Resubmissions

21-05-2024 12:47

240521-p1bncsed5y 10

21-05-2024 05:07

240521-fr5qeaaa87 10

General

  • Target

    6220dbc17e6c4579e23a93c103344d04_JaffaCakes118

  • Size

    1.0MB

  • Sample

    240521-fr5qeaaa87

  • MD5

    6220dbc17e6c4579e23a93c103344d04

  • SHA1

    78e9640d470745acfb2648d56e35febc30f6e684

  • SHA256

    154c3a1d1e1a4213c0dbd5d4d21f983219626f5ed2eb824f3670394e6555c162

  • SHA512

    5c4fd1ea005b890debb0d5635073a45a5ec2a640a133b53b1dac8c554765b3f96c69fbbae619a6e8c12ee46079895e42b4bf79ec8c4b0f09ee12d377441bc583

  • SSDEEP

    12288:0P+xop6MOkLy2L+J1cvFoTlGlWVp7dBhR82vkLnfOOim:jopEkO2m6vFoTEUi2vk1i

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    longwheelbase2018@yandex.com
  • Password:
    myrecords1248

Targets

    • Target

      6220dbc17e6c4579e23a93c103344d04_JaffaCakes118

    • Size

      1.0MB

    • MD5

      6220dbc17e6c4579e23a93c103344d04

    • SHA1

      78e9640d470745acfb2648d56e35febc30f6e684

    • SHA256

      154c3a1d1e1a4213c0dbd5d4d21f983219626f5ed2eb824f3670394e6555c162

    • SHA512

      5c4fd1ea005b890debb0d5635073a45a5ec2a640a133b53b1dac8c554765b3f96c69fbbae619a6e8c12ee46079895e42b4bf79ec8c4b0f09ee12d377441bc583

    • SSDEEP

      12288:0P+xop6MOkLy2L+J1cvFoTlGlWVp7dBhR82vkLnfOOim:jopEkO2m6vFoTEUi2vk1i

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scripting

1
T1064

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Tasks