General
-
Target
ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118
-
Size
1.3MB
-
Sample
240421-qe6r2sce7w
-
MD5
ff59b59d6fb138bd3a588d89ea0fa1d7
-
SHA1
fad22ded5983e8d5a9bffa398c3281670e496f46
-
SHA256
8e1c67e8ed76591ed779773be365b2b66440d958f1bf3556d4512f71836c3d2f
-
SHA512
7c3017e263d812bac1ad57bf4ed4371fe7414cbde8af077e507811a9ce538d1fdbbb5d396f355792dae67cdf9c25e3b0128a036816d74a48ad68c62e5109054e
-
SSDEEP
24576:x6qt46zuDJ+ssHguZbtg2aLJ5eKSKmR9Fmt5J2NY9/:xZqARsV5VmFmzJ2M/
Static task
static1
Behavioral task
behavioral1
Sample
ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118.exe
Resource
win7-20240221-en
Malware Config
Extracted
Protocol: smtp- Host:
mail.merchantexint.com - Port:
587 - Username:
[email protected] - Password:
merW&13@
Targets
-
-
Target
ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118
-
Size
1.3MB
-
MD5
ff59b59d6fb138bd3a588d89ea0fa1d7
-
SHA1
fad22ded5983e8d5a9bffa398c3281670e496f46
-
SHA256
8e1c67e8ed76591ed779773be365b2b66440d958f1bf3556d4512f71836c3d2f
-
SHA512
7c3017e263d812bac1ad57bf4ed4371fe7414cbde8af077e507811a9ce538d1fdbbb5d396f355792dae67cdf9c25e3b0128a036816d74a48ad68c62e5109054e
-
SSDEEP
24576:x6qt46zuDJ+ssHguZbtg2aLJ5eKSKmR9Fmt5J2NY9/:xZqARsV5VmFmzJ2M/
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-