General
-
Target
JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c
-
Size
3.6MB
-
Sample
250212-b8ywzawphl
-
MD5
ec150d3ba88b06bf7ad74d250987e26c
-
SHA1
e5b846e6edc3580c1bf99323723e9119b53f7448
-
SHA256
37d94e9e2532ecd0d7eee0e485a26d75b1f4b91c1e84ab574dbf28dbd504a5df
-
SHA512
42e535390e184c50999ccc54bc70108bed07b31f92c9d8cc28014cfab553a9b1617d30178a4196ec165b98da5244c788ceaead60ac96f4f413d86bd541381528
-
SSDEEP
98304:orkPUcIN573i9UvdXVwvGmRX2maX+lPKk41LfiQgUGL041LfiQggc:orkP3ILLi9U1VwumAulPKk41LfxgUJ4u
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe
Resource
win10v2004-20250211-en
Malware Config
Targets
-
-
Target
JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c
-
Size
3.6MB
-
MD5
ec150d3ba88b06bf7ad74d250987e26c
-
SHA1
e5b846e6edc3580c1bf99323723e9119b53f7448
-
SHA256
37d94e9e2532ecd0d7eee0e485a26d75b1f4b91c1e84ab574dbf28dbd504a5df
-
SHA512
42e535390e184c50999ccc54bc70108bed07b31f92c9d8cc28014cfab553a9b1617d30178a4196ec165b98da5244c788ceaead60ac96f4f413d86bd541381528
-
SSDEEP
98304:orkPUcIN573i9UvdXVwvGmRX2maX+lPKk41LfiQgUGL041LfiQggc:orkP3ILLi9U1VwumAulPKk41LfxgUJ4u
-
Blackshades family
-
Blackshades payload
-
Modifies firewall policy service
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
Adds policy Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Browser Extensions
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
8Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1