General

  • Target

    JaffaCakes118_ff782b59442e156d78bef67b80b90efa

  • Size

    1.7MB

  • Sample

    250216-e56dessmbn

  • MD5

    ff782b59442e156d78bef67b80b90efa

  • SHA1

    316c5eb33272afee07fe25ab8958de1d381d6380

  • SHA256

    83425ccfaa33acfceb809ee0913b1d9c974f7bb8acc961ac771fdbf07891cfa4

  • SHA512

    04937955567e169e97bc809cf88463a8c55b3ed70f7635050b2ce3e5baba4cfd7855e38bf84263cd2c74b8bc3442ff3c44b22faffc15b4f7d55dad831c10f06a

  • SSDEEP

    49152:UiNFSTDoGAcq489t9vk035ozlFe/Kk+LSHLx7TNyuA:vUm4u5k03mnOxxPdA

Malware Config

Targets

    • Target

      JaffaCakes118_ff782b59442e156d78bef67b80b90efa

    • Size

      1.7MB

    • MD5

      ff782b59442e156d78bef67b80b90efa

    • SHA1

      316c5eb33272afee07fe25ab8958de1d381d6380

    • SHA256

      83425ccfaa33acfceb809ee0913b1d9c974f7bb8acc961ac771fdbf07891cfa4

    • SHA512

      04937955567e169e97bc809cf88463a8c55b3ed70f7635050b2ce3e5baba4cfd7855e38bf84263cd2c74b8bc3442ff3c44b22faffc15b4f7d55dad831c10f06a

    • SSDEEP

      49152:UiNFSTDoGAcq489t9vk035ozlFe/Kk+LSHLx7TNyuA:vUm4u5k03mnOxxPdA

    • Blackshades

      Blackshades is a remote access trojan with various capabilities.

    • Blackshades family

    • Blackshades payload

    • Modifies firewall policy service

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks