General

  • Target

    84c300482eb9f553b70f828b382a8c11_JaffaCakes118

  • Size

    7.0MB

  • Sample

    241102-dfswcszlhl

  • MD5

    84c300482eb9f553b70f828b382a8c11

  • SHA1

    a811ddf079f520f450cb9c6d18b03acdbc01087e

  • SHA256

    02c5443aa1c91d0ef0a98ac6fb430f9c8b506a8fcf4f267cb7ef14599965c8f7

  • SHA512

    e8d811a71a42fdf0bc4bf7075dc36eba1c5ccbf585c6291b1eb9e6a1a8e837959cf397975492e90d58ce3bc36760dec7a1ca27efdbe41178d29b33d0ea821762

  • SSDEEP

    196608:Ie9FwNiOTh3MZTTrULbXV2xs5H1sAyy9cdz0rwzhUKHPD8:hUiO2lUfVAwVsveKVzhUKv

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.drivehq.com
  • Port:
    21
  • Username:
    voluminousk

Targets

    • Target

      84c300482eb9f553b70f828b382a8c11_JaffaCakes118

    • Size

      7.0MB

    • MD5

      84c300482eb9f553b70f828b382a8c11

    • SHA1

      a811ddf079f520f450cb9c6d18b03acdbc01087e

    • SHA256

      02c5443aa1c91d0ef0a98ac6fb430f9c8b506a8fcf4f267cb7ef14599965c8f7

    • SHA512

      e8d811a71a42fdf0bc4bf7075dc36eba1c5ccbf585c6291b1eb9e6a1a8e837959cf397975492e90d58ce3bc36760dec7a1ca27efdbe41178d29b33d0ea821762

    • SSDEEP

      196608:Ie9FwNiOTh3MZTTrULbXV2xs5H1sAyy9cdz0rwzhUKHPD8:hUiO2lUfVAwVsveKVzhUKv

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks