60398f44ce27c6fa5371a59aca096fc7c75981a8537b6fd70e02f98a0f3319

SHA512
c37e3fde7da30405333c4062ee40ed4ad9a65262b4b7dc9f80bbde14d331237397616e6348cb64473ef02d3dcee93832a5364d12a8281a622adc1e8d2164846c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\extracted\file_1.zip

Filesize
364KB

MD5
5ffd000c555b4f40f733d26886fd7760

SHA1
f403b67c95614eac05418a7e381d503b106a9d35

SHA256
42102c1cabfc394ef4620bf7b77d35e30581570090bd8bfb3504a610e6705fae

SHA512
befbe7112df4067a4cd43a1c16d51859c62793442a2045e65b49b0b2359655349c7e5fe32f3c228dd4c06f400edacbcab6a5a5d26bc3962d089d4467d046a908

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\extracted\file_2.zip

Filesize
364KB

MD5
49ba66e357e18353a3a4cc8a44b5db6a

SHA1
1bd6097d576b863188be3bc146b152e4d73a2915

SHA256
54d571d6568e37ef4c0e0763c54f2dd835780b2fe16b9621a99f79c2eeb486bc

SHA512
df7dadc90cfbdeb3c8a207dca4b2ae64b7a9ef690876a5edcd521895c564c5f99025a8530f91bcb6a45c11d9b07689a7112ae756ac702793f8eda15e57b1abc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\extracted\file_3.zip

Filesize
364KB

MD5
537534f16abe4851c22697923b29e8bb

SHA1
28b074558572f522359995f98d3f246860dddeec

SHA256
b418a4f470fb5c882aa2b0efd4aa09c21d2f4058ad27ed68875fb0aa2c7c2b5f

SHA512
fd25d3bd60b9547408c46fd579f2f35fef3f019c17d1f05e43d3650529645ff3c13f1936fc3c353e4f03fdad1e74e81f992167c51edd4a5960436b46a0ef35fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\extracted\file_4.zip

Filesize
365KB

MD5
49de497fd8acc96048512c430c23c2c7

SHA1
018e1e63bcb983973222c38ef716674c4fd16d3f

SHA256
5dd337c84b190dd740cf4e2f0ef4f6d2f782b9c864e8f602defeba256b3b2197

SHA512
14430563f07c92509f163bd70235d01870f5d048fbfd3c57d12b366e14be37c46e8335e4b2aa491afa0df57fb2ce06683ede414423e95b7f74d16f22ae38b30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\extracted\file_5.zip

Filesize
1.8MB

MD5
039b09f6e70d6346a916a2ecb2a41d91

SHA1
0d521599f9f0fa30b83d328103353ff2caf24194

SHA256
3a284ae0be38faa0c524ad4692097c60dd1800fbe0553a303ee5a6fead15af53

SHA512
3df0c99cb8a8da0a8756810ca64f76b85ae826e65399a22ec630764e51205c8b9f616567a901823795c1f0997700e830018f733f2a52f6845831a2b1249c50bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\payload.data

Filesize
1.8MB

MD5
ac696573ab480f341c37897ec9400885

SHA1
4778e78b301c59ac57ea79f8cc7d138c1a77e3d0

SHA256
0dda8d2b2f2eb788aa58c4e79eccb6ebb8135c23e146b706c1d91964a47af3b9

SHA512
9f2db96a574968a34a57932e78f5a178a9e79f33b3027efdc1582c06bebc711b45d1ff3e274c43e6b20489bc50ff20f7c7752d5b3d23f289356443e3243a0784

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\svchost.cmd

Filesize
478B

MD5
c36c9e82ba11d5c0d7fd28c79edf3c1a

SHA1
e9d5d1528936e59d4ea2c26c5e4c05e959ebf538

SHA256
37112a667c9c050e123434c4a501e5ed445dd30917a8b5061703cfe8f1f51728

SHA512
dae6c1a4f0ccf2aa25d0611f8c419ae516e6544786d44cb2a3a02bfb3dacc9ec45e906fdd48c705cc96136491b9bebb074118d5558b08fa708ee329bb4534c8f

Download Submit