General

  • Target

    207d960c0ac8ec72d7d9f56a5ccf5f34_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240507-n2mxcahc99

  • MD5

    207d960c0ac8ec72d7d9f56a5ccf5f34

  • SHA1

    4d78705382b3957f64a99ecba7fda2b87f36bc79

  • SHA256

    112390bb646fa1d763c3189bb4e70b90f815a268158f1d43144ecd15e0194a46

  • SHA512

    f0f2b4d41f32f36aa0014159e706c7b1486a60108fb2bcc512d22a939e690efcb855c117feb2b57c12dd754b4842cf866d32c9b7843390449f6e36f0670b31f5

  • SSDEEP

    12288:28yIy581Qv8yIy581QXZEq+a22jPwvDI2B8WnXYRLB2LsC3Lg9XgyAeX1+c:wn8m/n8mOq/dPwsO8CIRLrC6Q5

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    myrecords1248

Targets

    • Target

      207d960c0ac8ec72d7d9f56a5ccf5f34_JaffaCakes118

    • Detect ZGRat V1

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks