General
- Target: caeba64e32c608801103505e9258d6a9_JaffaCakes118
- Size: 2.3MB
- Sample: 240830-qkmw5axbqq
- MD5: caeba64e32c608801103505e9258d6a9
- SHA1: cef553b1bfb02b63ebac0be6e6ba3cc8269ca874
- SHA256: 1761f7de2e6b4f406c6775556927bc7338f5b9100ebe42b4f24a528da0657e1d
- SHA512: c4ac746cb70e9eeb63e8de4b1b69da5a35e763f5177f3fd0fdd716c62409b0612e34689cf1c1813432836906a44b516c8645a55e086e5ba56e10e814c45cd75a
- SSDEEP: 49152:9Seaqq2pvFzgkewQsBbT+LenHNQ/Bfd9KrSoMjEJG376SqeAJOE4IVaZC+s:9SeaovpewZbYqNQZfdwMUwzWJL4IVaZ6
Static task
- static1

Behavioral task
- behavioral1
- Sample: Order details 20160626122950.exe
- Resource: win7-20240704-en

Behavioral task
- behavioral2
- Sample: Order details 20160626122950.exe
- Resource: win10v2004-20240802-en
Malware Config

Targets
- Target: Order details 20160626122950.exe
- Size: 2.4MB
- MD5: 589fe039b5bd931e41708b69c0f76953
- SHA1: b467a742647a2b703c0ca8afe9d7088f6dbf26dd
- SHA256: f025f44a5c3ac7030a7be24668639025ff7b14d4db019a9b5b041ccf98eaac2e
- SHA512: ce1fbaecee820f32ac60d05f0dceabcc33d743058618df1e6898eaf81558344e821812827ef3cc875e8234a3f5cf8a04d2b886c2c6407b850112f3b7abc0ef42
- SSDEEP: 49152:ItUMENJXfggCMoWBfzMH8fhNw9pZJf27QWqxmnMThUCWeoVoYA5+jCUq:ItsJPCMDfesNwfZJyqMGNeVPA5+jCr
Signatures
- Banload
  Banload variants download malicious files, then install and execute the files.
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access to, or copying of, the web browser credential store.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Modifies Windows Firewall
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely geofencing.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
MITRE ATT&CK Enterprise v15 (count of matched signatures in parentheses)

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
- Virtualization/Sandbox Evasion (1)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (3)
  - Credentials In Files (3)