Resubmissions

26-02-2024 18:15

240226-wv4khsdb8t 3

26-02-2024 18:01

240226-wlxevada2t 6

26-02-2024 17:58

240226-wj98xscc64 6

26-02-2024 17:47

240226-wc9zkscb27 7

26-02-2024 17:30

240226-v3fyrabg35 10

26-02-2024 17:25

240226-vzrababf39 8

26-02-2024 17:07

240226-vndvvabc96 7

26-02-2024 16:42

240226-t7vf9sbd4s 10

General

  • Target

    gato.jpeg

  • Size

    54KB

  • Sample

    240226-t7vf9sbd4s

  • MD5

    cd869039e351b02dde534759ae627caa

  • SHA1

    8c227c8532a3106c82009117500a53fceb8adcda

  • SHA256

    8fb5890f75d501936e90d1891cd97c8b23396525842fd741f9b9a441405cd01f

  • SHA512

    81a5b30497bb3cf7b6257728ef5f04b2e45d1ec23e159035210292b13514a82313e19c68878f50bd10a9382ed5b6a83c6356d2d2c0607a79ec2e8afbc9bc3fc0

  • SSDEEP

    1536:g6taN+v7AZswe0Q4qKjLkvqwWsXcWQeldDrVh5Bh0K4:QEAneazLaMWQWdDJh5vI

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://93.115.82.248/?0=1&1=1&2=9&3=i&4=9200&5=1&6=1111&7=ukjehallyw

Targets

    • Target

      gato.jpeg

    • Size

      54KB

    • MD5

      cd869039e351b02dde534759ae627caa

    • SHA1

      8c227c8532a3106c82009117500a53fceb8adcda

    • SHA256

      8fb5890f75d501936e90d1891cd97c8b23396525842fd741f9b9a441405cd01f

    • SHA512

      81a5b30497bb3cf7b6257728ef5f04b2e45d1ec23e159035210292b13514a82313e19c68878f50bd10a9382ed5b6a83c6356d2d2c0607a79ec2e8afbc9bc3fc0

    • SSDEEP

      1536:g6taN+v7AZswe0Q4qKjLkvqwWsXcWQeldDrVh5Bh0K4:QEAneazLaMWQWdDJh5vI

    • Modifies WinLogon for persistence

    • UAC bypass

    • Windows security bypass

    • Blocklisted process makes network request

    • Disables RegEdit via registry modification

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks