General

  • Target

    36e8030d0946c331b4a667385163cb72_JaffaCakes118

  • Size

    537KB

  • Sample

    240511-2jxkqafa98

  • MD5

    36e8030d0946c331b4a667385163cb72

  • SHA1

    4ea151afd9a99d82b7f9bbdeda9de9268e16cf5d

  • SHA256

    8f635cc8326d76a55e41207ea05fc883cfaf7814c5f4a9004780011309504431

  • SHA512

    5373fb48f7344f5e754e5ba5aa9098011b98863fbfdc4a8a4a37515692f606d6b5038c732a97d9d1317965fe3e6b2f26fba0f4f17f922f5e79577607016b62b1

  • SSDEEP

    12288:ad6E5JTIFqdt2yHczPA1ZQ6UVIrSAa5iQF4Na:ad55JTvtHcuQ6UVIDa5i8O

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    alibaba123

Targets

    • Target

      36e8030d0946c331b4a667385163cb72_JaffaCakes118

    • Size

      537KB

    • MD5

      36e8030d0946c331b4a667385163cb72

    • SHA1

      4ea151afd9a99d82b7f9bbdeda9de9268e16cf5d

    • SHA256

      8f635cc8326d76a55e41207ea05fc883cfaf7814c5f4a9004780011309504431

    • SHA512

      5373fb48f7344f5e754e5ba5aa9098011b98863fbfdc4a8a4a37515692f606d6b5038c732a97d9d1317965fe3e6b2f26fba0f4f17f922f5e79577607016b62b1

    • SSDEEP

      12288:ad6E5JTIFqdt2yHczPA1ZQ6UVIrSAa5iQF4Na:ad55JTvtHcuQ6UVIDa5i8O

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • Nirsoft

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks