Extracted

Extracted

• • Target

    ace7276b6d15813bed302002d4dee55d_JaffaCakes118

  • Size

    3.5MB

  • MD5

    ace7276b6d15813bed302002d4dee55d

  • SHA1

    e59ec6b73b699d08cf7ca9fc54ff668c80208f90

  • SHA256

    c93d2fbcfa240a73280b3da49ca5cc0bcf6626aa9b6c399cf04d6409725da79f

  • SHA512

    8437857b6a3a38afc966ef00e242c2e018f0feac0ef375295ff0f938f1a7ceebb41146858854bb7620230b3a456291a8a9fe91b3d682c949cd5d8279a3ea319a

  • SSDEEP

    49152:MFAPGOWtoqVbb33mZHDdh/bW7I/dx5Y6Ug6ukDHvaARtyC553NAgh51i:MFAP/cbbjAj7bW7sdrNUvyARtP55BM

  Score

  10^/10

  hawkeyelokibotxtremeratcollectionkeyloggerpersistenceratspywarestealertrojan

  • Detect XtremeRAT payload

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot

  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Nirsoft

  • Modifies Installed Components in the registry

    persistence

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Uses the VBS compiler for execution

  • Accesses Microsoft Outlook accounts

    collection

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2