c6e50f8a53feb6b09d74327618c7c4df885b72f4e967cb8eac905a2627307dc5 | Triage

Sharing

General

Target

f9b8d50db4d2cfcd06b0b5050d3593a9_JaffaCakes118
Size

860KB
Sample

240419-he9vpsca81
MD5

f9b8d50db4d2cfcd06b0b5050d3593a9
SHA1

c948f98aec89d6237c969e87c4f8dc609e1147b6
SHA256

c6e50f8a53feb6b09d74327618c7c4df885b72f4e967cb8eac905a2627307dc5
SHA512

1c5331d685e55d50962f7bf86d6b85d8dbb3e5ad1ae74e4a028f199a84c45c21d1fb1f51c88c11e6a9a7203cc1818428df77b1a64aa1b416601e3de5cfc348d4
SSDEEP

24576:RpclO4O7rm2rwvsCabUuYCvly8OqgCNy+1:Bq2jCw5YC9y8OxCNyU

Score

7^/10

bootkit evasion persistence trojan

Malware Config

Targets

- Target
  
  f9b8d50db4d2cfcd06b0b5050d3593a9_JaffaCakes118
- Size
  
  860KB
- MD5
  
  f9b8d50db4d2cfcd06b0b5050d3593a9
- SHA1
  
  c948f98aec89d6237c969e87c4f8dc609e1147b6
- SHA256
  
  c6e50f8a53feb6b09d74327618c7c4df885b72f4e967cb8eac905a2627307dc5
- SHA512
  
  1c5331d685e55d50962f7bf86d6b85d8dbb3e5ad1ae74e4a028f199a84c45c21d1fb1f51c88c11e6a9a7203cc1818428df77b1a64aa1b416601e3de5cfc348d4
- SSDEEP
  
  24576:RpclO4O7rm2rwvsCabUuYCvly8OqgCNy+1:Bq2jCw5YC9y8OxCNyU
Score

7^/10

bootkit evasion persistence trojan
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Checks whether UAC is enabled
  evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Pre-OS Boot

Bootkit

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

bootkitevasionpersistencetrojan

behavioral2