General
Target: 947a5ab25da9690a9dfe9fa185b5ebfd_JaffaCakes118
Size: 1.6MB
Sample: 240604-me3hvadb5z
MD5: 947a5ab25da9690a9dfe9fa185b5ebfd
SHA1: 1bcb34285ed34acac187f855aca82031700e436d
SHA256: 9704d0420f573639eed3b1765ea5f212ba4c3129333f2efc167a1c0724935419
SHA512: cd189169a04e90a1e05152776a0b17b605adcb565cd5bb36b3a80701a1c72b275461c3ff2c25508554040688b125ca800805a11dc9ed473e66dcba0ce975973f
SSDEEP: 49152:xkbxZfzNc08Ui4+AwVTkaXx7ghm9uivBb1DYbK9sc4:ONZfe08Ui4Ojx8hbivs+L4
Static task: static1
Behavioral task: behavioral1
Sample: Invoice.pdf.scr
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: Invoice.pdf.scr
Resource: win10v2004-20240508-en
Behavioral task: behavioral3
Sample: Itemslists.scr
Resource: win7-20240508-en
Behavioral task: behavioral4
Sample: Itemslists.scr
Resource: win10v2004-20240426-en
Behavioral task: behavioral5
Sample: Pictures.jpg.scr
Resource: win7-20231129-en
Malware Config
Extracted
Protocol: smtp
Host: smtp.privateemail.com
Port: 587
Username: [email protected]
Password: coronavirus2020
Extracted
matiex
Protocol: smtp
Host: smtp.privateemail.com
Port: 587
Username: [email protected]
Password: coronavirus2020
Email To: [email protected]
Targets
Target: Invoice.pdf.scr
Size: 701KB
MD5: 248a39b26266e2bae82074df4a2d915d
SHA1: 2ade017a99ebf691e13d3eb86e814637a11a164b
SHA256: 555028b1ee606e6d75d849940ceb77d3205fa196cf414370facdbce575f99d85
SHA512: 0914237e12ccf8f0f4df72ae442a62c14fe5ca6895145ee93c25927cff4ca252295195627ba8fea71a3b132850c757b7c89aa7a6c0f6fa9243b8ec0fc42c389d
SSDEEP: 12288:d6H0vOjqj2/L3bxkIHJdBIkNvPu39vPMog7v8WL5TiHKaYaF6wPTM1kLBrH9:d6UG+j2PxkIH/BTNHckoKv8+iHKIF6w/
- Looks for VirtualBox Guest Additions in registry
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
Target: Itemslists.scr
Size: 488KB
MD5: b95e010955432d3e5a2e63d54c01e1b2
SHA1: 9a9e7575f960483591ac327e092e1a3fb041208a
SHA256: 1b68f5ab26d4fd7c7ca1933dd8dcc6f6f879104a072dc92f9d5917ad42a3cfd7
SHA512: f2fca4e5ac2469f8a4466520b154bfa3567a8e060dd14e11692ddf904cea86b7b8eee859e2b125e7234dde956d2e89b000fb7ebcb0648720b822ea4624b0a024
SSDEEP: 12288:+g2Sh8cpTmGuh+6soYYhBHDejsgJEaTOL1p6O5n+vToVe:+gRh8xAkFBHDe7bTIW0Ve
- Matiex Main payload
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
Target: Pictures.jpg.scr
Size: 710KB
MD5: 281198c4b0cf5277fb57896af997ada3
SHA1: 3066e53d111ee159ece9ecd4edc977a1a38decc5
SHA256: 6e9b80abff99f9ce1d477c30f23c7ab327c1d5fef3edda5f68497aacd35ae03b
SHA512: 334e2cc90289c1a79fdbbd115397a1a6f888aa370f9059ef3783fe984f6e844cac1615a41932c458a2cab24e39d7a0cb81cd5cb8465e9c18056b879095f118b8
SSDEEP: 12288:Ag77dUJtsrMEH4o8zFQdQVH82YpJCRLtlfNctwgK85V0s9vxnCxtHe6O5n+vToVe:AgOJK4o8JQeH82YpJCR7NctDKrshW0Ve
- Looks for VirtualBox Guest Additions in registry
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext