Extracted

Extracted

• • Target

    9e9fec3ff4dce17a719345d12573d1a0_JaffaCakes118

  • Size

    4.4MB

  • MD5

    9e9fec3ff4dce17a719345d12573d1a0

  • SHA1

    9b00aac448f2578dbe3ad1fa6ad881dce088ee4f

  • SHA256

    0b09172121446ef773c5a6b3e69054aa830d7d7f030b716674972c80717a65f8

  • SHA512

    a40ba2f5fb8ba6dcb8f2013ac2b165ecb6d5d545da85531aa4d20a64e6577e2edd68c8dfecf1b7d9133ab2b62e99cd0ef6237d10fc76509c25b164038d37b651

  • SSDEEP

    49152:BwCbthWW8/fe+sz1KDkfMSnvmc4+2ZnA2p2BUEfK5vbVQQb/ur2Z:5VQb6ZfMSvmFnBcBUE4baa/d

  Score

  10^/10

  adwindhawkeyelatentbotlokibotxtremeratcollectionevasionkeyloggerpersistenceratspywarestealertrojanupxdiscovery

  • AdWind

    A Java-based RAT family operated as malware-as-a-service.

    trojanadwind

  • Class file contains resources related to AdWind

  • Detect XtremeRAT payload

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot

  • UAC bypass

    evasiontrojan

  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Nirsoft

  • Disables Task Manager via registry modification

    evasion

  • Disables use of System Restore points

    evasion

  • Modifies Installed Components in the registry

    persistence

  • Sets file execution options in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Uses the VBS compiler for execution

  • Accesses Microsoft Outlook accounts

    collection

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2