Overview

overview

10

Static

static

3

ace7276b6d...18.exe

windows7-x64

10

ace7276b6d...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ace7276b6d15813bed302002d4dee55d_JaffaCakes118

  • Size

    3.5MB

  • Sample

    240615-e9g7dsshlm

  • MD5

    ace7276b6d15813bed302002d4dee55d

  • SHA1

    e59ec6b73b699d08cf7ca9fc54ff668c80208f90

  • SHA256

    c93d2fbcfa240a73280b3da49ca5cc0bcf6626aa9b6c399cf04d6409725da79f

  • SHA512

    8437857b6a3a38afc966ef00e242c2e018f0feac0ef375295ff0f938f1a7ceebb41146858854bb7620230b3a456291a8a9fe91b3d682c949cd5d8279a3ea319a

  • SSDEEP

    49152:MFAPGOWtoqVbb33mZHDdh/bW7I/dx5Y6Ug6ukDHvaARtyC553NAgh51i:MFAP/cbbjAj7bW7sdrNUvyARtP55BM

Score
10/10
hawkeyelokibotxtremeratcollectionkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xtremerat

C2

josevaliasacve.sytes.net

Extracted

Family

lokibot

C2

http://cceibnkbenin.com/app/fonts/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      ace7276b6d15813bed302002d4dee55d_JaffaCakes118

    • Size

      3.5MB

    • MD5

      ace7276b6d15813bed302002d4dee55d

    • SHA1

      e59ec6b73b699d08cf7ca9fc54ff668c80208f90

    • SHA256

      c93d2fbcfa240a73280b3da49ca5cc0bcf6626aa9b6c399cf04d6409725da79f

    • SHA512

      8437857b6a3a38afc966ef00e242c2e018f0feac0ef375295ff0f938f1a7ceebb41146858854bb7620230b3a456291a8a9fe91b3d682c949cd5d8279a3ea319a

    • SSDEEP

      49152:MFAPGOWtoqVbb33mZHDdh/bW7I/dx5Y6Ug6ukDHvaARtyC553NAgh51i:MFAP/cbbjAj7bW7sdrNUvyARtP55BM

    Score
    10/10
    hawkeyelokibotxtremeratcollectionkeyloggerpersistenceratspywarestealertrojan

    • Detect XtremeRAT payload

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

      keyloggertrojanstealerspywarehawkeye

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

      persistencespywareratxtremerat

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Modifies Installed Components in the registry

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1
T1064

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

2
T1112

Scripting

1
T1064

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks