General

  • Target

    4a0fcda50ccb462074bb348ddaa031d2_JaffaCakes118

  • Size

    959KB

  • Sample

    240516-jmg1bsaf8v

  • MD5

    4a0fcda50ccb462074bb348ddaa031d2

  • SHA1

    3bc64f01699074912862f42d6b1d8d44524790a6

  • SHA256

    fb7257b29decf0a2438a8236599ce1f4210fe1325f390b89a5b59158ff0d3c2f

  • SHA512

    6b25665582405abd38c18b38501bc5e7e42a8fc91b5a5af327a9a375c407c11fb258d03451129e572419b545f6e2eed6d439dc5dd293cdb9a9820b3f33edb227

  • SSDEEP

    24576:wQCRRRRRRRRRRRRRRRRRRRRt6perrOUj6k7ZqC30xggliabfCqBpp2dzMhK:wQCRRRRRRRRRRRRRRRRRRRRtWk7Zx0gI

Malware Config

Targets

    • Target

      4a0fcda50ccb462074bb348ddaa031d2_JaffaCakes118

    • Size

      959KB

    • MD5

      4a0fcda50ccb462074bb348ddaa031d2

    • SHA1

      3bc64f01699074912862f42d6b1d8d44524790a6

    • SHA256

      fb7257b29decf0a2438a8236599ce1f4210fe1325f390b89a5b59158ff0d3c2f

    • SHA512

      6b25665582405abd38c18b38501bc5e7e42a8fc91b5a5af327a9a375c407c11fb258d03451129e572419b545f6e2eed6d439dc5dd293cdb9a9820b3f33edb227

    • SSDEEP

      24576:wQCRRRRRRRRRRRRRRRRRRRRt6perrOUj6k7ZqC30xggliabfCqBpp2dzMhK:wQCRRRRRRRRRRRRRRRRRRRRtWk7Zx0gI

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks