General

  • Target

    2474d228dd56d4f2e2998c51c01a677e_JaffaCakes118

  • Size

    949KB

  • Sample

    240508-mpe6asgc7w

  • MD5

    2474d228dd56d4f2e2998c51c01a677e

  • SHA1

    80d9139b2346234e11e89963e24c070029aa8ea2

  • SHA256

    068d2f2923daf2dc3218a6c0caffab5880e3de0a76605794d47cad04b0a76805

  • SHA512

    684e6e7bb35ed413cae007ce97484db7065834d2a9d89b46cfc211c0d06b3f810547bb5f308501c01ae7b6760554039e06c288dde3731db8d7536ea0ec3ccb4a

  • SSDEEP

    24576:Io/1hsjCO3mFQSWhq0ddip3wQtRZdAWFd6xc0Zg7iq:z1hxO37s0fYntiWFd66Gg7iq

Targets

    • HawkEye

      HawkEye is a commercially sold keylogger and credential-stealing malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to or away from particular regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

      vbc.exe, the Visual Basic .NET compiler that ships with the .NET Framework, is started as a host process; a build tool running outside a build is itself a useful hunting signal.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is the final step of process hollowing and thread hijacking; together with the vbc.exe signature above this is consistent with the sample injecting into a hollowed vbc.exe.

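The signatures above describe host behaviour that a SOC can look for outside the sandbox. The following is an added example (not part of the sandbox report or of any vendor's detection content) that runs a small set of rules over constructed Sysmon-style events: a Run-key write (T1547.001), vbc.exe spawned by something other than build tooling, a DNS query to an IP-echo service, and a process-access event requesting the rights hollowing needs. The GUIDs, paths, the Run value name, the lookup domains and the build-tool allow-list are assumptions; Sysmon does not log SetThreadContext itself, so that rule is a documented proxy. The ATT&CK IDs attached to hits are only those the report's own matrix lists.

```python
"""Triage of Sysmon-style events against the behaviours reported above.

Added example, not part of the sandbox report. The events below are
constructed to mirror Sysmon's schema (EventID 1 process create, 10 process
access, 13 registry value set, 22 DNS query); GUIDs, paths, the Run value name
and the lookup domain are hypothetical.
"""

# Signature -> ATT&CK ID, taken only from the report's own matrix (v13).
TECHNIQUE_IDS = {
    "Adds Run key to start application": "T1547.001",
    "Uses the VBS compiler for execution": "T1064",
}
# Public IP-echo services commonly used for the external-IP lookup (assumption).
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com", "ifconfig.me"}
# Parents that legitimately spawn vbc.exe (assumption; tune to your estate).
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "csc.exe"}
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_run_key(ev):
    """T1547.001: a value written under ...\\CurrentVersion\\Run\\ (RunOnce is not matched)."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    if "\\currentversion\\run\\" in target.lower():
        return "Adds Run key to start application", f"{target} = {ev.get('Details', '')}"
    return None


def rule_vbc_host(ev):
    """vbc.exe started by something other than build tooling."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) != "vbc.exe":
        return None
    parent = _basename(ev.get("ParentImage", ""))
    if parent in BUILD_PARENTS:
        return None
    return "Uses the VBS compiler for execution", f"vbc.exe spawned by {parent}"


def rule_ip_lookup(ev):
    """DNS query for a known IP-echo service."""
    if ev.get("EventID") != 22:
        return None
    name = ev.get("QueryName", "").lower()
    if name in IP_LOOKUP_HOSTS:
        return "Looks up external IP address via web service", name
    return None


def rule_hollow_access(ev):
    """Proxy for SetThreadContext: Sysmon does not log thread-context writes,
    but hollowing first needs VM_WRITE|VM_OPERATION on the target process."""
    if ev.get("EventID") != 10:
        return None
    rights = int(ev.get("GrantedAccess", "0x0"), 16)
    if rights & PROCESS_VM_WRITE and rights & PROCESS_VM_OPERATION:
        src, dst = _basename(ev.get("SourceImage", "")), _basename(ev.get("TargetImage", ""))
        return "Suspicious use of SetThreadContext", f"{src} -> {dst} ({ev['GrantedAccess']})"
    return None


RULES = (rule_run_key, rule_vbc_host, rule_ip_lookup, rule_hollow_access)


def triage(events):
    """Return one hit per (event, rule) match, tagged with the acting process GUID."""
    hits = []
    for ev in events:
        for rule in RULES:
            match = rule(ev)
            if match:
                signature, evidence = match
                hits.append({
                    "signature": signature,
                    "technique": TECHNIQUE_IDS.get(signature),
                    "process": ev.get("ProcessGuid") or ev.get("SourceProcessGuid"),
                    "evidence": evidence,
                })
    return hits


def techniques(hits):
    """Sorted, de-duplicated ATT&CK IDs for the hits (only those the report maps)."""
    return sorted({h["technique"] for h in hits if h["technique"]})


TMP = "C:\\Users\\victim\\AppData\\Local\\Temp\\"
VBC = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"
SAMPLE_EVENTS = [  # constructed events, not captured telemetry
    {"EventID": 1, "ProcessGuid": "A", "Image": TMP + "dropper.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "ProcessGuid": "B", "ParentProcessGuid": "A", "Image": VBC,
     "ParentImage": TMP + "dropper.exe"},
    {"EventID": 10, "SourceProcessGuid": "A", "SourceImage": TMP + "dropper.exe",
     "TargetImage": VBC, "GrantedAccess": "0x1F0FFF"},
    {"EventID": 13, "ProcessGuid": "B", "Details": "C:\\Users\\victim\\AppData\\Roaming\\svchost32.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost32"},
    {"EventID": 22, "ProcessGuid": "B", "QueryName": "checkip.dyndns.org"},
    # Benign control: a build spawning vbc.exe must not fire.
    {"EventID": 1, "ProcessGuid": "C", "Image": VBC,
     "ParentImage": "C:\\Program Files\\dotnet\\MSBuild.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"[{hit['process']}] {hit['technique'] or '-':<9} {hit['signature']}: {hit['evidence']}")
    print("ATT&CK:", ", ".join(techniques(triage(SAMPLE_EVENTS))))
```

Run against the constructed events the script reports four hits, all attributable to the dropper (GUID A) or its vbc.exe child (GUID B), and leaves the MSBuild-spawned vbc.exe alone. In production the same rules would be fed from a SIEM export, and the process-access rule should be joined with the subsequent process-create of the same target to cut noise from debuggers and EDR agents, which also request those rights.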
MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                 Technique                                  Signatures  ID
  Execution              Scripting                                  1           T1064
  Persistence            Boot or Logon Autostart Execution          1           T1547
  Persistence              Registry Run Keys / Startup Folder       1           T1547.001
  Privilege Escalation   Boot or Logon Autostart Execution          1           T1547
  Privilege Escalation     Registry Run Keys / Startup Folder       1           T1547.001
  Defense Evasion        Scripting                                  1           T1064
  Defense Evasion        Modify Registry                            1           T1112
  Discovery              Query Registry                             1           T1012
  Discovery              System Information Discovery               2           T1082
  Collection             Email Collection                           1           T1114

  The Signatures column is the number of behavioural signatures the sandbox mapped to each technique. Note that T1064 (Scripting) is a deprecated technique in ATT&CK; current mappings of the same behaviour fall under T1059 (Command and Scripting Interpreter).