General

  • Target

    5a55c46f031c51c19ff3bca04096684e_JaffaCakes118

  • Size

    668KB

  • Sample

    240519-tx7nvafe3z

  • MD5

    5a55c46f031c51c19ff3bca04096684e

  • SHA1

    9dbac20857e5f72942e2d3f2bd584a0ed6620919

  • SHA256

    1ac7b754c603722fc1a4c38cf6f23bde50edb667efa0a8abfd4f9008fc40ebce

  • SHA512

    50428e9d58539e810063af1d56dd157f7442181d089c677c55e29936b8d4b98524c1f7b8f55929ffe5b11e51571cdb0d5890b663a12665030de5042bdbc410a6

  • SSDEEP

    12288:FKEimK3hyzVkEtXQJ81Z7O5OWlf6+abnmgUiGvOC2bR+7j+NYe1uQkDZ:0EimohUlAmxaOWlWIOCzS+HRD

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.mail.com
  • Port:
    587
  • Username:
    j.nothing@asia.com
  • Password:
    malaysia25

Targets

    • Target

      5a55c46f031c51c19ff3bca04096684e_JaffaCakes118

    • Size

      668KB

    • MD5

      5a55c46f031c51c19ff3bca04096684e

    • SHA1

      9dbac20857e5f72942e2d3f2bd584a0ed6620919

    • SHA256

      1ac7b754c603722fc1a4c38cf6f23bde50edb667efa0a8abfd4f9008fc40ebce

    • SHA512

      50428e9d58539e810063af1d56dd157f7442181d089c677c55e29936b8d4b98524c1f7b8f55929ffe5b11e51571cdb0d5890b663a12665030de5042bdbc410a6

    • SSDEEP

      12288:FKEimK3hyzVkEtXQJ81Z7O5OWlf6+abnmgUiGvOC2bR+7j+NYe1uQkDZ:0EimohUlAmxaOWlWIOCzS+HRD

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scripting

1
T1064

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Scripting

1
T1064

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Email Collection

1
T1114

Tasks