Overview

overview

9

Static

static

3

0a31f5fc65...18.exe

windows7-x64

9

0a31f5fc65...18.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0a31f5fc650f2b93a36a1c095714b78a_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240430-vw2a4sbe6t

  • MD5

    0a31f5fc650f2b93a36a1c095714b78a

  • SHA1

    71b3367011357f8f66c50cee1dc3e331e631933d

  • SHA256

    796d20b44f82b2f28d9f1da9055e1ff84c2e8ac85447b9a53c3f6e8937a54897

  • SHA512

    02742e500fe70ddd5bdff9e6a0ab1b50a679590eab168034a07aca92f58dd539f294561ee3f631716a64c2002ff90a78595fd678e0ec9c7fb307e9843d0a4d75

  • SSDEEP

    24576:wQ1bLFCAXperrOUj6k7ZqC30n5HOUZxfHQAPGuIHpc:wQ1bLk7ZxMdRkp

Score
9/10
collectionpersistence

Malware Config

Targets

    • Target

      0a31f5fc650f2b93a36a1c095714b78a_JaffaCakes118

    • Size

      1.1MB

    • MD5

      0a31f5fc650f2b93a36a1c095714b78a

    • SHA1

      71b3367011357f8f66c50cee1dc3e331e631933d

    • SHA256

      796d20b44f82b2f28d9f1da9055e1ff84c2e8ac85447b9a53c3f6e8937a54897

    • SHA512

      02742e500fe70ddd5bdff9e6a0ab1b50a679590eab168034a07aca92f58dd539f294561ee3f631716a64c2002ff90a78595fd678e0ec9c7fb307e9843d0a4d75

    • SSDEEP

      24576:wQ1bLFCAXperrOUj6k7ZqC30n5HOUZxfHQAPGuIHpc:wQ1bLk7ZxMdRkp

    Score
    9/10
    collectionpersistence

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1
T1064

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks