General

  • Target

    4b18775ec7b1d8359e7aa9c72d6cec2a_JaffaCakes118

  • Size

    720KB

  • Sample

    240516-pr8lqscg3w

  • MD5

    4b18775ec7b1d8359e7aa9c72d6cec2a

  • SHA1

    7e45e41a8725842b1ca5a69910acf6cf344b9a3f

  • SHA256

    3fceddef72a3dc094c668e1abe7de842afe815d4f56f1cc530e4165ad32d3484

  • SHA512

    7333c987a90e7a99498099499a2e02e3690d29e683ae5425daef83e458eb00fc8f5a3c23c7cf4ab10ea768358116711785f0685283795a8a75cc9b55a9396269

  • SSDEEP

    12288:nrfv5g+OFLHuqgRpIgFHjnzk8/WcmQz0af2GbKepaRBwkYo8KjkZahMeJjdIbDuo:rfve+OFLHuHRpIEHjo8uiZfHKbRiJo83

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.mail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    bobrossismynanm8

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • T1064 Scripting (1)

Persistence

  • T1547 Boot or Logon Autostart Execution (1)
  • T1547.001 Registry Run Keys / Startup Folder (1)

Privilege Escalation

  • T1547 Boot or Logon Autostart Execution (1)
  • T1547.001 Registry Run Keys / Startup Folder (1)

Defense Evasion

  • T1064 Scripting (1)
  • T1112 Modify Registry (1)

Collection

  • T1114 Email Collection (1)

Tasks