100c7b494c1aa4afd5261e148f7a4fa7580098e074bbd81b9718fa07e80a34ab | Triage

Sharing

General

Target

35cf92f81285945ec23c2a4ce9f398ed_JaffaCakes118
Size

193KB
Sample

240710-wpl4aavarf
MD5

35cf92f81285945ec23c2a4ce9f398ed
SHA1

27a56f05f99c023bdd85aae7c5cb8f7c81562356
SHA256

100c7b494c1aa4afd5261e148f7a4fa7580098e074bbd81b9718fa07e80a34ab
SHA512

b85be69650a813b5510c68f9e3cf544463950c98423548f7ea2ece0353142a2f2cc0441913c6296c653a42de7142fc93fe362ddc318a67de757335d2a5caedf8
SSDEEP

3072:hUnLIj3Bo0UjQawEnDLMcpX8yRIt2XkiE98fQnGYaSq7mtkUJdMkPkgm7Wt:hOLIjRpUMOD4cBiQzEyfaBFVVD46

Score

7^/10

persistence spyware stealer

Malware Config

Targets

- Target
  
  35cf92f81285945ec23c2a4ce9f398ed_JaffaCakes118
- Size
  
  193KB
- MD5
  
  35cf92f81285945ec23c2a4ce9f398ed
- SHA1
  
  27a56f05f99c023bdd85aae7c5cb8f7c81562356
- SHA256
  
  100c7b494c1aa4afd5261e148f7a4fa7580098e074bbd81b9718fa07e80a34ab
- SHA512
  
  b85be69650a813b5510c68f9e3cf544463950c98423548f7ea2ece0353142a2f2cc0441913c6296c653a42de7142fc93fe362ddc318a67de757335d2a5caedf8
- SSDEEP
  
  3072:hUnLIj3Bo0UjQawEnDLMcpX8yRIt2XkiE98fQnGYaSq7mtkUJdMkPkgm7Wt:hOLIjRpUMOD4cBiQzEyfaBFVVD46
Score

7^/10

persistence spyware stealer
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials in Registry

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

persistencespywarestealer

behavioral2