socelars | 7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exe
Size

1.9MB
MD5

abf7e26171a76f84b7548c70e4211c7b
SHA1

ffd622d897d936d5abf2bde3ad9ffad669987ceb
SHA256

7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b
SHA512

0667bf7a70c2094fd5cb376de9a17a5dd66cfce32084276ea10011d80260a73f2ccf0ad3c0f8e35754fed09d9d3aaddd053cebad1581ae77db8c35c1cc3887e1
SSDEEP

49152:7cW4fJo1uk6WT2IT6kv/NOgEg9Yj9d+AGx5RsSwm:7X4xLk9T2G6E/Wd+lVsSwm

Score

10^/10

socelars discovery stealer upx

Malware Config

Extracted

Family

socelars

http://www.createinfo.pw/

http://www.allinfo.pw/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe	upx
behavioral1/memory/2556-22-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral1/memory/2556-33-0x0000000000400000-0x0000000000541000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Executes dropped EXE 2 IoCs

Processes:

abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmpDiskScan.exe

pid process

1872 abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp
2556 DiskScan.exe

pid	process
1872	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp
2556	DiskScan.exe

Loads dropped DLL 9 IoCs

Processes:

abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exeabf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmpWerFault.exe

pid	process
832	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exe
1872	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2608 2556 WerFault.exe DiskScan.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp

pid process

1872 abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp
1872 abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp

pid process

1872 abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp

pid	pid_target	process	target process
2608	2556	WerFault.exe	DiskScan.exe

pid	process
1872	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp
1872	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp

pid	process
1872	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exeabf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmpDiskScan.exe

description	pid	process	target process
PID 832 wrote to memory of 1872	832	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exe	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp
PID 832 wrote to memory of 1872	832	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exe	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp
PID 832 wrote to memory of 1872	832	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exe	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp
PID 832 wrote to memory of 1872	832	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exe	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp
PID 832 wrote to memory of 1872	832	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exe	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp
PID 832 wrote to memory of 1872	832	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exe	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp
PID 832 wrote to memory of 1872	832	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exe	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp
PID 1872 wrote to memory of 2556	1872	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp	DiskScan.exe
PID 1872 wrote to memory of 2556	1872	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp	DiskScan.exe
PID 1872 wrote to memory of 2556	1872	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp	DiskScan.exe
PID 1872 wrote to memory of 2556	1872	abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp	DiskScan.exe
PID 2556 wrote to memory of 2608	2556	DiskScan.exe	WerFault.exe
PID 2556 wrote to memory of 2608	2556	DiskScan.exe	WerFault.exe
PID 2556 wrote to memory of 2608	2556	DiskScan.exe	WerFault.exe
PID 2556 wrote to memory of 2608	2556	DiskScan.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:832

C:\Users\Admin\AppData\Local\Temp\is-RIVFM.tmp\abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RIVFM.tmp\abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp" /SL5="$40112,1302781,816640,C:\Users\Admin\AppData\Local\Temp\abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
"C:\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 664
4⤵
- Loads dropped DLL
- Program crash
PID:2608

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-RIVFM.tmp\abf7e26171a76f84b7548c70e4211c7b_JaffaCakes118.tmp
Filesize
2.5MB

MD5
066108c4b0102357ebdaf3791ba38fe8

SHA1
59e9e8043232169c0554e350c233433b0bc4c83c

SHA256
a720dd6efcd1910ea490c0095ff0efa36eb5228712e61294eeb4b3072715c035

SHA512
a2bb074f042d7214536083dfe341da9dafe1d170cf52e9c0f4ff0041f959d4a28cc6be9cb0e5ec3adf63188d658332b7440d6b5ac8e02af2801e7f34a04acad2

Download Submit
\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
Filesize
569KB

MD5
eab34089ba89eb30bab4d46d0d1d7c63

SHA1
676f13707c42ff4b0324ae9854096729f7541d0f

SHA256
13f90329010f340108f283ae7c832b5c51e32d4ddfd48657f8a9961b1b09ed78

SHA512
c47ac4760e1950575d2f5012b2bfd029cbf1d670f9e075f2b2faa18a129785957342d3bef0f3120e37c4610a221f489aef705b8e647da0861d678278e77bff6e

Download Submit
memory/832-0-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/832-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/832-25-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1872-9-0x0000000000400000-0x0000000000690000-memory.dmp

Filesize
2.6MB

Download
memory/1872-20-0x00000000043D0000-0x0000000004511000-memory.dmp

Filesize
1.3MB

Download
memory/1872-24-0x0000000000400000-0x0000000000690000-memory.dmp

Filesize
2.6MB

Download
memory/2556-22-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/2556-33-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download