General

  • Target

    ed039c91cbd802016c0052cfb7c7479a_JaffaCakes118

  • Size

    537KB

  • Sample

    240920-g7mefatbkl

  • MD5

    ed039c91cbd802016c0052cfb7c7479a

  • SHA1

    f6b0be96bc72960edac79c3d19202ead6741ea35

  • SHA256

    0dd4d407bbb948208a776f1254584bac0ae01fb724cfb7c44b5e46c8496be2ff

  • SHA512

    a79fcb9de2e4a8abc599a26f7644ac7f3c221732d722617d3f02272b42143b24d1eeb553bed5b2644e2aa6968636b1b21ae82a5435934edaa1d51ee50a86ac17

  • SSDEEP

    12288:Q77P4DWh9VWaOP6ExsZzKITASpLpQWBtD:Q778WRTMTsZLE0m
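Added example, not part of the Triage report: a small Python fingerprinter that produces the same digest set as the General section for a file on disk and walks the PE section table, since the "UPX packed file" signature further down rests on the UPX0/UPX1 section names. The section-entropy heuristic for renamed-section builds is an assumption here, not Triage's rule, and the PE bytes the block runs on are constructed inline rather than being the sample itself; point `analyze()` at the real file to compare against the hashes above.

```python
import hashlib
import math
import struct
from collections import Counter

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def fingerprint(data: bytes) -> dict:
    """Digest set as listed under General (SSDEEP needs the ssdeep library, so it is left out)."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; 8.0 is the maximum and is typical of compressed or encrypted data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def pe_sections(data: bytes) -> list:
    """Minimal section-table walk: MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> IMAGE_SECTION_HEADERs."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size
    sections = []
    for i in range(num_sections):
        hdr = data[table + 40 * i:table + 40 * (i + 1)]
        if len(hdr) < 40:
            raise ValueError("truncated section table")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", hdr, 8)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": hdr[:8].rstrip(b"\0"), "virtual_size": vsize,
                         "virtual_address": vaddr, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return sections


def looks_upx_packed(sections: list) -> bool:
    """UPX names its sections UPX0/UPX1; as a heuristic (assumption, not Triage's rule) also
    flag a virtual-only first section followed by a near-maximal-entropy one, which is what
    UPX leaves behind when the section names have been edited."""
    if {s["name"] for s in sections} & UPX_SECTION_NAMES:
        return True
    if len(sections) >= 2:
        return sections[0]["raw_size"] == 0 and sections[1]["entropy"] >= 7.0
    return False


def analyze(data: bytes) -> dict:
    report = fingerprint(data)
    report["sections"] = pe_sections(data)
    report["upx_packed"] = looks_upx_packed(report["sections"])
    return report


def build_constructed_pe(packed: bool = True) -> bytes:
    """Constructed stand-in PE (not the report's sample): a DOS stub, a PE/COFF header with a
    zeroed optional header, and three sections laid out the way UPX emits them (or plainly)."""
    def section(name, vsize, vaddr, raw_size, raw_ptr):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, raw_size, raw_ptr,
                                                   0, 0, 0, 0, 0x60000020)
    pe_off, opt_size, data_off = 0x40, 224, 0x400
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, opt_size, 0x0102)
    # Maximal-entropy bytes stand in for a compressed image; repetitive prologue bytes for plain code.
    body = bytes(range(256)) if packed else b"\x55\x8b\xec" * 85 + b"\xc3"
    rsrc = b"A" * 16
    if packed:
        table = (section(b"UPX0", 0x10000, 0x1000, 0, data_off)
                 + section(b"UPX1", 0x8000, 0x11000, len(body), data_off)
                 + section(b".rsrc", 0x1000, 0x19000, len(rsrc), data_off + len(body)))
    else:
        table = (section(b".text", len(body), 0x1000, len(body), data_off)
                 + section(b".data", 0x100, 0x2000, 0, 0)
                 + section(b".rsrc", 0x1000, 0x3000, len(rsrc), data_off + len(body)))
    head = dos + coff + b"\0" * opt_size + table
    return head + b"\0" * (data_off - len(head)) + body + rsrc


if __name__ == "__main__":
    for packed in (True, False):
        r = analyze(build_constructed_pe(packed))
        print(r["sha256"], r["upx_packed"], [(s["name"], s["entropy"]) for s in r["sections"]])
```

On a real sample `analyze(open(path, "rb").read())["sha256"]` should equal the SHA256 above before any of the behavioural findings are trusted; a mismatch usually means a different build of the same family, and the section listing then tells you whether the difference is just repacking.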

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    QGDOUOSDWX
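Added example, not sandbox output: the extracted SMTP settings are the keylogger's exfiltration channel, so they convert directly into a hunt over endpoint network telemetry. The Python below parses the Key:/value layout used above (only Protocol, Host and Port are reproduced; the Username line is obfuscated on the page and the password is not needed for detection) and then scans constructed records shaped like Sysmon Event ID 3. The allow-list of processes that may legitimately submit mail is an assumption for illustration.

```python
# Transport fields as shown in the Malware Config section (credentials deliberately omitted).
EXTRACTED_CONFIG_TEXT = """
Protocol:
smtp
Host:
smtp.gmail.com
Port:
587
"""

SMTP_PORTS = {25, 465, 587}
# Assumption for illustration: processes on this estate that legitimately submit mail.
EXPECTED_SMTP_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def parse_extracted_config(text: str) -> dict:
    """Read the 'Key:' / value line pairs the way the report lays them out."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("dangling key without a value")
    cfg = {}
    for key, value in zip(lines[0::2], lines[1::2]):
        if not key.endswith(":"):
            raise ValueError(f"expected a key line, got {key!r}")
        cfg[key[:-1].strip().lower()] = value
    if "port" in cfg:
        cfg["port"] = int(cfg["port"])
    return cfg


def exfil_alerts(cfg: dict, events: list, expected_clients=EXPECTED_SMTP_CLIENTS) -> list:
    """Flag connections to the extracted SMTP endpoint, plus any other SMTP submission from a
    process that has no business sending mail. HawkEye runs inside an injected host process,
    so the connecting image is not the dropper's own name and must not be the only key."""
    host, port = cfg["host"].lower(), cfg["port"]
    alerts = []
    for ev in events:
        proc = ev["Image"].rsplit("\\", 1)[-1].lower()
        if proc in expected_clients:
            continue
        if ev["DestinationHostname"].lower() == host and ev["DestinationPort"] == port:
            alerts.append((ev["UtcTime"], proc, "exact match on extracted SMTP exfil config"))
        elif ev["DestinationPort"] in SMTP_PORTS:
            alerts.append((ev["UtcTime"], proc, "SMTP submission from a non-mail process"))
    return alerts


# Constructed telemetry in Sysmon Event ID 3 shape (not from the sandbox run).
CONSTRUCTED_EVENTS = [
    {"UtcTime": "2024-09-20 06:01:12",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "DestinationHostname": "smtp.gmail.com", "DestinationPort": 587},
    {"UtcTime": "2024-09-20 06:01:20",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationHostname": "smtp.gmail.com", "DestinationPort": 587},
    {"UtcTime": "2024-09-20 06:02:05",
     "Image": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "DestinationHostname": "mail.example.net", "DestinationPort": 25},
    {"UtcTime": "2024-09-20 06:02:30",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in exfil_alerts(parse_extracted_config(EXTRACTED_CONFIG_TEXT), CONSTRUCTED_EVENTS):
        print(*alert)
```

The exact-match rule is the high-confidence one; the generic SMTP rule will be noisier on estates with scripted mailers, which is why the allow-list is a parameter rather than hard-coded. Note that the extracted credential itself is a working Gmail login: it belongs in the incident record for takedown or abuse reporting, not in a detection rule.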

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • UAC bypass

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Detected Nirsoft tools

      Free NirSoft utilities, frequently abused by attackers, that can recover passwords, product keys and other stored secrets.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX build.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
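Added example, not Triage's own signature logic: several of the behaviours above map onto Sysmon telemetry, and the Python below expresses them as rules over constructed Sysmon-shaped events (Event ID 11 FileCreate, 13 RegistryValueSet, 1 ProcessCreate). "Uses the VBS compiler for execution" is read here as a launch of vbc.exe, the .NET Visual Basic compiler, which together with SetThreadContext is the usual hollowing-host pattern; SetThreadContext itself is not visible to Sysmon, so the rule keys on vbc.exe being started by something other than a build tool. The parent allow-list, file paths and registry SID are assumptions.

```python
import re

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Assumption: parents that legitimately invoke the VB.NET compiler on a workstation.
VBC_EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe", "csc.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Return (signature, actor, evidence) tuples for the behaviours listed in the report."""
    findings = []
    dropped = set()  # executables written earlier in the same trace
    for ev in events:
        eid = ev["EventID"]
        if eid == 11 and ev["TargetFilename"].lower().endswith(".exe"):
            dropped.add(ev["TargetFilename"].lower())
        elif eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            findings.append(("Adds Run key to start application", basename(ev["Image"]),
                             ev["TargetObject"]))
        elif eid == 1:
            img, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            cmd = ev["CommandLine"].lower()
            if ev["Image"].lower() in dropped:
                findings.append(("Executes dropped EXE", parent, ev["Image"]))
            # Compiler started by a non-build process (the typical hollowing host).
            if img == "vbc.exe" and parent not in VBC_EXPECTED_PARENTS:
                findings.append(("Uses the VBS compiler for execution", parent, ev["CommandLine"]))
            # cmd.exe child whose command line deletes the parent's own image.
            if img == "cmd.exe" and " del " in cmd and ev["ParentImage"].lower() in cmd:
                findings.append(("Deletes itself", parent, ev["CommandLine"]))
    return findings


# Constructed trace (paths and SID are illustrative, not from the sandbox run).
SAMPLE = r"C:\Users\victim\Downloads\ed039c91cbd802016c0052cfb7c7479a_JaffaCakes118.exe"
DROPPED = r"C:\Users\victim\AppData\Local\Temp\update.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

CONSTRUCTED_EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventID": 1, "Image": DROPPED, "ParentImage": SAMPLE, "CommandLine": f'"{DROPPED}"'},
    # A compiler launched with no source file to compile is the tell for hollowing.
    {"EventID": 1, "Image": VBC, "ParentImage": DROPPED, "CommandLine": f'"{VBC}"'},
    {"EventID": 13, "Image": DROPPED,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "Details": DROPPED},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": f'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del "{SAMPLE}"'},
    # Benign control: the same compiler invoked by MSBuild with a response file.
    {"EventID": 1, "Image": VBC, "ParentImage": MSBUILD,
     "CommandLine": f'"{VBC}" /noconfig @C:\\build\\app.rsp'},
]

if __name__ == "__main__":
    for sig, actor, evidence in detect(CONSTRUCTED_EVENTS):
        print(f"{sig:40} {actor:20} {evidence}")
```

Run against a real Sysmon export the rules are only as good as the trace: "Executes dropped EXE" depends on the FileCreate event preceding the ProcessCreate, and the self-delete rule will miss variants that delete through a script or a delayed scheduled task rather than an inline `del`.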

MITRE ATT&CK Enterprise v15