General

  • Target: 3d539afa84c194e6ee2743e9a1d3d63b_JaffaCakes118
  • Size: 1.4MB
  • Sample: 240514-bg5v7sde57
  • MD5: 3d539afa84c194e6ee2743e9a1d3d63b
  • SHA1: f34fce9ffd3fbcc0301750f57829f44648d462b7
  • SHA256: df44027aba6ccfa93994b556ec0ad139e0ed41f36510fdea9c17e378f48da80f
  • SHA512: b506340f78580708b1afed9ecc24ea228044b1e3d23d9f09fb3944ec24d99d7d630e4ab62a265fac1d4b95aaf0064d0e1087a972ce9bffda7b4f31617cdc773b
  • SSDEEP: 24576:xs2iC2EShf8IZkfFnnq8G1JyqTBa1Wp8JcQmao54XBddNl7kQD2arhnch6taluTC:5zm8IiZqbA/1Wv8XBV+HluTI5L

Malware Config

Extracted

Credentials

  • Protocol: smtp
  • Host: smtp.zoho.com
  • Port: 587
  • Username: bmt0147@zoho.com
  • Password: uchenna4real

Targets

    • Target: 3d539afa84c194e6ee2743e9a1d3d63b_JaffaCakes118
    • Size: 1.4MB
    • MD5: 3d539afa84c194e6ee2743e9a1d3d63b
    • SHA1: f34fce9ffd3fbcc0301750f57829f44648d462b7
    • SHA256: df44027aba6ccfa93994b556ec0ad139e0ed41f36510fdea9c17e378f48da80f
    • SHA512: b506340f78580708b1afed9ecc24ea228044b1e3d23d9f09fb3944ec24d99d7d630e4ab62a265fac1d4b95aaf0064d0e1087a972ce9bffda7b4f31617cdc773b
    • SSDEEP: 24576:xs2iC2EShf8IZkfFnnq8G1JyqTBa1Wp8JcQmao54XBddNl7kQD2arhnch6taluTC:5zm8IiZqbA/1Wv8XBV+HluTI5L

    Signatures

    • HawkEye: HawkEye is a malware kit that has seen continuous development since at least 2013.
    • NirSoft MailPassView: Password recovery tool for various email clients.
    • NirSoft WebBrowserPassView: Password recovery tool for various web browsers.
    • Nirsoft
    • Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
    • Drops startup file
    • Uses the VBS compiler for execution
    • Accesses Microsoft Outlook accounts
    • Adds Run key to start application
    • Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique                            ID          Count
Execution             Scripting                            T1064       1
Persistence           Boot or Logon Autostart Execution    T1547       1
                      Registry Run Keys / Startup Folder   T1547.001   1
Privilege Escalation  Boot or Logon Autostart Execution    T1547       1
                      Registry Run Keys / Startup Folder   T1547.001   1
Defense Evasion       Scripting                            T1064       1
                      Modify Registry                      T1112       1
Discovery             Query Registry                       T1012       1
                      System Information Discovery         T1082       2
Collection            Email Collection                     T1114       1

Tasks