General
- Target: 49bc9d05c7563d08947c3dabce5c4a47_JaffaCakes118
- Size: 615KB
- Sample: 240729-qxz28a1arr
- MD5: 49bc9d05c7563d08947c3dabce5c4a47
- SHA1: 86cd531196666360eff5d4fefe849b397d2d9ac9
- SHA256: a611726fce2fb740e19f3713cd5106554ad38323e2e07754790e2863d6121d77
- SHA512: 11cffcda69bf4ef84a8e009931d1438200bd4a75924a72e89c71d1cc8bab6bbbd2297fff883b513ca9dfffe412444e937eac4eabdea3dcb9dc43e294df076184
- SSDEEP: 12288:qDy9NabyzH0l9c3IorCtd7OoeoQfBkMcHB1fi37EwXxs3YNVFE:qG99Hk2rw/2kMchc3owX2+nE
Static task: static1
Behavioral task: behavioral1
- Sample: Order25JUN2020.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: Order25JUN2020.exe
- Resource: win10v2004-20240729-en
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: tools12345
Targets
- Target: Order25JUN2020.exe
- Size: 992KB
- MD5: 3e03ff51909c69388af076fb28211308
- SHA1: ac7bf8faacdcd0c4fc5f28cbf2a61ba6c723229d
- SHA256: e0fe96154b8014ef6a40088e32dcf4fadfceb5de67dc82c9c04d9ff70b4c0f9a
- SHA512: 804b5028988570b1d678586d6c0e02f3a03293e299beca8746899dfce635e0d026e172597cbde6a0a46c39e4624baf7b7b324fdd0c6f32abc21be6bb2ea15d1d
- SSDEEP: 24576:qEcQ207R0R3FurYLelLZ6M3HJzxQ2xaxhR:q5l0V0VuJL6cxQ2Y
Signatures
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access to, or copying of, a web browser credential store.
- Detected NirSoft tools
  Free utilities, often used by attackers, that can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients.
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of SetThreadContext