General
Target: e68955f1a523d07e92763cd62bd0969a_JaffaCakes118
Size: 2.3MB
Sample: 240917-ln4ltswdpg
MD5: e68955f1a523d07e92763cd62bd0969a
SHA1: 5a08159b48fead8ddb120e83cbdcabaa7a506f8f
SHA256: a3ff31d8a37c4123f6243094e5f6dcd4fd62f65acae61a01e88a6db4b86b6262
SHA512: 3c00c1f55dd8ece02fff11838b03fdbe1c614e0e8f5dd41c9a60b2019f618e7f29856f8f2e3aaf54c262e837c718dec9eea3586730e47ad1d507f50a61b14ad2
SSDEEP: 49152:f1CSwAHN1WidB8g2p4FdoxchtWhLJWhFohmagu7HS0x6CaYa0j8EFlB6:fkSwAt1tpoxcPGJtHS0XaPLE56
Static task: static1
Behavioral task: behavioral1
  Sample: Order details 20160623085712.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: Order details 20160623085712.exe
  Resource: win10v2004-20240802-en
Malware Config
Targets
Target: Order details 20160623085712.exe
Size: 2.3MB
MD5: 54691a71a8920435efce855786f07173
SHA1: 68d3c8f6ded0d63375f98cf38fda97a095ce704f
SHA256: 5e289ad1f5c7d78cbe729e4ba1ccf31deaa6db940e8f3c3c8d8d339fba873209
SHA512: 9c85656ac38ef0506cacfdbcdab1e5d5329b2d900e97de4f3e926da537e388150d0a7f250d1d88d63ce21830aa8780dea7b79fe22fcae7a557e21972aa61eaa6
SSDEEP: 49152:Ipgs8ABpNAcbBicSTgbDgtcBbWRzfYb/kL+agsNFCriQmew54an1Fm:IGs8AvNzXgtcpEfFFC2QVbanm
- Banload
  Banload variants download malicious files, then install and execute them.
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access to, or copying of, a web browser credential store.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Modifies Windows Firewall
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandbox environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
- Virtualization/Sandbox Evasion (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (3)
  - Credentials In Files (3)