General

  • Target

    https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan

  • Sample

    240427-yge14sfa47

Malware Config

Targets

    • Target

      https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Modifies WinLogon for persistence

    • Downloads MZ/PE file

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • Modifies AppInit DLL entries

    • Modifies Installed Components in the registry

    • Registers new Print Monitor

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Modifies WinLogon

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks