Overview

overview

10

Static

static

3

2ba3cd628f...18.exe

windows7-x64

10

2ba3cd628f...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2ba3cd628ff02e6db45ae46778560953_JaffaCakes118

  • Size

    2.0MB

  • Sample

    240509-zl1ztahb27

  • MD5

    2ba3cd628ff02e6db45ae46778560953

  • SHA1

    243a4d48ab4b6791c8bff0d58d878826f7dd9bec

  • SHA256

    225d469955bed2ee317957e80a774ee37d51dd48fff41c5e8b75eb386bc9a666

  • SHA512

    058c29447f73cab7115e0ce81bf43ac4bb3dd0fccd7da176ba03441770b25d4ff35239d3c0a67812d05c99d13c4b6d6e502233fedf6789a8f58ddd0099a3ccd9

  • SSDEEP

    12288:q3mGI2uttEwDfl1o34BWQXyyTN0ebL9jObeIumkgVs4fyLh0jrBF1vpjlfBGHV4s:jX1rUm1bhaf9lqpIcN1H5

Score
10/10
m00nd3v_loggercollectionevasioninfostealerspywarestealer

Malware Config

Targets

    • Target

      2ba3cd628ff02e6db45ae46778560953_JaffaCakes118

    • Size

      2.0MB

    • MD5

      2ba3cd628ff02e6db45ae46778560953

    • SHA1

      243a4d48ab4b6791c8bff0d58d878826f7dd9bec

    • SHA256

      225d469955bed2ee317957e80a774ee37d51dd48fff41c5e8b75eb386bc9a666

    • SHA512

      058c29447f73cab7115e0ce81bf43ac4bb3dd0fccd7da176ba03441770b25d4ff35239d3c0a67812d05c99d13c4b6d6e502233fedf6789a8f58ddd0099a3ccd9

    • SSDEEP

      12288:q3mGI2uttEwDfl1o34BWQXyyTN0ebL9jObeIumkgVs4fyLh0jrBF1vpjlfBGHV4s:jX1rUm1bhaf9lqpIcN1H5

    Score
    10/10
    m00nd3v_loggerevasioninfostealerspywarestealercollection

    • M00nd3v_Logger

      M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

      stealerspywarem00nd3v_logger

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • M00nD3v Logger payload

      Detects M00nD3v Logger payload in memory.

      infostealer

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

      collection

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1
T1064

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Scripting

1
T1064

Credential Access

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks