Resubmissions
26-02-2024 18:15
240226-wv4khsdb8t 326-02-2024 18:01
240226-wlxevada2t 626-02-2024 17:58
240226-wj98xscc64 626-02-2024 17:47
240226-wc9zkscb27 726-02-2024 17:30
240226-v3fyrabg35 1026-02-2024 17:25
240226-vzrababf39 826-02-2024 17:07
240226-vndvvabc96 726-02-2024 16:42
240226-t7vf9sbd4s 10General
-
Target
gato.jpeg
-
Size
54KB
-
Sample
240226-t7vf9sbd4s
-
MD5
cd869039e351b02dde534759ae627caa
-
SHA1
8c227c8532a3106c82009117500a53fceb8adcda
-
SHA256
8fb5890f75d501936e90d1891cd97c8b23396525842fd741f9b9a441405cd01f
-
SHA512
81a5b30497bb3cf7b6257728ef5f04b2e45d1ec23e159035210292b13514a82313e19c68878f50bd10a9382ed5b6a83c6356d2d2c0607a79ec2e8afbc9bc3fc0
-
SSDEEP
1536:g6taN+v7AZswe0Q4qKjLkvqwWsXcWQeldDrVh5Bh0K4:QEAneazLaMWQWdDJh5vI
Static task
static1
Behavioral task
behavioral1
Sample
gato.jpg
Resource
win10-20240221-en
Malware Config
Extracted
http://93.115.82.248/?0=1&1=1&2=9&3=i&4=9200&5=1&6=1111&7=ukjehallyw
Targets
-
-
Target
gato.jpeg
-
Size
54KB
-
MD5
cd869039e351b02dde534759ae627caa
-
SHA1
8c227c8532a3106c82009117500a53fceb8adcda
-
SHA256
8fb5890f75d501936e90d1891cd97c8b23396525842fd741f9b9a441405cd01f
-
SHA512
81a5b30497bb3cf7b6257728ef5f04b2e45d1ec23e159035210292b13514a82313e19c68878f50bd10a9382ed5b6a83c6356d2d2c0607a79ec2e8afbc9bc3fc0
-
SSDEEP
1536:g6taN+v7AZswe0Q4qKjLkvqwWsXcWQeldDrVh5Bh0K4:QEAneazLaMWQWdDJh5vI
Score10/10-
Modifies WinLogon for persistence
-
Blocklisted process makes network request
-
Disables RegEdit via registry modification
-
Sets file execution options in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
9Pre-OS Boot
1Bootkit
1