General

  • Target

    2ba3cd628ff02e6db45ae46778560953_JaffaCakes118

  • Size

    2.0MB

  • Sample

    240509-zl1ztahb27

  • MD5

    2ba3cd628ff02e6db45ae46778560953

  • SHA1

    243a4d48ab4b6791c8bff0d58d878826f7dd9bec

  • SHA256

    225d469955bed2ee317957e80a774ee37d51dd48fff41c5e8b75eb386bc9a666

  • SHA512

    058c29447f73cab7115e0ce81bf43ac4bb3dd0fccd7da176ba03441770b25d4ff35239d3c0a67812d05c99d13c4b6d6e502233fedf6789a8f58ddd0099a3ccd9

  • SSDEEP

    12288:q3mGI2uttEwDfl1o34BWQXyyTN0ebL9jObeIumkgVs4fyLh0jrBF1vpjlfBGHV4s:jX1rUm1bhaf9lqpIcN1H5

Malware Config

Targets

    • Target

      2ba3cd628ff02e6db45ae46778560953_JaffaCakes118

    • Size

      2.0MB

    • MD5

      2ba3cd628ff02e6db45ae46778560953

    • SHA1

      243a4d48ab4b6791c8bff0d58d878826f7dd9bec

    • SHA256

      225d469955bed2ee317957e80a774ee37d51dd48fff41c5e8b75eb386bc9a666

    • SHA512

      058c29447f73cab7115e0ce81bf43ac4bb3dd0fccd7da176ba03441770b25d4ff35239d3c0a67812d05c99d13c4b6d6e502233fedf6789a8f58ddd0099a3ccd9

    • SSDEEP

      12288:q3mGI2uttEwDfl1o34BWQXyyTN0ebL9jObeIumkgVs4fyLh0jrBF1vpjlfBGHV4s:jX1rUm1bhaf9lqpIcN1H5

    • M00nd3v_Logger

      M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    • Looks for VirtualBox Guest Additions in registry

    • M00nD3v Logger payload

      Detects M00nD3v Logger payload in memory.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks