Extracted

• • Target

    207d960c0ac8ec72d7d9f56a5ccf5f34_JaffaCakes118

  • Size

    1.1MB

  • MD5

    207d960c0ac8ec72d7d9f56a5ccf5f34

  • SHA1

    4d78705382b3957f64a99ecba7fda2b87f36bc79

  • SHA256

    112390bb646fa1d763c3189bb4e70b90f815a268158f1d43144ecd15e0194a46

  • SHA512

    f0f2b4d41f32f36aa0014159e706c7b1486a60108fb2bcc512d22a939e690efcb855c117feb2b57c12dd754b4842cf866d32c9b7843390449f6e36f0670b31f5

  • SSDEEP

    12288:28yIy581Qv8yIy581QXZEq+a22jPwvDI2B8WnXYRLB2LsC3Lg9XgyAeX1+c:wn8m/n8mOq/dPwsO8CIRLrC6Q5

  Score

  10^/10

  hawkeyezgratagilenetcollectionkeyloggerpersistenceratspywarestealertrojan

  • Detect ZGRat V1

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Nirsoft

  • Obfuscated with Agile.Net obfuscator

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Uses the VBS compiler for execution

  • Accesses Microsoft Outlook accounts

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2