General

  • Target

    JaffaCakes118_1c26c3f227035b7b7936c7872a5fc531

  • Size

    221KB

  • Sample

    250704-n1sffasn14

  • MD5

    1c26c3f227035b7b7936c7872a5fc531

  • SHA1

    e99184364502172400a696f2041e13ebba69ba0f

  • SHA256

    c5693f93fd4733cc020bdabfc8505e06a39f6f0ca3c316ef64d988ccefe0ff8c

  • SHA512

    f35c3c02d314ec3a54634953c179572272306be2b5847240cb7b0c972072846972495a53955fbf5a28e4a1010836bbd80cded7b241b38cb2cd9f0f2ee750500a

  • SSDEEP

    3072:YsXRmUIMitiMQose27vc+Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwRmRV:ZR5IuMQoseGk7RZBGxAycKpSPX2o

Malware Config

Targets

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16

Tasks