General

  • Target

    f1bb608fc3469071c9e53176a8ed4b1c_JaffaCakes118

  • Size

    4.7MB

  • Sample

    240922-lcqktssdrf

  • MD5

    f1bb608fc3469071c9e53176a8ed4b1c

  • SHA1

    ce2566f17c0122c98aeb641cee58be6aa1713bf9

  • SHA256

    954f8c802c2dff2bcd7712c2a7a89b1f566eb76d347a7f9cb3b4a2a21832dd45

  • SHA512

    d2c848e16bb5654a429918bf2ac3f4703beed3593e53be2b1e0b397fe8a1772245ff7dce7faedb9d23fe8d84d152f1aa91dcfcf5f8fd9323d7f8a9683608cf04

  • SSDEEP

    98304:Hziv6BKfqznyVk+y4LxwpYizyk1VuXNR2lD9tDoe1NGdWrzrzmYrK:mv6B7VYDk1VuTm9xoe+on

Malware Config

Targets

    • Target

      f1bb608fc3469071c9e53176a8ed4b1c_JaffaCakes118

    • Size

      4.7MB

    • MD5

      f1bb608fc3469071c9e53176a8ed4b1c

    • SHA1

      ce2566f17c0122c98aeb641cee58be6aa1713bf9

    • SHA256

      954f8c802c2dff2bcd7712c2a7a89b1f566eb76d347a7f9cb3b4a2a21832dd45

    • SHA512

      d2c848e16bb5654a429918bf2ac3f4703beed3593e53be2b1e0b397fe8a1772245ff7dce7faedb9d23fe8d84d152f1aa91dcfcf5f8fd9323d7f8a9683608cf04

    • SSDEEP

      98304:Hziv6BKfqznyVk+y4LxwpYizyk1VuXNR2lD9tDoe1NGdWrzrzmYrK:mv6B7VYDk1VuTm9xoe+on

    • Taurus Stealer

      Taurus is an infostealer first seen in June 2020.

    • Taurus Stealer payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks