General

  • Target

    c44e6d079cd330004ea0c04433cf40b5_JaffaCakes118

  • Size

    927KB

  • Sample

    240827-eevt1a1flh

  • MD5

    c44e6d079cd330004ea0c04433cf40b5

  • SHA1

    6fec949d132ed7dec67d62ec29914107411ecff8

  • SHA256

    7c776d7d4daa251c4a40fb3365645eefd53d4e35fcae7cff8f69b6b68910eae8

  • SHA512

    ab1c26ac4040d6e60f889d92cd5996809d8061ed3b22dbe0724794f677d672f9896612b4c167a39bd20085e9e274b026f6cf7bbc2620ecb45170230ea97e2ac7

  • SSDEEP

    12288:RcWkKnT0xjSrqLSAsBiiMpQqY4uAqPKlwUoySwLIR2akcKJZiJb:SawjSjAsuGzcwUKv24

Malware Config

Targets

    • Target

      c44e6d079cd330004ea0c04433cf40b5_JaffaCakes118

    • Size

      927KB

    • MD5

      c44e6d079cd330004ea0c04433cf40b5

    • SHA1

      6fec949d132ed7dec67d62ec29914107411ecff8

    • SHA256

      7c776d7d4daa251c4a40fb3365645eefd53d4e35fcae7cff8f69b6b68910eae8

    • SHA512

      ab1c26ac4040d6e60f889d92cd5996809d8061ed3b22dbe0724794f677d672f9896612b4c167a39bd20085e9e274b026f6cf7bbc2620ecb45170230ea97e2ac7

    • SSDEEP

      12288:RcWkKnT0xjSrqLSAsBiiMpQqY4uAqPKlwUoySwLIR2akcKJZiJb:SawjSjAsuGzcwUKv24

    • Taurus Stealer

      Taurus is an infostealer first seen in June 2020.

    • Taurus Stealer payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Deletes itself

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks