General

  • Target

    fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118

  • Size

    2.1MB

  • Sample

    240419-mj79wsge88

  • MD5

    fa1af9f89f182ceaf85cdc39a9bb55b9

  • SHA1

    b66a479eaeaf45be1b5bb52968550724d0ef0934

  • SHA256

    f58bb7ef51d62cbca14778caffadd854dad7a1a5682cc2016f775310b0464058

  • SHA512

    7fbf3ea63ef918abce0806512872f8608e9771c5069eade5246623434ed1489f9ae3c1b6c7cf7bb8f5f75f8bb3c5600d5fb4a6d07c38806e6d6e114ecc8c0a7f

  • SSDEEP

    49152:4WFVbrhPYRE7ri2iqfRIIJyiCpVPG/NBOf/WbsWa:xFVbryO7r/fRhIiQVw8/WbsWa

Malware Config

Targets

    • Target

      fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      VirtualBox guests expose ACPI tables whose entries under HKLM\HARDWARE\ACPI carry a VBOX identifier; reading them is a common virtual-machine check.

    • Looks for VMware services registry key.

    • ACProtect 1.3x - 1.4x DLL software

      Detects a file protected with the ACProtect packer/protector.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX or a modified UPX (open-source packer).

    • VMProtect packed file

      Detects executables packed with the VMProtect commercial packer.

      Packer signatures are static byte-pattern matches. Three of them (ACProtect, UPX, VMProtect) firing on one sample points to layered packing, a match on an embedded or dropped file, or a false positive; confirm by inspecting the PE sections rather than trusting the labels.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calling NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) stops debug events from that thread being delivered to an attached debugger, a common anti-debugging technique.
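The registry-based signatures above (VirtualBox ACPI values, VMware services key, BIOS information, Wine keys, the UAC setting, and the Run key) are all triage rules over a registry access trace. The following is an added example, not code from the sandbox that produced this report: it parses a constructed trace in a minimal "operation path [= data]" format (the format and the event lines are assumptions, not sandbox output), matches each event against rules for the signatures named on this page, and tallies hits per ATT&CK technique the way the matrix section does. The key paths in the rules are ones commonly probed by anti-VM and anti-sandbox code, not paths taken from this report.

```python
import re
from collections import Counter

# Constructed registry trace (not sandbox output). Format: "<op> <key path>[ = <data>]".
SAMPLE_TRACE = r"""
RegOpenKey HKLM\HARDWARE\ACPI\DSDT\VBOX__
RegOpenKey HKLM\SYSTEM\CurrentControlSet\Services\VMTools
RegQueryValue HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion
RegQueryValue HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion
RegOpenKey HKCU\Software\Wine
RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater = C:\Users\Public\svc.exe
RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
"""

# (signature name as listed in the report, ATT&CK technique, operations that count, key-path regex).
# Paths are commonly probed anti-VM / persistence locations; the set is illustrative, not exhaustive.
RULES = [
    ("Identifies VirtualBox via ACPI registry values", "T1497",
     {"RegOpenKey", "RegQueryValue"},
     r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__"),
    ("Looks for VMware services registry key", "T1497",
     {"RegOpenKey", "RegQueryValue"},
     r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\(VMTools|vmmouse|vmhgfs|VMMEMCTL)$"),
    ("Checks BIOS information in registry", "T1082",
     {"RegQueryValue"},
     r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|BIOS\\SystemManufacturer|BIOS\\SystemProductName)$"),
    ("Identifies Wine through registry keys", "T1497",
     {"RegOpenKey", "RegQueryValue"},
     r"^HK(LM|CU)\\Software\\Wine(\\|$)"),
    ("Checks whether UAC is enabled", "T1012",
     {"RegQueryValue"},
     r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$"),
    # Reading the Run key is routine; only a value write under it is persistence.
    ("Adds Run key to start application", "T1547.001",
     {"RegSetValue"},
     r"^HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$"),
]

# Registry paths are case-insensitive, so every rule is compiled with IGNORECASE.
COMPILED = [(name, tech, ops, re.compile(rx, re.IGNORECASE)) for name, tech, ops, rx in RULES]

# Path is matched lazily so that an optional " = <data>" suffix is split off (value names
# with spaces such as "Windows NT" stay inside the path).
LINE_RE = re.compile(r"^(?P<op>\w+)\s+(?P<path>[^=]+?)(?:\s*=\s*(?P<data>.*))?$")


def parse_trace(text):
    """Parse the trace into (operation, key path, data-or-None) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            events.append((m["op"], m["path"], m["data"]))
    return events


def match_signatures(events):
    """Return the distinct (signature, technique) pairs the trace triggers, in first-hit order."""
    hits = []
    for op, path, _data in events:
        for name, tech, ops, rx in COMPILED:
            if op in ops and rx.match(path) and (name, tech) not in hits:
                hits.append((name, tech))
    return hits


def technique_counts(hits):
    """Number of triggered signatures per ATT&CK technique (the tally the matrix section shows)."""
    return Counter(tech for _name, tech in hits)


if __name__ == "__main__":
    found = match_signatures(parse_trace(SAMPLE_TRACE))
    for name, tech in found:
        print(f"{tech:10} {name}")
    print(dict(technique_counts(found)))
```

On the constructed trace the Run-key read on its own does not fire, while the later RegSetValue under Run does, and the three virtualisation checks (VirtualBox ACPI, VMware services, Wine) collapse to a single T1497 count of 3, matching the way several signatures roll up into one technique in the matrix.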

MITRE ATT&CK Matrix (ATT&CK v13)

Techniques are grouped by tactic; the number in parentheses is the count of triggered signatures the report maps to that technique, followed by the technique ID.

Persistence

    • Boot or Logon Autostart Execution (1) T1547

    • Registry Run Keys / Startup Folder (1) T1547.001

    • Pre-OS Boot (1) T1542

    • Bootkit (1) T1542.003

Privilege Escalation

    • Boot or Logon Autostart Execution (1) T1547

    • Registry Run Keys / Startup Folder (1) T1547.001

Defense Evasion

    • Virtualization/Sandbox Evasion (3) T1497

    • Modify Registry (2) T1112

    • Pre-OS Boot (1) T1542

    • Bootkit (1) T1542.003

Credential Access

    • Unsecured Credentials (1) T1552

    • Credentials In Files (1) T1552.001

Discovery

    • Query Registry (4) T1012

    • Virtualization/Sandbox Evasion (3) T1497

    • System Information Discovery (3) T1082

Collection

    • Data from Local System (1) T1005

Tasks