General

  • Target

    39adfb2b1182f59ba03df4dd265e3350_JaffaCakes118

  • Size

    607KB

  • Sample

    240512-mpv7hsef58

  • MD5

    39adfb2b1182f59ba03df4dd265e3350

  • SHA1

    d96633cc50f6466457707c3e2a3715b233d3a429

  • SHA256

    3ef226b12ec5f7a382c884432ae146f8324b6c938383aa14f3f73407ba16d031

  • SHA512

    0e722e476bacc44ab754f3bd4b39b828863615a1913bf1e133284923e39785fb7523a0a31d604fa20ad091eaae81f0c6e0c1fbaa45b0f72d8b7743d1c659afe2

  • SSDEEP

    12288:5xK0O5VBPAt/GhPKp8AjCWiGJWu5b79Om1ZZX5wlYcSksCsi:X45VBPAEPKp8AjnNJd/9OKZTZIsi

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    predpainalt@gmail.com
  • Password:
    Lilhero56

Targets

    • Target

      39adfb2b1182f59ba03df4dd265e3350_JaffaCakes118

    • Size

      607KB

    • MD5

      39adfb2b1182f59ba03df4dd265e3350

    • SHA1

      d96633cc50f6466457707c3e2a3715b233d3a429

    • SHA256

      3ef226b12ec5f7a382c884432ae146f8324b6c938383aa14f3f73407ba16d031

    • SHA512

      0e722e476bacc44ab754f3bd4b39b828863615a1913bf1e133284923e39785fb7523a0a31d604fa20ad091eaae81f0c6e0c1fbaa45b0f72d8b7743d1c659afe2

    • SSDEEP

      12288:5xK0O5VBPAt/GhPKp8AjCWiGJWu5b79Om1ZZX5wlYcSksCsi:X45VBPAEPKp8AjnNJd/9OKZTZIsi

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scripting

1
T1064

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Tasks