a0f0f69231b1fbd0895c7065fccb6debeedd54fcbe512ffc7a0eee4d191f338f | Triage

Sharing

General

Target

66c90d73705f5d63a6db439e98d4b278_JaffaCakes118
Size

144KB
Sample

240729-3bkrmazgje
MD5

66c90d73705f5d63a6db439e98d4b278
SHA1

20e8768a69d2ae70fcee36d8c8a06ff668163635
SHA256

a0f0f69231b1fbd0895c7065fccb6debeedd54fcbe512ffc7a0eee4d191f338f
SHA512

89a2f0b15faef71c93f1aac37b6d5cbb6f77b25a4bb46cf99844fcb331a3e4948777b70bbddb76b67da50e0856ef9675a7f69dbff616a4c3eb7f70d6c032788e
SSDEEP

1536:wbq7elsRRQIFFdpkll9i9Y92MDnU8jji:mq7qsnFaVEaFi

Score

7^/10

discovery persistence spyware stealer

Malware Config

Targets

- Target
  
  66c90d73705f5d63a6db439e98d4b278_JaffaCakes118
- Size
  
  144KB
- MD5
  
  66c90d73705f5d63a6db439e98d4b278
- SHA1
  
  20e8768a69d2ae70fcee36d8c8a06ff668163635
- SHA256
  
  a0f0f69231b1fbd0895c7065fccb6debeedd54fcbe512ffc7a0eee4d191f338f
- SHA512
  
  89a2f0b15faef71c93f1aac37b6d5cbb6f77b25a4bb46cf99844fcb331a3e4948777b70bbddb76b67da50e0856ef9675a7f69dbff616a4c3eb7f70d6c032788e
- SSDEEP
  
  1536:wbq7elsRRQIFFdpkll9i9Y92MDnU8jji:mq7qsnFaVEaFi
Score

7^/10

discovery persistence spyware stealer
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials in Registry

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistencespywarestealer

behavioral2