49bee8c31a635acd64ea4a99568e4150932d6194dd09edb14dcc0b01992e2b6c | Triage

Sharing

General

Target

3187b6bf8b462df59bb183a31d86c97e_JaffaCakes118
Size

195KB
Sample

240709-xcvekayfml
MD5

3187b6bf8b462df59bb183a31d86c97e
SHA1

d8f5342e1aed3a75a5b678b30423372f8e063fe6
SHA256

49bee8c31a635acd64ea4a99568e4150932d6194dd09edb14dcc0b01992e2b6c
SHA512

bdb5fded754e1241f650543b0cabf5e4fadebe1df8dd3b35dc65d1d6f393068e8794ac457fa38e284a24f8b0b37befb24af6000326b13ebb09c2bdc42aa67003
SSDEEP

3072:C3MGtqXWAxCGYAGq2D8HZ8TTwtR++xb3FB3fSmkQH5xWk03KjZn:YtqmA4dD8ZsTy++xJJfSmkuJ0OZn

Score

7^/10

persistence spyware stealer

Malware Config

Targets

- Target
  
  3187b6bf8b462df59bb183a31d86c97e_JaffaCakes118
- Size
  
  195KB
- MD5
  
  3187b6bf8b462df59bb183a31d86c97e
- SHA1
  
  d8f5342e1aed3a75a5b678b30423372f8e063fe6
- SHA256
  
  49bee8c31a635acd64ea4a99568e4150932d6194dd09edb14dcc0b01992e2b6c
- SHA512
  
  bdb5fded754e1241f650543b0cabf5e4fadebe1df8dd3b35dc65d1d6f393068e8794ac457fa38e284a24f8b0b37befb24af6000326b13ebb09c2bdc42aa67003
- SSDEEP
  
  3072:C3MGtqXWAxCGYAGq2D8HZ8TTwtR++xb3FB3fSmkQH5xWk03KjZn:YtqmA4dD8ZsTy++xJJfSmkuJ0OZn
Score

7^/10

persistence spyware stealer
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials in Registry

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

persistencespywarestealer

behavioral2