General

  • Target

    b1fde53efb77c5feefe3aec21a517997_JaffaCakes118

  • Size

    747KB

  • Sample

    240821-ecdgyaycrg

  • MD5

    b1fde53efb77c5feefe3aec21a517997

  • SHA1

    2ed24d838e52709347928299a429b82ac98dadde

  • SHA256

    bbe8e9d853a8605dfc5eb7054b28c05fdece4e8378b59ec70a469d31145c6af5

  • SHA512

    84cbb42ed4aacbc5a674e5c1ad3dbf59fb1c10e70c7904d96e22428ae1bc7df256aa6a2331add625f2c9680506a0786d075711e1e4c8739831000595af31a5ef

  • SSDEEP

    12288:QRi8r7Yz4td/zbYPqdGnTSolJYlNj0EC9iPF+7dJMitxcV:QRi8rM8dfYPqdGnTn/4TiCF+7bMivcV

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    killrecycler.do.am
  • Port:
    21
  • Username:
    8killrecycler
  • Password:
    43uyu_54y

Targets

    • Target

      b1fde53efb77c5feefe3aec21a517997_JaffaCakes118

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15
