pandastealer | 12ea95d36207191230b40421226f81333db636fc04e46b3459b914bb616e9550

Analysis

max time kernel
1s
max time network
0s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
27/03/2025, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
Size

1.8MB
MD5

8a1a868a140dc10c47ceb377b764c9de
SHA1

467a1d1875b1e65140010687304c40c15a89b73a
SHA256

12ea95d36207191230b40421226f81333db636fc04e46b3459b914bb616e9550
SHA512

83995bd4dd5b13206b1af7b5402a3f5e5a115a47a426b63a2b151a10c54ce7fcf98aa701ef6d49f8de0fc20fd9414a22bdf56a90e0934e47e748c259a92b457b
SSDEEP

49152:0hzRz4om5ylz+PysnyKg+ol4MQSvuhTByHdcuvkQ1:YlzH0yxktyTWgoTBacuvkQ1

Score

10^/10

pandastealer aspackv2 discovery stealer

Malware Config

Signatures

Panda Stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000014bef-39.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Pandastealer family
pandastealer

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00070000000152aa-25.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2800	cxfplay.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\RichEditHandler.dll	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File opened for modification	C:\Windows\RichEditHandler.dll	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File opened for modification	C:\Windows\rvcomlib.dll	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File opened for modification	C:\Windows\rvnw.dll	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File created	C:\Windows\cc.dat	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File opened for modification	C:\Windows\cc.dat	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_259411207	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File created	C:\Windows\RAViewerModule.dll	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File created	C:\Windows\rvcomlib.dll	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File created	C:\Windows\rvnw.dll	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File opened for modification	C:\Windows\RAViewerModule.dll	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File created	C:\Windows\rvcore.dll	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File opened for modification	C:\Windows\rvcore.dll	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File created	C:\Windows\yyxf_play.dll	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File opened for modification	C:\Windows\yyxf_play.dll	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File created	C:\Windows\cxfplay.exe	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File opened for modification	C:\Windows\cxfplay.exe	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cxfplay.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	cxfplay.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2800	cxfplay.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2800	2076	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe	28
PID 2076 wrote to memory of 2800	2076	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe	28
PID 2076 wrote to memory of 2800	2076	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe	28
PID 2076 wrote to memory of 2800	2076	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe	28
PID 2076 wrote to memory of 2800	2076	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe	28
PID 2076 wrote to memory of 2800	2076	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe	28
PID 2076 wrote to memory of 2800	2076	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe	28

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076
- C:\windows\cxfplay.exe
  "C:\windows\cxfplay.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2800
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\cxfplay.exe

Filesize
1.4MB

MD5
1094990dfd12238269e78bda2d3c2ae3

SHA1
11f2df2161a0a3203a626d35ab8fbb2e179642c5

SHA256
4acb7bea58429e8a545ccf15bf7033fc472566f49c139a068fb0daba0206151b

SHA512
bd3e2fb294fea015ae28bd78f261d291d3452c7291aea14136714a7a3c28fbbc2d26852a4f7f91068df7b2d9fd0cbd585d36c7faebb56767a90feda19910c367

Download Submit
C:\windows\RAViewerModule.dll

Filesize
365KB

MD5
92acb83043ccffe56719ecbdbb092a66

SHA1
83623fc16ded4f0f78159cf76d8757739953d352

SHA256
ef27f7e567581d3e047c7f8350737eb2ab48508d4ebd8de17973cbeb2b2b0b50

SHA512
ba72407323436f674a9f63db7d508b96e64647afbee16b92327bbeac6846ba980b7cbcfd125134f30527bb8dc27610852e00d725f905580c8de8979c84d51323

Download Submit
C:\windows\RichEditHandler.dll

Filesize
81KB

MD5
7e6ddd4b25edc57b7f881e02c244714e

SHA1
ae5ebc627985d67873a55e801b12019ae42233c9

SHA256
58561ddc27c9a071ddc8a49e121face7b337f1a954afa3a92baeafed0d6d06cc

SHA512
00aeb20752268099011a8f1c3ce873b3f3f20b64ade8d19ef22a0877f7b6e469885fecb2e54b14ab6c521c9ec232960dbb5ddf219b9f5e9c006a51965897251c

Download Submit
C:\windows\cc.dat

Filesize
860KB

MD5
5a0f0482e44006b1f38edbde2ef6e11e

SHA1
9ba443ce3e71e0e63e198460514e32ee29ee5ed1

SHA256
6d63c0be51502d584018366d55967a28b08257faaeb610924231b28e026b89a0

SHA512
6dab61877ce90be2c86c495dbcb9f5a96c88a936dda1ec0db8618d258b02a45232d61c2412ca12040bc0f8a92bbd3ecaf4c0c1f901998cc9af5d4c9f2e6bd83a

Download Submit
C:\windows\cxfplay.exe

Filesize
139KB

MD5
578dc1cc55df7c43fc2b66fddf69021e

SHA1
066258c853a2df82b65ffdb2aa38e40b36b9d4a2

SHA256
b1a6f2ee8d7f4fcadce35e1ffd0f97c9f5bf5aa471e29c3bf077df2848738c6d

SHA512
69cdec6a305c0bbd5fc0e53113f68f5067e4cb1e49353d2f435ebd655aace8331b49a65aa1dfdc2a17fbaca288864d8bf7f73deb74d7a530f1038db78ff7096b

Download Submit
C:\windows\rvcomlib.dll

Filesize
425KB

MD5
c52b22e50c23987bb3a1881ea29e352d

SHA1
8f38b3dfe06e9a2dbd9d209eb4114eaa334e4e36

SHA256
504c919e9806d4739e9985ca66ce8233027d0637adb4864e403a4f6aa930b174

SHA512
a44bc014549d44af59c13e7ea9c4f3a4126cb18d99a13619ca24c694b0d06678970d972526f84eed8ce4d76d0f2f9d710a4a65213589c4ac4e48e20986229c1b

Download Submit
C:\windows\rvcore.dll

Filesize
256KB

MD5
c43ee5a72e44b4bf97d4a1de2e6ffc63

SHA1
20ad68a2118a8816d44c1578780db5d2fcbb7aca

SHA256
4b6462504d263931594fb62167f73dea38176747cbe5cb4847f070b9aa9065bd

SHA512
e7d0e976e12c3e16659f133a0fa96b1a2732461194d61ae25932bb0420fa0ad29a9e859871349046f6c8d896f6055f72fec5ab166ac6c39cfa87a4d10bc69c8b

Download Submit
C:\windows\rvnw.dll

Filesize
397KB

MD5
b2f30d7414dc32fec99599f005aef947

SHA1
27fe258b373b1b9f1b1c103b6e2f1a9e0a8b56e1

SHA256
b94fe242c8ee5e7f740d35a86e56a2a9782ccd7721c9486630c8301eb408dc0e

SHA512
9cd8956f6c73a9537ecb623d3b02658be3741970263e72b7abb20be4b5f1a135dec3559442364279e9936ecf64aaa5d7eaa83cd88ae0fd126c41100197f9b877

Download Submit
C:\windows\yyxf_play.dll

Filesize
352KB

MD5
7512d9837e5cebe31a47f1a400ac90ff

SHA1
e9d35167edb2fcac5f1cb3d4edafdd3f590e1e71

SHA256
2ef3024ea05d61d9353aad9b4496fd88ebf6e1df0765b650c45342ad0b58b5db

SHA512
cf1fd937d36b38a3c53585d524341d78ebea3f8e5731f1c33acb7531efae7b5ac35f6a373c604ad0ad04bb8f9411b8e78a08815bbd571ce24493a5bd39c51382

Download Submit
memory/2800-27-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2800-29-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2800-28-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2800-31-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2800-30-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2800-26-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download