General
-
Target
c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118
-
Size
4.5MB
-
Sample
240827-waltzasfjc
-
MD5
c56ba0ec71222ed7354dfaafec5cf766
-
SHA1
4922a8e60d98cb595d7e854355e9e78bb1894a61
-
SHA256
7115ea1ab97a7187b2a1bb6936fe3df44bc754ec06f70c9f880d9787e605ea60
-
SHA512
97492c5e70d7dc989e3f3a1e04a2e4afc23c5a69fbbfbb129cd2f830545fcb3bdbc5ecdb94adbb102c910d40e58564297311690a66fd945b0a497f1c02ce3d5e
-
SSDEEP
98304:Kke5WPFJWlki31xdKi+OTq9RvXODruQkckcE0VxTEJxvwPtQAfk6RwBvL0X:KWPFJob31gpeXuQkcNzVNUOHLwBj0X
Malware Config
Targets
-
-
Target
c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118
-
Size
4.5MB
-
MD5
c56ba0ec71222ed7354dfaafec5cf766
-
SHA1
4922a8e60d98cb595d7e854355e9e78bb1894a61
-
SHA256
7115ea1ab97a7187b2a1bb6936fe3df44bc754ec06f70c9f880d9787e605ea60
-
SHA512
97492c5e70d7dc989e3f3a1e04a2e4afc23c5a69fbbfbb129cd2f830545fcb3bdbc5ecdb94adbb102c910d40e58564297311690a66fd945b0a497f1c02ce3d5e
-
SSDEEP
98304:Kke5WPFJWlki31xdKi+OTq9RvXODruQkckcE0VxTEJxvwPtQAfk6RwBvL0X:KWPFJob31gpeXuQkcNzVNUOHLwBj0X
Score10/10-
Banload
Banload variants download malicious files, then install and execute the files.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Modifies Windows Firewall
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Virtualization/Sandbox Evasion
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3