General

  • Target

    28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118

  • Size

    644KB

  • Sample

    240509-jlkptsgb4w

  • MD5

    28fbf26d76059fb5f277eaae5b7f894b

  • SHA1

    8bf8f4ccadd44da372359a31598856e187dc5b1f

  • SHA256

    97b1a0a2a2f05f22c3f9ac4152e34ad4d629c577ea9425020d5f8ce204d583d0

  • SHA512

    2db87c5f04edbfee71575ca045dd96e694e75b0c84a7400e01ba429af44987052d7b7b694bdbc5ef808b917d1f39d6ab6f521b40d895e3c1d8da938450800660

  • SSDEEP

    12288:q0wKEpZHDQi7vhMgWMzU9l9fDWmSsLbpnHrM8DoiQQWpH3UMQ9fp6zgJGE0:1Ejki75MTSCaaLbpnQ/zpU9ozMa
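Before relying on a sandbox report, confirm that the file on your disk is the same object the report describes. The helper below, an example added here (not part of the sandbox page or its tooling), recomputes the four digests listed above and checks every one of them independently, so a report typo or a partial hash paste shows up as a single mismatching algorithm rather than a silent pass. SSDEEP is left out because the standard library cannot compute it (the `ssdeep` or `ppdeep` package can).

```python
import hashlib
import sys

# Digests copied verbatim from the report above.
REPORT = {
    "md5": "28fbf26d76059fb5f277eaae5b7f894b",
    "sha1": "8bf8f4ccadd44da372359a31598856e187dc5b1f",
    "sha256": "97b1a0a2a2f05f22c3f9ac4152e34ad4d629c577ea9425020d5f8ce204d583d0",
    "sha512": "2db87c5f04edbfee71575ca045dd96e694e75b0c84a7400e01ba429af44987052d7b7b"
              "694bdbc5ef808b917d1f39d6ab6f521b40d895e3c1d8da938450800660",
}


def fingerprint(data: bytes) -> dict:
    """Return the same four digests the report lists, lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT}


def compare(data: bytes, report: dict = REPORT) -> dict:
    """Per-algorithm result. Checking each digest separately distinguishes
    a transcription error in the report (one algorithm disagrees) from a
    genuinely different file (all of them disagree)."""
    local = fingerprint(data)
    return {name: local[name] == report[name].lower() for name in report}


def is_same_sample(data: bytes, report: dict = REPORT) -> bool:
    """True only when every listed digest agrees."""
    return all(compare(data, report).values())


if __name__ == "__main__":
    # Usage: python verify.py <path-to-sample>
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    for name, ok in compare(blob).items():
        print(f"{name:6s} {'match' if ok else 'MISMATCH'}")
    print("same sample" if is_same_sample(blob) else "NOT the reported sample")
```

The report's 644KB size is rounded, so it is only a sanity check; the digests are the identity.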

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    secure.emailsrvr.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Wako2j22#

Targets

    • Target

      28fbf26d76059fb5f277eaae5b7f894b_JaffaCakes118

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • ACProtect 1.3x - 1.4x DLL software

      Detects a file protected with the ACProtect packer (versions 1.3x to 1.4x).

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread of another process is a common step in process hollowing and other code-injection techniques.

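The signatures above describe one chain: the sample spawns a .NET compiler process, hijacks it with SetThreadContext, and the hijacked process then reads mail-client credentials, looks up its external IP and connects out over SMTP. The following detection logic, added here as an example and not the sandbox's own signature code, ties those individual events together by process id so that a benign vbc.exe run does not fire on its own. The event schema, the Outlook registry path, the list of IP-lookup hosts and the list of commonly hollowed .NET hosts are all assumptions for the example; the events themselves are constructed, not taken from the report.

```python
from collections import defaultdict

# Constructed sandbox-style events (hypothetical; not from the report above).
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,   "image": r"C:\Users\u\Desktop\sample.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"},
    {"type": "api", "pid": 100, "api": "SetThreadContext", "target_pid": 200},
    {"type": "registry", "pid": 200,
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "http", "pid": 200, "host": "checkip.dyndns.org", "path": "/"},
    {"type": "tcp", "pid": 200, "dst_host": "secure.emailsrvr.com", "dst_port": 587},
]

# Assumed lists for the example; extend from your own telemetry.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "ipinfo.io"}
INJECTION_HOSTS = {"vbc.exe", "regsvcs.exe", "regasm.exe", "msbuild.exe"}
SMTP_PORTS = {25, 465, 587}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_hawkeye_chain(events):
    """Map each hollowed host process (pid) to the behaviours observed in it.
    Returns {} when no injection into a known host process is seen."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    parents = {e["pid"]: e["ppid"] for e in events if e["type"] == "process"}

    # Step 1: SetThreadContext from a process into a .NET utility it spawned itself.
    hollowed = {}
    for e in events:
        if e["type"] != "api" or e["api"] != "SetThreadContext":
            continue
        tgt = e["target_pid"]
        if (tgt in images and _basename(images[tgt]) in INJECTION_HOSTS
                and parents.get(tgt) == e["pid"]):
            hollowed[tgt] = images[e["pid"]]

    findings = defaultdict(list)
    for pid, injector in hollowed.items():
        findings[pid].append(
            f"SetThreadContext into {_basename(images[pid])} by {_basename(injector)}")

    # Step 2: attribute credential theft, IP lookup and SMTP traffic to the hollowed pid.
    for e in events:
        pid = e.get("pid")
        if pid not in hollowed:
            continue
        if e["type"] == "http" and e["host"].lower() in IP_LOOKUP_HOSTS:
            findings[pid].append(f"external IP lookup via {e['host']}")
        elif e["type"] == "tcp" and e["dst_port"] in SMTP_PORTS:
            findings[pid].append(f"SMTP connection to {e['dst_host']}:{e['dst_port']}")
        elif e["type"] == "registry" and "\\outlook\\profiles\\" in e["key"].lower():
            findings[pid].append("reads Outlook profile (mail credential access)")
    return dict(findings)


def verdict(events) -> bool:
    """Fire only on injection plus at least two of the follow-on behaviours."""
    return any(len(f) >= 3 for f in detect_hawkeye_chain(events).values())


if __name__ == "__main__":
    for pid, items in detect_hawkeye_chain(EVENTS).items():
        print(pid, *items, sep="\n  ")
    print("HawkEye-like chain:", verdict(EVENTS))
```

Keying everything on the injected process is the point: the SMTP host and port extracted above are the strongest single indicator for this sample, but a detection that only matches port 587 traffic or a lone vbc.exe launch will be noisy on developer machines.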
MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    Scripting (1): T1064
  • Defense Evasion
    Scripting (1): T1064
    Subvert Trust Controls (1): T1553
    Install Root Certificate (1): T1553.004
    Modify Registry (1): T1112
  • Collection
    Email Collection (1): T1114

Tasks