Extracted

• • Target

    9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118

  • Size

    1.9MB

  • MD5

    9dd6a382a4b8e3295ed977f1cc176c0a

  • SHA1

    cd990deea4530f113c617b9cda0eeea7ada9170e

  • SHA256

    7910fea09618fde1ba6c2e3ea088de50109e685d20ae1c08df2f8b530fddd964

  • SHA512

    a9181c76e87101bedff793689df0d60d89e49469b0b6f768961f0185bbda82d78837db236a2a8bf9585252ee467d2081ce02769662b57d6b3386836550d5e7dc

  • SSDEEP

    24576:zRgV9lX4ePztJzKe4QTnExJrP6+RtCFKOqRuGmjpMg8R5w+cTll8add1Lj6vull+:zR6bbJR7OyKiKO0VaqgY5w+eTZ3Ejmr6

  Score

  10^/10

  matiexpredatorstealerwshratcollectioncredential_accessdiscoveryexecutionkeyloggerpersistencespywarestealertrojanupx

  • Matiex

    Matiex is a keylogger and infostealer first seen in July 2020.

    stealerkeyloggermatiex

  • Matiex Main payload

  • PredatorStealer

    Predator is a modular stealer written in C#.

    stealerpredatorstealer

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • WSHRAT payload

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2