General

  • Target: f9a0a69dae75508adc7486cbc89e60c7_JaffaCakes118
  • Size: 839KB
  • Sample: 240419-gf4jmsac59
  • MD5: f9a0a69dae75508adc7486cbc89e60c7
  • SHA1: fc9b041f93e6276e3a7a11fc79f446a469cfbaa6
  • SHA256: cc3635e8f69d39427f470f0c6a687e88ea006c70077601177dd0852778d2ad08
  • SHA512: c7b5cdae9720b14802a36db2c3098c3e93160dd31a1b3913245b986b5f482c9ad4e575c187abe9464c51bcaf4c13e9ddf881129781b18e7f0ff698950dc7a0b2
  • SSDEEP: 24576:PemdDdKiP7mjxRdIEkt1wbFsA9vT7YiEwxkdV:P3TCjxRjkhoT7BE1

Score: 7/10

Malware Config

Targets

  Target 1

    • Target: G_Client.exe
    • Size: 827KB
    • MD5: 56bebeecc213c2cd6bfe37679ebf1645
    • SHA1: 54c661267b4dc1b6553ca1a49043a13fb13c4ee9
    • SHA256: bfebd4407e311f16db8b99f06429fa358311e5eb555d2565c3494cf90d9081df
    • SHA512: 9cb57d4eb59403b8c70c6b630d1588e928b7ca3321023309efb171df2284308161bfbdbfadc6f6fe63a637385431da6a6a418401c613f41bd2bbcc71e0def12c
    • SSDEEP: 12288:vzFCPb3dtAb6uZovzf/FvzzI38jwZzN86zXxlYzGgSqsNy2anwWh5A:vzWtt1uZovz37jDCPYzGg4u3

    Score: 3/10

  Target 2

    • Target: G_Server.exe
    • Size: 388KB
    • MD5: 16c8a6096c6a55b0f1ac09b9882ee7b0
    • SHA1: 48840eb1d44b376479553c99e33d1020b8031c66
    • SHA256: 83f4acc7f2125e46ec8a6a9f205a1340f93322a1a8812ba75db41bd71e606a13
    • SHA512: 89767fad311f15a6a03a8e966651b874d146ef226d9cb08835a555d42065b7fbe333504d60b33e2783b6d680209a4911950a82b4b936e7d9fd5c3c1bf398e1c5
    • SSDEEP: 12288:JPgzpWVpdgb8Q2fG3Fd4WxbDCy2anwWhan:PTX+JxbDQu3An

    Score: 7/10

    Signatures

    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Writes to the Master Boot Record (MBR)
      Bootkits write to the MBR to gain persistence at a level below the operating system.
    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

Each entry lists the technique, the number of matching signatures, and the technique ID.

  Persistence
    • Event Triggered Execution (1) T1546
      • Change Default File Association (1) T1546.001
    • Boot or Logon Autostart Execution (1) T1547
      • Registry Run Keys / Startup Folder (1) T1547.001
    • Pre-OS Boot (1) T1542
      • Bootkit (1) T1542.003

  Privilege Escalation
    • Event Triggered Execution (1) T1546
      • Change Default File Association (1) T1546.001
    • Boot or Logon Autostart Execution (1) T1547
      • Registry Run Keys / Startup Folder (1) T1547.001

  Defense Evasion
    • Modify Registry (2) T1112
    • Pre-OS Boot (1) T1542
      • Bootkit (1) T1542.003

  Discovery
    • Query Registry (1) T1012
    • System Information Discovery (2) T1082
