Extracted

• • Target

    dde58b9dd400d67ac495756fc62e8ca2_JaffaCakes118

  • Size

    168KB

  • MD5

    dde58b9dd400d67ac495756fc62e8ca2

  • SHA1

    eec6c37a84ab65dd52e8cab2674bd965ab2cc989

  • SHA256

    18b65c8849ee072c142102c0064301a1d7c0fb79bb5cc52dc8d0cbf1433034c3

  • SHA512

    b031fa0b7267d965e6ff9d1cd02160b7a351a4de5ac872b6eb8fa630142f898cd3b21950db596dca9e37eafde3257757c17164cdc25d6e62d969d4f925845321

  • SSDEEP

    3072:TXDKfncjzOPACBs+n9POd9FKMtmQrKl0srCZ4+MohKJErKJnsaR:TS0Ks+nstmeOE4p4K5

  Score

  10^/10

  credential_accessdiscoverypersistencespywarestealer

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2