General
-
Target
158d07c37f56412ce5f16891448e7b65_JaffaCakes118
-
Size
913KB
-
Sample
241005-ba8crawdjn
-
MD5
158d07c37f56412ce5f16891448e7b65
-
SHA1
87df1f1b527f28875ca1590543ca51ae12797b3a
-
SHA256
385f5ca91b0a230a14f5d32c79d061a3af0f5533923ad62e1982d1327ed086a4
-
SHA512
1929152e647609b9eb5cbba588163cf48388e7c3e3493d2c16038eed4b35465bd9842afa166cf73d4d6bfefe3590be622c81f55e164ca08d4f1a3d6e618e5de5
-
SSDEEP
24576:kPp9AR95SkXpgex+Bp+MN7N2y90rgF1oeQo:kPpKRSk7xup+kN21gFR
Malware Config
Extracted
xloader
2.3
b6cu
votreconseilfinancier.com
wholesaleplay.com
komfy.store
hsyunfan.com
tournamenttips.com
yourbusine.xyz
wrg-referrals.com
harmless-oily.com
whizdomtowealth.com
xusmods.com
cleanerstoday.com
finopscert.com
paerexpress.com
kankb.com
res-o.info
balonpantolon.com
freedownloadbiz.info
jeffegriffin.com
gobahis119.com
ourcalvinsarm.com
Targets
-
-
Target
158d07c37f56412ce5f16891448e7b65_JaffaCakes118
-
Size
913KB
-
MD5
158d07c37f56412ce5f16891448e7b65
-
SHA1
87df1f1b527f28875ca1590543ca51ae12797b3a
-
SHA256
385f5ca91b0a230a14f5d32c79d061a3af0f5533923ad62e1982d1327ed086a4
-
SHA512
1929152e647609b9eb5cbba588163cf48388e7c3e3493d2c16038eed4b35465bd9842afa166cf73d4d6bfefe3590be622c81f55e164ca08d4f1a3d6e618e5de5
-
SSDEEP
24576:kPp9AR95SkXpgex+Bp+MN7N2y90rgF1oeQo:kPpKRSk7xup+kN21gFR
Score10/10-
Detect Neshta payload
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Looks for VirtualBox Guest Additions in registry
-
Xloader payload
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
1Change Default File Association
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
1Change Default File Association
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1