General

  • Target

    49bc9d05c7563d08947c3dabce5c4a47_JaffaCakes118

  • Size

    615KB

  • Sample

    240729-qxz28a1arr

  • MD5

    49bc9d05c7563d08947c3dabce5c4a47

  • SHA1

    86cd531196666360eff5d4fefe849b397d2d9ac9

  • SHA256

    a611726fce2fb740e19f3713cd5106554ad38323e2e07754790e2863d6121d77

  • SHA512

    11cffcda69bf4ef84a8e009931d1438200bd4a75924a72e89c71d1cc8bab6bbbd2297fff883b513ca9dfffe412444e937eac4eabdea3dcb9dc43e294df076184

  • SSDEEP

    12288:qDy9NabyzH0l9c3IorCtd7OoeoQfBkMcHB1fi37EwXxs3YNVFE:qG99Hk2rw/2kMchc3owX2+nE

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    tools12345

Targets

    • Target

      Order25JUN2020.exe

    • Size

      992KB

    • MD5

      3e03ff51909c69388af076fb28211308

    • SHA1

      ac7bf8faacdcd0c4fc5f28cbf2a61ba6c723229d

    • SHA256

      e0fe96154b8014ef6a40088e32dcf4fadfceb5de67dc82c9c04d9ff70b4c0f9a

    • SHA512

      804b5028988570b1d678586d6c0e02f3a03293e299beca8746899dfce635e0d026e172597cbde6a0a46c39e4624baf7b7b324fdd0c6f32abc21be6bb2ea15d1d

    • SSDEEP

      24576:qEcQ207R0R3FurYLelLZ6M3HJzxQ2xaxhR:q5l0V0VuJL6cxQ2Y

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can recover passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks