General

  • Target

    947a5ab25da9690a9dfe9fa185b5ebfd_JaffaCakes118

  • Size

    1.6MB

  • Sample

    240604-me3hvadb5z

  • MD5

    947a5ab25da9690a9dfe9fa185b5ebfd

  • SHA1

    1bcb34285ed34acac187f855aca82031700e436d

  • SHA256

    9704d0420f573639eed3b1765ea5f212ba4c3129333f2efc167a1c0724935419

  • SHA512

    cd189169a04e90a1e05152776a0b17b605adcb565cd5bb36b3a80701a1c72b275461c3ff2c25508554040688b125ca800805a11dc9ed473e66dcba0ce975973f

  • SSDEEP

    49152:xkbxZfzNc08Ui4+AwVTkaXx7ghm9uivBb1DYbK9sc4:ONZfe08Ui4Ojx8hbivs+L4

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    coronavirus2020

Extracted

Family

matiex

Credentials

Targets

    • Target

      Invoice.pdf.scr

    • Size

      701KB

    • MD5

      248a39b26266e2bae82074df4a2d915d

    • SHA1

      2ade017a99ebf691e13d3eb86e814637a11a164b

    • SHA256

      555028b1ee606e6d75d849940ceb77d3205fa196cf414370facdbce575f99d85

    • SHA512

      0914237e12ccf8f0f4df72ae442a62c14fe5ca6895145ee93c25927cff4ca252295195627ba8fea71a3b132850c757b7c89aa7a6c0f6fa9243b8ec0fc42c389d

    • SSDEEP

      12288:d6H0vOjqj2/L3bxkIHJdBIkNvPu39vPMog7v8WL5TiHKaYaF6wPTM1kLBrH9:d6UG+j2PxkIH/BTNHckoKv8+iHKIF6w/

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Looks for VirtualBox Guest Additions in registry

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • Target

      Itemslists.scr

    • Size

      488KB

    • MD5

      b95e010955432d3e5a2e63d54c01e1b2

    • SHA1

      9a9e7575f960483591ac327e092e1a3fb041208a

    • SHA256

      1b68f5ab26d4fd7c7ca1933dd8dcc6f6f879104a072dc92f9d5917ad42a3cfd7

    • SHA512

      f2fca4e5ac2469f8a4466520b154bfa3567a8e060dd14e11692ddf904cea86b7b8eee859e2b125e7234dde956d2e89b000fb7ebcb0648720b822ea4624b0a024

    • SSDEEP

      12288:+g2Sh8cpTmGuh+6soYYhBHDejsgJEaTOL1p6O5n+vToVe:+gRh8xAkFBHDe7bTIW0Ve

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

    • Matiex Main payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      Pictures.jpg.scr

    • Size

      710KB

    • MD5

      281198c4b0cf5277fb57896af997ada3

    • SHA1

      3066e53d111ee159ece9ecd4edc977a1a38decc5

    • SHA256

      6e9b80abff99f9ce1d477c30f23c7ab327c1d5fef3edda5f68497aacd35ae03b

    • SHA512

      334e2cc90289c1a79fdbbd115397a1a6f888aa370f9059ef3783fe984f6e844cac1615a41932c458a2cab24e39d7a0cb81cd5cb8465e9c18056b879095f118b8

    • SSDEEP

      12288:Ag77dUJtsrMEH4o8zFQdQVH82YpJCRLtlfNctwgK85V0s9vxnCxtHe6O5n+vToVe:AgOJK4o8JQeH82YpJCR7NctDKrshW0Ve

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Looks for VirtualBox Guest Additions in registry

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext
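The signatures listed for the dropped files are mostly single registry reads (VirtualBox Guest Additions, VMware Tools, BIOS strings, the Geo\Nation country code, the Disk\Enum drive map, Outlook profiles) plus a few process and network events (a launch of vbc.exe as the injection host implied by "Suspicious use of SetThreadContext", an external-IP lookup, and the SMTP connection from the extracted config). The following triage helper is an added example, not code from the report or from the sandbox that produced it: it reads constructed event lines, maps each to the signature name used above and to the ATT&CK IDs from the report's matrix, and counts the sandbox-evasion checks per process. The event line format, the exact registry paths behind each signature, the IP-lookup host list, and the T1016/T1048 mappings for the two network signatures are assumptions; the pids and events in SAMPLE_EVENTS are constructed.

```python
"""Map sandbox-style events back to this report's behaviour signatures (added example)."""
import re
from collections import defaultdict

# Registry paths assumed to underlie each registry signature in the report,
# with the ATT&CK IDs the report's matrix attaches to them.
REGISTRY_SIGNATURES = [
    (re.compile(r"SOFTWARE\\Oracle\\VirtualBox Guest Additions", re.I),
     "Looks for VirtualBox Guest Additions in registry", ("T1497", "T1012")),
    (re.compile(r"SOFTWARE\\VMware, Inc\.\\VMware Tools", re.I),
     "Looks for VMWare Tools registry key", ("T1497", "T1012")),
    (re.compile(r"HARDWARE\\DESCRIPTION\\System\\BIOS", re.I),
     "Checks BIOS information in registry", ("T1497", "T1082")),
    (re.compile(r"Control Panel\\International\\Geo\\Nation", re.I),
     "Checks computer location settings", ("T1082",)),
    (re.compile(r"SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum", re.I),
     "Maps connected drives based on registry", ("T1497", "T1120")),
    (re.compile(r"Software\\Microsoft\\Office\\[^\\]+\\Outlook\\Profiles", re.I),
     "Accesses Microsoft Outlook accounts", ("T1114",)),
]

# Assumed list of "legitimate IP lookup services"; the report does not name one.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "ip-api.com"}
# Taken from the report's extracted SMTP config.
EXTRACTED_SMTP_HOST, EXTRACTED_SMTP_PORT = "smtp.privateemail.com", 587


def classify(line):
    """Return (signature name, ATT&CK IDs) for one event line, or None.

    Assumed line format: regquery|pid|path, proc|pid|image|cmdline,
    net|pid|proto|host|port.
    """
    fields = line.rstrip("\n").split("|")
    kind = fields[0]
    if kind == "regquery":
        for pattern, name, techniques in REGISTRY_SIGNATURES:
            if pattern.search(fields[2]):
                return name, techniques
    elif kind == "proc":
        # vbc.exe is the .NET Visual Basic compiler; the report tags its use as the
        # execution host (legacy ID T1064 in the report's matrix).
        if fields[2].lower().endswith("\\vbc.exe"):
            return "Uses the VBS compiler for execution", ("T1064",)
    elif kind == "net":
        host, port = fields[3].lower(), int(fields[4])
        if host in IP_LOOKUP_HOSTS:
            # T1016 is an assumed mapping; the report's matrix does not list it.
            return "Looks up external IP address via web service", ("T1016",)
        if host == EXTRACTED_SMTP_HOST and port == EXTRACTED_SMTP_PORT:
            # T1048 is an assumed mapping; the report's matrix does not list it.
            return "Sends mail via extracted SMTP host", ("T1048",)
    return None


def triage(lines):
    """Aggregate per-pid signature hits: {pid: {signature: [ATT&CK IDs]}}."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        if not line.strip():
            continue
        result = classify(line)
        if result is None:
            continue
        pid = line.split("|")[1]
        name, techniques = result
        hits[pid][name].update(techniques)
    return {pid: {sig: sorted(t) for sig, t in sigs.items()} for pid, sigs in hits.items()}


def evasion_score(report):
    """Count distinct sandbox-evasion (T1497) signatures per pid."""
    return {pid: sum(1 for t in sigs.values() if "T1497" in t) for pid, sigs in report.items()}


# Constructed events: one process doing the evasion checks and spawning vbc.exe,
# a second process reading Outlook profiles and talking to the extracted SMTP host.
SAMPLE_EVENTS = """\
proc|1200|C:\\Users\\victim\\Downloads\\Invoice.pdf.scr|Invoice.pdf.scr
regquery|1200|HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions
regquery|1200|HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools
regquery|1200|HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer
regquery|1200|HKCU\\Control Panel\\International\\Geo\\Nation
regquery|1200|HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum
regquery|1200|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
proc|1200|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe|vbc.exe
regquery|1332|HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook
net|1332|tcp|checkip.dyndns.org|80
net|1332|tcp|smtp.privateemail.com|587
"""

if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS.splitlines())
    for pid, sigs in report.items():
        print(pid, "evasion checks:", evasion_score(report)[pid])
        for sig, ids in sigs.items():
            print("   ", sig, ids)
```

Running it on the constructed events gives four T1497 hits for pid 1200, which is the same count the matrix shows for Virtualization/Sandbox Evasion; an unrelated read of the Run key is ignored rather than reported, which is the point of keying on the specific paths instead of on any registry access.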

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic               | Technique                      | Matching signatures | ID
  Execution            | Scripting                      | 2                   | T1064
  Execution            | Scheduled Task/Job             | 3                   | T1053
  Persistence          | Scheduled Task/Job             | 3                   | T1053
  Privilege Escalation | Scheduled Task/Job             | 3                   | T1053
  Defense Evasion      | Virtualization/Sandbox Evasion | 4                   | T1497
  Defense Evasion      | Scripting                      | 2                   | T1064
  Discovery            | Query Registry                 | 11                  | T1012
  Discovery            | Virtualization/Sandbox Evasion | 4                   | T1497
  Discovery            | System Information Discovery   | 10                  | T1082
  Discovery            | Peripheral Device Discovery    | 2                   | T1120
  Collection           | Email Collection               | 2                   | T1114

  Note: T1064 (Scripting) is a deprecated ATT&CK ID that was folded into T1059 (Command and Scripting Interpreter); the sandbox still reports the legacy ID, so map it to T1059 when correlating with current ATT&CK data.

Tasks