General
- Target: 02dd9098e44ae9cbb82520b66b925461_JaffaCakes118
- Size: 1.1MB
- Sample: 240427-kqpp1sfg2z
- MD5: 02dd9098e44ae9cbb82520b66b925461
- SHA1: 90f2ced6f6fc6d9aa1e90e0263c6ffdde1ad5d62
- SHA256: 693a986d4a416a8baa4c39cf4280b648f19add9ad5ed73577432dfc59424e1da
- SHA512: cd5c7dda02c2c4bb712548d62c79d83638cff98dd3fc07907672a2e32138722c76f8334e9b8aa7de4c0f99264c21ac60b03a638fdd83f9bd3cacfce5014be8d7
- SSDEEP: 24576:Yk70TrcW8O5xBPNU5vNC2eJ0p7YSyohIF0+aca3qMvURpq/FFdCUVfZaVd:YkQTAHJeJJSyouF0PP8q/F3RM
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 02dd9098e44ae9cbb82520b66b925461_JaffaCakes118.exe
  - Resource: win7-20240220-en

Behavioral task
- behavioral2
  - Sample: 02dd9098e44ae9cbb82520b66b925461_JaffaCakes118.exe
  - Resource: win10v2004-20240419-en
Malware Config
Extracted
- Family: vidar
- Version: 4.9
- Botnet: 147
- C2: http://benediktonpoins.ug/
- Attributes: profile_id = 147
Targets
- Target: 02dd9098e44ae9cbb82520b66b925461_JaffaCakes118
  - Size: 1.1MB
  - MD5: 02dd9098e44ae9cbb82520b66b925461
  - SHA1: 90f2ced6f6fc6d9aa1e90e0263c6ffdde1ad5d62
  - SHA256: 693a986d4a416a8baa4c39cf4280b648f19add9ad5ed73577432dfc59424e1da
  - SHA512: cd5c7dda02c2c4bb712548d62c79d83638cff98dd3fc07907672a2e32138722c76f8334e9b8aa7de4c0f99264c21ac60b03a638fdd83f9bd3cacfce5014be8d7
  - SSDEEP: 24576:Yk70TrcW8O5xBPNU5vNC2eJ0p7YSyohIF0+aca3qMvURpq/FFdCUVfZaVd:YkQTAHJeJJSyouF0PP8q/F3RM
- Vidar Stealer
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext