General
-
Target
eb85c8d233bbc43b89d451aa8980218e_JaffaCakes118
-
Size
416KB
-
Sample
240410-t8glsshc7w
-
MD5
eb85c8d233bbc43b89d451aa8980218e
-
SHA1
e182f64c338e843fe492949ed6011a2492849013
-
SHA256
2e1064e3bd2d37cd96495c01f326d4a543b77e38045a983e93e99a4704df206f
-
SHA512
0173784e53521d4a789d69330e241b05cc14e7c27cb7559dc7be65296c5d27bbae4ff9c17f46878ee9654f8f05c116663cab24aa206ebe3943cda02e85bfd335
-
SSDEEP
6144:XNqXQgfMkh5eWDbhj4uhxGdkrpNJfet3Agp0q9ygbX+1RzDU8:9qXQgUk5d44xGONJsaMJcR/V
Behavioral task
behavioral1
Sample
eb85c8d233bbc43b89d451aa8980218e_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
eb85c8d233bbc43b89d451aa8980218e_JaffaCakes118.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
blackguard
https://api.telegram.org/bot1711224512:AAG22Nlr-jO4MyOqR-e8u_WyFQ4Bw7rDtVw/sendMessage?chat_id=1640241476
Targets
-
-
Target
eb85c8d233bbc43b89d451aa8980218e_JaffaCakes118
-
Size
416KB
-
MD5
eb85c8d233bbc43b89d451aa8980218e
-
SHA1
e182f64c338e843fe492949ed6011a2492849013
-
SHA256
2e1064e3bd2d37cd96495c01f326d4a543b77e38045a983e93e99a4704df206f
-
SHA512
0173784e53521d4a789d69330e241b05cc14e7c27cb7559dc7be65296c5d27bbae4ff9c17f46878ee9654f8f05c116663cab24aa206ebe3943cda02e85bfd335
-
SSDEEP
6144:XNqXQgfMkh5eWDbhj4uhxGdkrpNJfet3Agp0q9ygbX+1RzDU8:9qXQgUk5d44xGONJsaMJcR/V
Score10/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-