General
-
Target
9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118
-
Size
1.9MB
-
Sample
240816-lkwf2sxdpa
-
MD5
9dd6a382a4b8e3295ed977f1cc176c0a
-
SHA1
cd990deea4530f113c617b9cda0eeea7ada9170e
-
SHA256
7910fea09618fde1ba6c2e3ea088de50109e685d20ae1c08df2f8b530fddd964
-
SHA512
a9181c76e87101bedff793689df0d60d89e49469b0b6f768961f0185bbda82d78837db236a2a8bf9585252ee467d2081ce02769662b57d6b3386836550d5e7dc
-
SSDEEP
24576:zRgV9lX4ePztJzKe4QTnExJrP6+RtCFKOqRuGmjpMg8R5w+cTll8add1Lj6vull+:zR6bbJR7OyKiKO0VaqgY5w+eTZ3Ejmr6
Malware Config
Extracted
wshrat
http://blackhillls.ddns.net:1334
Targets
-
-
Target
9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118
-
Size
1.9MB
-
MD5
9dd6a382a4b8e3295ed977f1cc176c0a
-
SHA1
cd990deea4530f113c617b9cda0eeea7ada9170e
-
SHA256
7910fea09618fde1ba6c2e3ea088de50109e685d20ae1c08df2f8b530fddd964
-
SHA512
a9181c76e87101bedff793689df0d60d89e49469b0b6f768961f0185bbda82d78837db236a2a8bf9585252ee467d2081ce02769662b57d6b3386836550d5e7dc
-
SSDEEP
24576:zRgV9lX4ePztJzKe4QTnExJrP6+RtCFKOqRuGmjpMg8R5w+cTll8add1Lj6vull+:zR6bbJR7OyKiKO0VaqgY5w+eTZ3Ejmr6
Score10/10-
Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
-
Matiex Main payload
-
PredatorStealer
Predator is a modular stealer written in C#.
-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
WSHRAT payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3