General

  • Target

    34354adab5f2ecfc1964c4b5c9624353_JaffaCakes118

  • Size

    496KB

  • Sample

    241014-pfqa1svdmh

  • MD5

    34354adab5f2ecfc1964c4b5c9624353

  • SHA1

    0f4f20b27380c1ca5dfd1ab5793aec13268eb6b8

  • SHA256

    dcf41e4cfdb5e4aca47a4b5ebdb51dd4fe03ec718528afbb2cc12f8b82dbcef2

  • SHA512

    4a695ab2317ad73bc6a8fcc698566595e3f18a6cabebfa7d8a0fbfb02ce530acc507b2bc37f4025e2f4651014e7a3af41889dcb7182881945575868f4fb7fb34

  • SSDEEP

    12288:GIEmDz+i2xWEeWHiRI7JqF84lLf32cAzcLij:sA2xeFRI7StMjzmi

Malware Config

Targets

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks