b5c72c6e9e8d3477dbd97fee514348dc61cc9aad832d33dacb52f1fc86c48768 | Triage

Sharing

General

Target

b0bcf19827ffbdf58347f12878707bff_JaffaCakes118
Size

342KB
Sample

241129-mtqgts1lhv
MD5

b0bcf19827ffbdf58347f12878707bff
SHA1

1113438386f4d9049e6678bd176fd6c7119658f3
SHA256

b5c72c6e9e8d3477dbd97fee514348dc61cc9aad832d33dacb52f1fc86c48768
SHA512

c53c1489f62f6ecd11ea66318760da618fdb4d6c972dbc98347e35de30885955c36a031d6ddf0c6e39de6567c85f65b46299bbee30a81bae0810396bd80e88ec
SSDEEP

6144:J/x73bXTzTvxGz6bnIKoYVCxeVnDYPrcDhMrCPaiUjasX:9v+YVCc+aMuRsX

Score

10^/10

credential_access evasion persistence spyware stealer

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.drivehq.com
Port:
21
Username:
username

Targets

- Target
  
  b0bcf19827ffbdf58347f12878707bff_JaffaCakes118
- Size
  
  342KB
- MD5
  
  b0bcf19827ffbdf58347f12878707bff
- SHA1
  
  1113438386f4d9049e6678bd176fd6c7119658f3
- SHA256
  
  b5c72c6e9e8d3477dbd97fee514348dc61cc9aad832d33dacb52f1fc86c48768
- SHA512
  
  c53c1489f62f6ecd11ea66318760da618fdb4d6c972dbc98347e35de30885955c36a031d6ddf0c6e39de6567c85f65b46299bbee30a81bae0810396bd80e88ec
- SSDEEP
  
  6144:J/x73bXTzTvxGz6bnIKoYVCxeVnDYPrcDhMrCPaiUjasX:9v+YVCc+aMuRsX
Score

10^/10

credential_access evasion persistence spyware stealer
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Deletes itself
- Executes dropped EXE
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

credential_accessevasionpersistencespywarestealer

behavioral2

credential_accessevasionpersistencespywarestealer