General

  • Target

    65aabdf3652772fae9a09fe342f7d5b7_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240522-csjb1shd5z

  • MD5

    65aabdf3652772fae9a09fe342f7d5b7

  • SHA1

    6467d98301450db586991ca8b4a65119c163df12

  • SHA256

    f621a1b20e621f90f289b2652beb0117b965393665932a1a33b73541350ab708

  • SHA512

    3d798988fefbd8a60b1a89635d682c0b76c8b8e938aafd88e6be981f15fdb9ad166185da07474d37476526b5b58dc1de43fef0968c67db524c5857c1ca6035a0

  • SSDEEP

    24576:gyWHJopc3AfngOtY/M3LpvMyeiR9OCOjXKp7pGt4HqSxvA92nHM11TLi:gy4opOAnIkbpvMmOj+pGWK0AUGTLi

Malware Config

Targets

    • Target

      Specification and shematic Diagram.exe

    • Size

      1.4MB

    • MD5

      6d8d586a1feda0d474f0d3c6efbdd706

    • SHA1

      a66fc9adce64f992d7a0093d8e8c78b647ac2220

    • SHA256

      d69d517b51057301a5b0e44b6ecd8dceb2c6e9f6ba9db39a002d9078169d69d5

    • SHA512

      8de88c81690c38e3af5fdbecc53dc9aa042ad38f7bf60c2d7c3906e98210bf5c1a954aca861175e78fe12db4909fc16cc9f54cb33b6923c9b57975b6bf5d8829

    • SSDEEP

      24576:eUfUDtdfFQ0QPEhyxv4+gR9P+S2f8dQWdY7Dx1EAhd:eaUujPKy5q9+SvQWO7wA

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Scripting (T1064): 1
    Scheduled Task/Job (T1053): 1

  • Persistence

    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
    Scheduled Task/Job (T1053): 1

  • Privilege Escalation

    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
    Scheduled Task/Job (T1053): 1

  • Defense Evasion

    Scripting (T1064): 1
    Modify Registry (T1112): 1

  • Collection

    Email Collection (T1114): 1

Tasks