Resubmissions

31-12-2023 09:11

231231-k5vvksadc3 6

29-12-2023 08:53

231229-ktts5sgbh8 10

General

  • Target

    AnyDesk.exe

  • Size

    5.3MB

  • Sample

    231229-ktts5sgbh8

  • MD5

    75eecc3a8b215c465f541643e9c4f484

  • SHA1

    3ad1f800b63640128bfdcc8dbee909554465ee11

  • SHA256

    ec33d8ee9c3881b8fcea18f9f862d5926d994553aec1b65081d925afd3e8b028

  • SHA512

    b3a48230fc6f20038c938e5295b68a3f020b94e220ca2fab6a894d126dc41f6f1021c239613bf9d6de84370ad7df9d9a91baf716a87d43eb101ee3e48578e5ff

  • SSDEEP

    98304:j5ObAu2pmits24nYhQCWQdaQQo/mJPv4KYZPKBhYI5RuN4OL2wIjcsJWNg3:IAnRu24nR5QcTvYdmPuWOL2TcQWe3

Malware Config

Targets

    • Target

      AnyDesk.exe

    • Size

      5.3MB

    • MD5

      75eecc3a8b215c465f541643e9c4f484

    • SHA1

      3ad1f800b63640128bfdcc8dbee909554465ee11

    • SHA256

      ec33d8ee9c3881b8fcea18f9f862d5926d994553aec1b65081d925afd3e8b028

    • SHA512

      b3a48230fc6f20038c938e5295b68a3f020b94e220ca2fab6a894d126dc41f6f1021c239613bf9d6de84370ad7df9d9a91baf716a87d43eb101ee3e48578e5ff

    • SSDEEP

      98304:j5ObAu2pmits24nYhQCWQdaQQo/mJPv4KYZPKBhYI5RuN4OL2wIjcsJWNg3:IAnRu24nR5QcTvYdmPuWOL2TcQWe3

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • UAC bypass

    • Windows security bypass

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Enumerates VirtualBox registry keys

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

    • Disables RegEdit via registry modification

    • Drops file in Drivers directory

    • Modifies Installed Components in the registry

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Windows security modification

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Checks for any installed AV software in registry

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Sets file execution options in registry

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Modifies WinLogon for persistence

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks