General

  • Target

    fa34f1060890c39f4a3a660188d3b7b0_JaffaCakes118

  • Size

    412KB

  • Sample

    240419-nn6sasbd7y

  • MD5

    fa34f1060890c39f4a3a660188d3b7b0

  • SHA1

    4ee63732b0507164776899842f0d1cd5f4efd6c4

  • SHA256

    ffc5d2ee9e92d3a08c779193aeb9716012d390600bc876e45a8ed71bdb805dbc

  • SHA512

    0e7cd9d60b57ce22cb86b7166e59ab14c412529e1405f366687b7b20c8931d734923e5fd47cbf4f1ebc11dec37d5682781655de95087b1d140d9dfdda9c3dbfe

  • SSDEEP

    6144:HkggvLlERJqQtjHFsdWAYzblGLmiCxrrPiujhQ37WCSxh:EggTl+IQtTmdrYzblGLmiCQujhu7W

Malware Config

Targets

    • Modifies WinLogon for persistence

    • Adds policy Run key to start application

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • T1547 Boot or Logon Autostart Execution (3)
      • T1547.001 Registry Run Keys / Startup Folder (2)
      • T1547.004 Winlogon Helper DLL (1)
  • T1543 Create or Modify System Process (1)
      • T1543.003 Windows Service (1)
  • T1542 Pre-OS Boot (1)
      • T1542.003 Bootkit (1)

Privilege Escalation

  • T1547 Boot or Logon Autostart Execution (3)
      • T1547.001 Registry Run Keys / Startup Folder (2)
      • T1547.004 Winlogon Helper DLL (1)
  • T1543 Create or Modify System Process (1)
      • T1543.003 Windows Service (1)

Defense Evasion

  • T1112 Modify Registry (4)
  • T1562 Impair Defenses (1)
      • T1562.004 Disable or Modify System Firewall (1)
  • T1542 Pre-OS Boot (1)
      • T1542.003 Bootkit (1)
  • T1553 Subvert Trust Controls (1)
      • T1553.004 Install Root Certificate (1)

Tasks