General

  • Target

    0a31f5fc650f2b93a36a1c095714b78a_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240430-vw2a4sbe6t

  • MD5

    0a31f5fc650f2b93a36a1c095714b78a

  • SHA1

    71b3367011357f8f66c50cee1dc3e331e631933d

  • SHA256

    796d20b44f82b2f28d9f1da9055e1ff84c2e8ac85447b9a53c3f6e8937a54897

  • SHA512

    02742e500fe70ddd5bdff9e6a0ab1b50a679590eab168034a07aca92f58dd539f294561ee3f631716a64c2002ff90a78595fd678e0ec9c7fb307e9843d0a4d75

  • SSDEEP

    24576:wQ1bLFCAXperrOUj6k7ZqC30n5HOUZxfHQAPGuIHpc:wQ1bLk7ZxMdRkp

Malware Config

Targets

    • Target

      0a31f5fc650f2b93a36a1c095714b78a_JaffaCakes118

    • Size

      1.1MB

    • MD5

      0a31f5fc650f2b93a36a1c095714b78a

    • SHA1

      71b3367011357f8f66c50cee1dc3e331e631933d

    • SHA256

      796d20b44f82b2f28d9f1da9055e1ff84c2e8ac85447b9a53c3f6e8937a54897

    • SHA512

      02742e500fe70ddd5bdff9e6a0ab1b50a679590eab168034a07aca92f58dd539f294561ee3f631716a64c2002ff90a78595fd678e0ec9c7fb307e9843d0a4d75

    • SSDEEP

      24576:wQ1bLFCAXperrOUj6k7ZqC30n5HOUZxfHQAPGuIHpc:wQ1bLk7ZxMdRkp

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks