General
-
Target
91d00c164f45e9e6bafc44817d84be8d_JaffaCakes118
-
Size
3.0MB
-
Sample
240603-pt5ymaef8y
-
MD5
91d00c164f45e9e6bafc44817d84be8d
-
SHA1
40ede9a7accfda3764f41682315586a95dd75e8c
-
SHA256
0530d87218253d7f3ddcaf0444dbcaa7b5e2e20be4c0b392e336d2646007bcf4
-
SHA512
166d55b050ad9d638ccfd38a41bf4e0ad057ff1b2c9485886f1a032f832e26837697c1f66a94e48d97cdb2bb4ecec70f2afba436ecc47cfc12d33e2d3aa4dc76
-
SSDEEP
49152:yoTYFyxIT4/TKXCEGScWZu33UdgIXfp2wSZIWbTpUfL1UU6RogdGcR+Ty/slY1Re:RInTkTKyEGS7U33A1fMFTbTpUz1UaJG2
Malware Config
Targets
-
-
Target
91d00c164f45e9e6bafc44817d84be8d_JaffaCakes118
-
Size
3.0MB
-
MD5
91d00c164f45e9e6bafc44817d84be8d
-
SHA1
40ede9a7accfda3764f41682315586a95dd75e8c
-
SHA256
0530d87218253d7f3ddcaf0444dbcaa7b5e2e20be4c0b392e336d2646007bcf4
-
SHA512
166d55b050ad9d638ccfd38a41bf4e0ad057ff1b2c9485886f1a032f832e26837697c1f66a94e48d97cdb2bb4ecec70f2afba436ecc47cfc12d33e2d3aa4dc76
-
SSDEEP
49152:yoTYFyxIT4/TKXCEGScWZu33UdgIXfp2wSZIWbTpUfL1UU6RogdGcR+Ty/slY1Re:RInTkTKyEGS7U33A1fMFTbTpUz1UaJG2
Score10/10-
Taurus Stealer
Taurus is an infostealer first seen in June 2020.
-
Taurus Stealer payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-