General
-
Target
df0fe6d7fb081b96253d736e786c51b6_JaffaCakes118
-
Size
2.3MB
-
Sample
240913-217f9avbrd
-
MD5
df0fe6d7fb081b96253d736e786c51b6
-
SHA1
7ef67c73d9be58c4bd70acfd03c2ceda8b86af73
-
SHA256
92343dde0476af78ae32d87e36ef3584ce8d67b39bd23d61fb22537d05c3ed16
-
SHA512
a2b7a90716bc9bb376243027067fb1e1116ac788096a56ab2acbe12567b684eb878af7ca833224fd8dcb65d6f8e31473fde34b9737b749c8a930dfcac420a65b
-
SSDEEP
49152:F1CSwAHN1WidB8g2p4FdoxchtWhLJWhFohmagu7HS0x6CaYa0j8EvlBf:FkSwAt1tpoxcPGJtHS0XaPLEHf
Malware Config
Targets
-
-
Target
Order details 20160623085116.exe
-
Size
2.3MB
-
MD5
fd1f8a7fc1815eb2ce979de3f77903ad
-
SHA1
d3d7871f3bfea7fca9241a8a4ccc676f187092fe
-
SHA256
b4c06f502c4be88cbf721c1717fd05bcf7e73ef8b5941b781d1d3c5239705b02
-
SHA512
761935b03518eeba71448e7684f566cc675326579358e01d82bc9d0075d828220b46c44780cc540a5b64e6176e5d1db895c8d80c24a3c9d0c0b343b360cd8055
-
SSDEEP
49152:Ipgs8ABpNAcbBicSTgbDgtcBbWRzfYb/kL+agsNFCriQmew54a11FF:IGs8AvNzXgtcpEfFFC2QVbalF
Score10/10-
Banload
Banload variants download malicious files, then install and execute the files.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Modifies Windows Firewall
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Virtualization/Sandbox Evasion
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3