General

  • Target

    376e4110cce96ef8a42111ad85ac3299_JaffaCakes118

  • Size

    688KB

  • Sample

    240512-bctx5sgh8v

  • MD5

    376e4110cce96ef8a42111ad85ac3299

  • SHA1

    380dab29d003554f08f962ade60643ee7c7038b4

  • SHA256

    95ed3c8879e41b50d66ab9266db5e2d254d0e28f9fb60026af9a96867078bfe9

  • SHA512

    508e1ebf0625f688ddde319327757ff559cd95283ddc19a03832f3fd7f26e5ecd4831b798247bbffe5fd901b4981b5f625838ac7fd0abcc52d71734c438b7f0f

  • SSDEEP

    12288:BNQtoZy1y5KChnBWaAn1TyRhEC+kF9j+8neLwZtv43GZ5W4qNmQhCb:BNio0/IpqTybEC+g9wLoQGdqkQhG

Malware Config

Targets

    • Target

      ORDER SHEET/ORDER SHEET 1.exe

    • Size

      550KB

    • MD5

      dd178d434937b7482e5a9f7c1a807d24

    • SHA1

      10e0dd5f0b95babf7072bf35dbd786ad408def16

    • SHA256

      84053f784641d90e9b053ffcb2e07e95e84f2f647317a4dd716ebca9fc9ac539

    • SHA512

      9073b5817779a12d6eb5091ed69f6ca28ac5c92dbe6dadce66b0a098a2c8289b42c189589ce8a94593baab0f381b491dc9af291cb68f8c787e356a746780c56d

    • SSDEEP

      12288:2rUQtoZo1W5EChbp0aKXRTyRdIYSkF9jO8ng1wNfv4fa9/K:2QiomnGfUTyLIYSg9m1+map

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • Nirsoft

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      ORDER SHEET/ORDER SHEET 2.exe

    • Size

      148KB

    • MD5

      d316580dcafdf8c6f54b83c5e2f3b292

    • SHA1

      503cea589b84ed32013ca9405351f6765c78c6ac

    • SHA256

      0c9b03e927a345e73ce00a71115b9eddf2d77473ca94981bd1a2aaeefcf804c3

    • SHA512

      4e69f1dbc1f133eb0b3f6b1e7d5d344e466356bc6aabb7d84cda47ad646845cde9f0aabf7cf27deb8b32cac1388a7f875b2824eda2c4fe8030fec3b293d25d89

    • SSDEEP

      3072:ICfdFNO841lskf4jpmNpglNMLdSfJnHPt/y894L9tqN0suD:IsF084jfgNmP4HTRksu

    • Score

      7/10

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Scripting (1 event): T1064

  • Persistence

    Boot or Logon Autostart Execution (2 events): T1547

    Registry Run Keys / Startup Folder (2 events): T1547.001

  • Privilege Escalation

    Boot or Logon Autostart Execution (2 events): T1547

    Registry Run Keys / Startup Folder (2 events): T1547.001

  • Defense Evasion

    Scripting (1 event): T1064

    Modify Registry (2 events): T1112

  • Collection

    Email Collection (1 event): T1114

Tasks