General

  • Target

    fb71a9372f7195356b87f195e68b534a_JaffaCakes118

  • Size

    3.6MB

  • Sample

    240419-3war6aag37

  • MD5

    fb71a9372f7195356b87f195e68b534a

  • SHA1

    08f7a9fa06a9cde87f38dff3aa8b57efed5a1099

  • SHA256

    051a80a2a82dd18faa9d0738c5403f3f0dbd0926e0525a445596cc6ef2d7d754

  • SHA512

    906e0b239b6de7a3f7ef9118355793dd342853501109b9328ccb284f9142c69f4081671795b3b80eff894b550b26e6bb6a0731134bbcfb0cc9d9a75d78ea36ce

  • SSDEEP

    98304:KcXMbp8CtkFM8zRi8FSP4xnKjhFyikOfDiV7mR/eht2:RcTkeWim045ygiFfDK2/Et2

Targets

    • Target

      fb71a9372f7195356b87f195e68b534a_JaffaCakes118

    • Size

      3.6MB

    • MD5

      fb71a9372f7195356b87f195e68b534a

    • SHA1

      08f7a9fa06a9cde87f38dff3aa8b57efed5a1099

    • SHA256

      051a80a2a82dd18faa9d0738c5403f3f0dbd0926e0525a445596cc6ef2d7d754

    • SHA512

      906e0b239b6de7a3f7ef9118355793dd342853501109b9328ccb284f9142c69f4081671795b3b80eff894b550b26e6bb6a0731134bbcfb0cc9d9a75d78ea36ce

    • SSDEEP

      98304:KcXMbp8CtkFM8zRi8FSP4xnKjhFyikOfDiV7mR/eht2:RcTkeWim045ygiFfDK2/Et2

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely used as a geofence to decide whether to run.

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      $_2_/Ad.exe

    • Size

      24KB

    • MD5

      218a0f93c33d9da19beb9396e251ea58

    • SHA1

      ba28b69133ee9e79dca3b0d478f1777af1a900f3

    • SHA256

      7e6264a4d4e30a845dfff70491970a697c275d05bcd572bf484d3b821a8a95f5

    • SHA512

      21b4c505f8c7b59b64ecb76551f051d035cb26af5d76c3818a5d00acc849686381b08bbba93fcd86353bb0c83a2a549ef7c7247a88c679c57c2e1499c24df386

    • SSDEEP

      768:yiJRKDbEOKtIhxBKRGiDli/tmgkHO+QD:yiJRxOKtIhxR+lEmdO+Q

    Score
    1/10
    • Target

      $_2_/DownloadProxyPS.dll

    • Size

      67KB

    • MD5

      9c629978377e3edc8d0b001115f93eec

    • SHA1

      c563aad2e04b0e69b3ceeb722f7f7e85dd3cb410

    • SHA256

      1ce25ffc0d8671f5c44573ec190533860cc3bec823d2dcfaf4548a0bd76add50

    • SHA512

      34cb1eafd31385094bc0f2f03da80fb94662a7a966dff7f9be974b5e850e2c588e82546edfaf244b7f20046fd63421495b7a429d50184d074b83208d86dcd619

    • SSDEEP

      768:A1fVSO9ZV/algl30jcuPv114iNpdVtAcpg5n:OAOkeEcuXVN9tVpgF

    Score
    1/10
    • Target

      $_2_/QQVipDownloader.exe

    • Size

      1023KB

    • MD5

      65dbfaf76be7baf0369e1a202f8499cc

    • SHA1

      542dca77ea0f20b91b8ebac80e326686dd507c55

    • SHA256

      e997d69e9649210f79167f2a8501196ac2a62a23944b5d0d39b1e9bd7e3b774f

    • SHA512

      0880bc2a3182708e3ac620f4028a85eb1683bda96f0246ea5751c9ad20c3ea2c1e9879751b4f57fea0ee16b41347a93be88ef0f87661583971204179b917b608

    • SSDEEP

      12288:pDfAIZBLC7KNkg2BirPUTYLzD3zk2U5LZE+KGngCRyEi1QOCXSSY9p8s96+9AUys:pDfAIZBZkg2B4UsKKLEiGi9X0cAUSK6

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely used as a geofence to decide whether to run.

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      $_2_/TXSSOSetup.exe

    • Size

      1.2MB

    • MD5

      e9756141d085d3b332014d7f9b184480

    • SHA1

      7527574eb3b415744815ec4c51ae423ee58494e7

    • SHA256

      8aa5ad11255f7526bd924a14b2ad0f4511ec2abf9f80abc5d2ac3d147490088a

    • SHA512

      20f6c37ca83d4fe3cc34fe0018d184447ec2c2c990930601eeb9e5f29e8da4cc1b172894deada85d0bdcbb7bb09e907a757aa2932aaaea46fa5ed19444a0a439

    • SSDEEP

      24576:PBKYYrcWwGWZBxY/7jeN9B8dz8w47dywfUKIKvyqNJvbqaEaJe:2oWwG+Bx28odYy4UKl0dge

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      $_2_/Tencentdl.exe

    • Size

      915KB

    • MD5

      7e8dfc56349967d134ccdc9de4cd772f

    • SHA1

      80f9636e5f2b7509d50e3e865b5c0d921348fff0

    • SHA256

      fcaf44a74ec98e9780ddded45729dab1dc292c3a1bfed1c1a7ce56f1fed9b604

    • SHA512

      b25fa86519cc23157f253ab816e8f8dfab54c5eddb72ec2092ece5b33767131f2ebdb4c791a2e28688c3bbbddc0db1e34d046f309592f95bf4665f5f12617010

    • SSDEEP

      12288:4QcPCATq82+oqwBPeOzXcYdQ05l2NAmTq5RAPeK17b163XfP6P:4QcToqsiYNl2NApvB0n163XfPo

    Score
    1/10
    • Target

      $_2_/bugreport.exe

    • Size

      274KB

    • MD5

      cae77f70a1dbc517f1281403f0a68c1e

    • SHA1

      96fdd9317aa6236ccd396dd469c46eda564326f2

    • SHA256

      18a53e047d0536e49385177d00d526f252de98d5d04e58e057c7684f820788c2

    • SHA512

      b33c4e3de966847e280fd827c39c0dfad1e65a7c24f28b7572eb35aca0c36fc0544eab3e34d5b80613543bf7c644a1b41dc3d7886e1b4923a93077ccadb2799c

    • SSDEEP

      6144:mtpUeG1HPZRRYBmH43UDCVyTBqFtfGJOENMcDN7Y7t7q9:mfGfYBmHEaCVyTsFkTMcp7YJe9

    Score
    1/10
    • Target

      $_2_/curllib.dll

    • Size

      228KB

    • MD5

      45882035d3e92e52b511c497432c0f80

    • SHA1

      beebd03fafda345f2068c8892272d66bf7726ac2

    • SHA256

      f79808272d03aa7a2e904438f97a63dee8d0d62fd4ed77709eb80ca3bdba6510

    • SHA512

      4a00a0d8d0dd4fa3774722c5dad647e86127f1a1abe83df7b80388c6ef1aa69089402fc12a06a3fc4f800335db5ca99345b8d75b584a2b467f9a43254c303817

    • SSDEEP

      6144:8AGm5prJ+hxfZZmfrnY4LwKFWj6sd+xAI9:8AGm5/++rn3W+F

    Score
    3/10
    • Target

      $_2_/dlcore.dll

    • Size

      1.9MB

    • MD5

      0ed92ed82d4d1b22fe231c177b45eac5

    • SHA1

      d858a692e6c0a364137c4d0190816809b8c37f7f

    • SHA256

      ad1425b8497cf8b5891adbd51371c3ceb0f977e6e417b6c3f3262e6b6f01e2fc

    • SHA512

      8d7d60e84314ba2b5b1a9248e6ddf1f2723844ebde1953343ee5f825f1d3e30a5a9a504d028c9311f9aa82c17929c4927769b7ae6df986003b2c1aaef0be3aa1

    • SSDEEP

      49152:JSGO70WM3G4HmQohT02dkqQsEhAtyhBFVTCzNG6TxD3mOXA:cf0WKGIQ0+QsDCO

    Score
    1/10
    • Target

      $_2_/extract.dll

    • Size

      358KB

    • MD5

      9da51d4506bd094fbfc7d337338fc872

    • SHA1

      1b5799ef6b66ac9471842f17570813e7c42cdb27

    • SHA256

      f2181e41d5950fcb762edf6b9cbb665e94004a7f1102b606c331690e6069a501

    • SHA512

      07dfae7c04ea2815ed78af9e29313050338bfec5a8e08a8846c0f846d6d27b79b7bfe2c3b4dbf3758aa22f88342aadf5513dcbcd6a718b9dd939996d6ce9e044

    • SSDEEP

      6144:xR1C/1D8BnHgvH/5udZip+IUOrJTbSfvyux0egTK3:xDC/1D8BH0HBvUIUOrux0ege3

    Score
    1/10
    • Target

      $_2_/tinyxml.dll

    • Size

      99KB

    • MD5

      e42fb6e8b70cef85bfaae7cd0e716e21

    • SHA1

      463a423283b5c22056cca0c2bcad1969194e69c2

    • SHA256

      0460e9e03edf807453e66f0332c84a4f8ea8ace16e25b8c2e62abe12a6b7eebc

    • SHA512

      c30105e53c89756eab9d7c92d35e9934ece9ac9ecdec92cb56e63ffdf2b1ec3294dedc4942fd0dfae16367968f697786179534b9b0de7f2962e0c95a406a7056

    • SSDEEP

      1536:R/ehBLJag+yYfuwjLPIGsvNY96EgQUx8J4LoNB4e0ee:REL4hfuwjLPIZNY96EgQU2fNB4eE

    Score
    3/10
    • Target

      $_2_/tnproxy.dll

    • Size

      707KB

    • MD5

      3bad47f1e11387358ba090fbc2682713

    • SHA1

      e7e7843d3fd4f45fdb65ff40936bc28a10651589

    • SHA256

      26c906e83d280f03e021a5730908cc40551f8ef98e048b9ae001354ec83ae736

    • SHA512

      c00f7079746cc0ab961680ca784cac036ad60c2883e032fea9d8ac4791579f5cb952a341efb0068a38f81ab84c6dc870ddd8ae5ddb66d17a812a80fc8e1486eb

    • SSDEEP

      12288:aY2sKZ+fh+jtdwPBAMvyAXlOsJhYV0J7OQf1LoP+MmIlF/w2MfNXn0K43qsvXB3p:h2sKAj5YV0J9UWrkxPHRzANe

    Score
    1/10
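The "Writes to the Master Boot Record (MBR)" signature above is the behaviour ATT&CK files under Bootkit (T1542.003). What a responder wants at this point is a way to tell whether a captured MBR still matches a trusted baseline. The following is an added example, not code from this report or from any of the dropped files: it parses a 512-byte MBR image (446 bytes of boot code, a four-entry partition table, the 0x55AA signature), hashes the boot code, and reports how a captured image deviates from a baseline. The boot code and partition layout are constructed for the example and stand in for a real disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"
# One partition entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
ENTRY_FORMAT = "<B3sB3sII"


def partition_entry(bootable, ptype, lba_start, sectors):
    """Encode one 16-byte partition table entry (CHS fields zeroed; the LBA fields are what matter)."""
    status = 0x80 if bootable else 0x00
    return struct.pack(ENTRY_FORMAT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba_start, sectors)


def build_mbr(boot_code, entries, signature=BOOT_SIGNATURE):
    """Assemble a 512-byte MBR image: boot code, four-entry partition table, two-byte signature."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    table = b"".join(entries).ljust(4 * PARTITION_ENTRY_SIZE, b"\x00")
    return code + table + signature


def parse_mbr(image):
    """Parse an MBR image into a boot-code hash, the used partition slots and signature validity."""
    if len(image) != MBR_SIZE:
        raise ValueError("MBR image must be exactly %d bytes" % MBR_SIZE)
    partitions = []
    for slot in range(4):
        off = PARTITION_TABLE_OFFSET + slot * PARTITION_ENTRY_SIZE
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            ENTRY_FORMAT, image[off:off + PARTITION_ENTRY_SIZE])
        if ptype == 0:
            continue  # empty slot
        partitions.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(image[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
        "signature_ok": image[MBR_SIZE - 2:] == BOOT_SIGNATURE,
    }


def mbr_findings(image, baseline):
    """Compare a captured MBR with a trusted baseline (the parse_mbr() result of a known-good image)."""
    current = parse_mbr(image)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing or corrupted")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline (bootkit-style overwrite)")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


# Constructed sample data for this example: a "clean" MBR and one whose boot code was replaced.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40  # stand-in for real boot code
PARTITIONS = [partition_entry(True, 0x07, 2048, 204800),
              partition_entry(False, 0x07, 206848, 1843200)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
# A bootkit typically keeps the partition table intact (so the disk still boots) and swaps in its own loader.
HOOKED_MBR = build_mbr(b"\xeb\xfe" + CLEAN_BOOT_CODE[2:], PARTITIONS)
BASELINE = parse_mbr(CLEAN_MBR)

if __name__ == "__main__":
    print("clean :", mbr_findings(CLEAN_MBR, BASELINE) or "no deviations")
    print("hooked:", mbr_findings(HOOKED_MBR, BASELINE))
```

On a live Windows host the first 512 bytes of `\\.\PhysicalDrive0` can be read with administrative rights and passed to `parse_mbr`, with the baseline taken from a known-good image of the same machine. The check only tells you something on legacy BIOS/MBR boot: a UEFI/GPT disk carries a protective MBR with a single type 0xEE entry and boot code that is never executed.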

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Create or Modify System Process (T1543): 2
      • Windows Service (T1543.003): 2
  • Pre-OS Boot (T1542): 2
      • Bootkit (T1542.003): 2

Privilege Escalation

  • Create or Modify System Process (T1543): 2
      • Windows Service (T1543.003): 2

Defense Evasion

  • Impair Defenses (T1562): 2
      • Disable or Modify System Firewall (T1562.004): 2
  • Pre-OS Boot (T1542): 2
      • Bootkit (T1542.003): 2

Discovery

  • Query Registry (T1012): 2
  • System Information Discovery (T1082): 5
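The Defense Evasion entry above, Disable or Modify System Firewall (T1562.004), corresponds to the "Modifies Windows Firewall" signature on two of the targets. The report does not say which commands were used, so the following is an added example, not code from this report or from the sample: a small detector run over constructed process-creation records (timestamp, parent image and command line, pipe-separated) that flags the usual ways of turning the firewall off or adding allow rules, with netsh (current and legacy syntax) and the NetSecurity PowerShell cmdlets. The log format, paths and programme names are constructed for the example; the command-line patterns are the real syntax of those tools.

```python
import re

# Command-line patterns that disable the Windows firewall or add allow rules (ATT&CK T1562.004).
TAMPER_PATTERNS = [
    ("firewall_disabled", re.compile(r"\bnetsh\b.*\badvfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    ("firewall_disabled", re.compile(r"\bnetsh\b.*\bfirewall\s+set\s+opmode\b.*\bdisable\b", re.I)),
    ("firewall_disabled", re.compile(r"\bSet-NetFirewallProfile\b.*-Enabled\s+(\$?false|0)\b", re.I)),
    ("allow_rule_added", re.compile(r"\bnetsh\b.*\badvfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b", re.I)),
    ("allow_rule_added", re.compile(r"\bnetsh\b.*\bfirewall\s+add\s+allowedprogram\b", re.I)),
    ("allow_rule_added", re.compile(r"\bNew-NetFirewallRule\b.*-Action\s+Allow\b", re.I)),
]
# The binary an allow rule is being created for (netsh program=..., PowerShell -Program ...)
PROGRAM_RE = re.compile(r'(?:\bprogram=|-Program\s+)"?([^"\s]+)', re.I)
# Directories a non-admin user can write to; an allow rule for a binary there is the dropper pattern
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)


def parse_event(line):
    """Split one constructed process-creation record: timestamp|parent image|command line."""
    ts, parent, cmdline = line.rstrip("\n").split("|", 2)
    return {"time": ts, "parent": parent, "cmdline": cmdline}


def classify(cmdline):
    """Return the tamper category for a command line, or None if it is not firewall tampering."""
    for category, pattern in TAMPER_PATTERNS:
        if pattern.search(cmdline):
            return category
    return None


def detect_firewall_tampering(lines):
    """Return one finding per record whose command line disables the firewall or opens it up."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        category = classify(ev["cmdline"])
        if category is None:
            continue
        match = PROGRAM_RE.search(ev["cmdline"])
        program = match.group(1) if match else None
        findings.append({
            "time": ev["time"],
            "parent": ev["parent"],
            "category": category,
            "program": program,
            # Disabling the firewall outright, or allowing a binary from a user-writable path,
            # is rarely legitimate software behaviour.
            "high_confidence": category == "firewall_disabled"
                               or (program is not None and USER_WRITABLE_RE.search(program) is not None),
        })
    return findings


# Constructed sample records for this example (not taken from the sandbox run).
SAMPLE_EVENTS = [
    r"2024-04-19T21:10:01Z|C:\Windows\explorer.exe|" + r'"C:\Program Files\Tool\tool.exe" --update',
    r"2024-04-19T21:10:02Z|C:\Users\u\AppData\Local\Temp\setup.exe|"
    + r'netsh advfirewall firewall add rule name="Updater" dir=in action=allow program="C:\Users\u\AppData\Local\Temp\Updater.exe"',
    r"2024-04-19T21:10:03Z|C:\Windows\System32\cmd.exe|netsh advfirewall set allprofiles state off",
    r"2024-04-19T21:10:04Z|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    + r'powershell -c "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"',
    r"2024-04-19T21:10:05Z|C:\Program Files\Tool\tool.exe|"
    + r'netsh advfirewall firewall add rule name="Tool" dir=in action=block program="C:\Program Files\Tool\tool.exe"',
]

if __name__ == "__main__":
    for finding in detect_firewall_tampering(SAMPLE_EVENTS):
        print(finding)
```

The block rule in the last record is deliberately not flagged: only rules that open the firewall matter here. In a real deployment the same logic runs over Sysmon event 1 or Security event 4688 command lines; for an audit trail independent of the process that made the change, the Windows Filtering Platform also logs rule additions, changes and deletions as events 4946, 4947 and 4948 when firewall auditing is enabled.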