General

  • Target

    2891efd22c6c39f84a33635087ede44e_JaffaCakes118

  • Size

    6.4MB

  • Sample

    240509-gjygssgb93

  • MD5

    2891efd22c6c39f84a33635087ede44e

  • SHA1

    23cfb8eb082baa73ecd0115ad2e6670bb32dd884

  • SHA256

    8418633507549aa7f6afc255426de051190af3d4c490b3bdb802f3a72ccd23f4

  • SHA512

    24b09e7767dea9091ca21f1f8b7ac3aff918df0b34a25fd3bb32b35c38d75b4ff7b0a36a53c8f657a55ede54e3a5f6494f71e019654c8b8da1333868be2364b4

  • SSDEEP

    196608:nOxlTaO2gg7HAiGkK+pZp9Izh6r6vKxylUR3/GSK:UmzxK+p216rAKcWR3eSK

Malware Config

Targets

    • Target

      hazgyese/下载银行-提供免费绿色软件下载.url

    • Size

      265B

    • MD5

      8198b90729a29a180d83f169e44bf4b4

    • SHA1

      808c7001a47365ed66f763540472f71c8ab8f3c0

    • SHA256

      0472fb354a075029d538acbdd78064da47a19487e4efcaa513417232036ad656

    • SHA512

      8191fc06f76f598a0f3022115f9904feabce5ed9e5642557a245e279aecd1e447bf359f17b5237fd52117438dd133a214e53886769f97ef3a5850d4e50bef502

    • Score

      1/10

    • Target

      hazgyese/黑暗之光夜涩辅助V3.8.0/SkinH_EL.dll

    • Size

      86KB

    • MD5

      147127382e001f495d1842ee7a9e7912

    • SHA1

      92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

    • SHA256

      edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

    • SHA512

      97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

    • SSDEEP

      1536:s5Np2dgZgIehUUS3E1Ujmrvl179D53UWnGQRJZiXRmrCnKptnouy8K:s5Np2dlUX0+Cx17F8QRJZKmOK3outK

    • Score

      7/10

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      hazgyese/黑暗之光夜涩辅助V3.8.0/Ubad/EThread.fne

    • Size

      56KB

    • MD5

      391a5e311cebf461334acb330a0faaf8

    • SHA1

      8e46d3ac91ba123803d69a665c80b30f5a8ad339

    • SHA256

      8f462850ca8f46dd4095097aac4fcfb04cfd7fb0020f410dd3612960a16cd054

    • SHA512

      8e7bc8c3677c6afcedb6fe7c6f4aa7ab9097ecb015012e734c58d59d6b77a04ef12a32dc653e6e06c332c4bdb50cc5c986eb07b44a4203f9512dd168a289ecc8

    • SSDEEP

      768:13gWNW3gyVNWTmOPMJcyS6K7viaViB9V5yHQ6Fq4oCaJaUOJK:5XkSTmOP0Cbu2BboCakJK

    • Score

      1/10

    • Target

      hazgyese/黑暗之光夜涩辅助V3.8.0/Ubad/arie.fnr

    • Size

      1.0MB

    • MD5

      dde0681ba7a02bbb1c9b756af7e53fd2

    • SHA1

      eb1310a5848614d89e71e76bf6beee497a068017

    • SHA256

      f1efcaa3a7b5bf98819ec0076984f4af595d595c2553f4eec454e6d96f2bf080

    • SHA512

      1f9892ea5727159e7f0ec836dac78bd6923f7b803e5f39113a14c27b4bea5353503a7b998088cdf8ad0f0920e66a241c588bec0b2cab6b02157b54ab4ce30ff1

    • SSDEEP

      12288:d9uwvXUjUEQRTykNsRo5uloubqAxxKYlNKVe0QhBOSIwflL0lA/2b:wjUB+ho5jAxUYshqBOSIw96A/

    • Score

      1/10

    • Target

      hazgyese/黑暗之光夜涩辅助V3.8.0/Ubad/dp1.fne

    • Size

      124KB

    • MD5

      210795f012450fefa80ce492560e32ec

    • SHA1

      67d3d972a471804a284da45e05c92474de05e82a

    • SHA256

      f901d0883e40c0635724b085b5b889b567f6347b7c41f7183377b79e27088fba

    • SHA512

      8bd71d02d43004dbe2e882475d4f72e69a9cc2d8e442013fd3536cfdc71296c2c4c8121875785e8b1cb9f37aa6a5c94fed846e8068a6aab5e71252f166a7140f

    • SSDEEP

      1536:1DSn+hfeTpCwAncpZ6Z8HTiQjl1sYiKG3oZ/:1DTReTgwAcp9lqKG3o

    • Score

      3/10

    • Target

      hazgyese/黑暗之光夜涩辅助V3.8.0/Ubad/eAPI.fne

    • Size

      320KB

    • MD5

      f3bdb078e722c34956b370a74b518e8c

    • SHA1

      5217eac6dbba8ed1819acf90596684f15e87b00d

    • SHA256

      f3db44f1d7c4aaf281b9d8c1e9e542660e975e2abcc4d4927e78488303ca7ecb

    • SHA512

      7878e0261561aa854489215fe725d1da63727805780a74658e2618011eca51999c925b63a6c962849376da2739db06b2abb7197acd64dc72ff50542d172244dd

    • SSDEEP

      3072:0U0swaxu1SrlTvpSuKsZZA+CaHgepAPAdh+SmTsc05nJhonAfVMQDjwQ+9JQmRyd:0UHwakEr9p+AbCQpAIdh6mVMewQ+Lca

    • Score

      1/10

    • Target

      hazgyese/黑暗之光夜涩辅助V3.8.0/Ubad/edison.fnr

    • Size

      3.8MB

    • MD5

      518f36099e6526c41e44ccfdf2665a99

    • SHA1

      acb3288e67fd5381ef6d89ba6031a623c535c481

    • SHA256

      e14eaf02998acd6c3ae092c1f6a62377e64add5ed410096df693388694cb19c4

    • SHA512

      e1977eff04ea4fcfc19a119f37cf165b945662cf858e2cb918ec9f8716e354657c545ac2fc8f3e96a239978589d1ff88e6571db47020d7ca8e4d127618bcf478

    • SSDEEP

      98304:hUlRr8eWMeymfqEbW5UAGAD2jMjtDTu+jrrc+:hO81Me6SrAMMZfu2H

    • Score

      5/10

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      hazgyese/黑暗之光夜涩辅助V3.8.0/Ubad/internet.fne

    • Size

      188KB

    • MD5

      b925098c6a6330410cffb3994ef36211

    • SHA1

      7467bb63d47ea2fa6dbf3984ede8d9e04b8ce37a

    • SHA256

      f25727ce196ac0ab4119ab7968cdfe18425170b55012fc7fb26a3f824514d82f

    • SHA512

      955ab8e3eb661cf575db0db77ca81fca16cdb3e29ce49237b1df1377d6f2aaff3c6a12bbc98a720f0a67292b39451474b97de31f696688a93547181991fffe0e

    • SSDEEP

      3072:tpTEys+TR7yRoHzXjlhvtcxVIThpEbbAKNXoqlSY9M02MHUP:tpTEt+ycLHlCIThpEX9+XM

    • Score

      1/10

    • Target

      hazgyese/黑暗之光夜涩辅助V3.8.0/Ubad/krnln.fnr

    • Size

      1.0MB

    • MD5

      dde0681ba7a02bbb1c9b756af7e53fd2

    • SHA1

      eb1310a5848614d89e71e76bf6beee497a068017

    • SHA256

      f1efcaa3a7b5bf98819ec0076984f4af595d595c2553f4eec454e6d96f2bf080

    • SHA512

      1f9892ea5727159e7f0ec836dac78bd6923f7b803e5f39113a14c27b4bea5353503a7b998088cdf8ad0f0920e66a241c588bec0b2cab6b02157b54ab4ce30ff1

    • SSDEEP

      12288:d9uwvXUjUEQRTykNsRo5uloubqAxxKYlNKVe0QhBOSIwflL0lA/2b:wjUB+ho5jAxUYshqBOSIw96A/

    • Score

      1/10

    • Target

      hazgyese/黑暗之光夜涩辅助V3.8.0/Ubad/poe.fne

    • Size

      320KB

    • MD5

      f3bdb078e722c34956b370a74b518e8c

    • SHA1

      5217eac6dbba8ed1819acf90596684f15e87b00d

    • SHA256

      f3db44f1d7c4aaf281b9d8c1e9e542660e975e2abcc4d4927e78488303ca7ecb

    • SHA512

      7878e0261561aa854489215fe725d1da63727805780a74658e2618011eca51999c925b63a6c962849376da2739db06b2abb7197acd64dc72ff50542d172244dd

    • SSDEEP

      3072:0U0swaxu1SrlTvpSuKsZZA+CaHgepAPAdh+SmTsc05nJhonAfVMQDjwQ+9JQmRyd:0UHwakEr9p+AbCQpAIdh6mVMewQ+Lca

    • Score

      1/10

    • Target

      hazgyese/黑暗之光夜涩辅助V3.8.0/Ubad/shell.fne

    • Size

      56KB

    • MD5

      b824c21472c72b34fa9e103a71b210bf

    • SHA1

      8611a68c40c3c66c81795df814165b1338b2dca6

    • SHA256

      544985bffdd00a24def65288354dd4b4b3b29c99d9e4965dba7463ab229c61bf

    • SHA512

      d2167cb90019ed4353bca853ff8c2d1ea1923d0b7a19c253aa2680549e30c82557ddf76dd4d3dd2fa18d03e6802466999ded35b417cb80b8ec51569dee530d9f

    • SSDEEP

      768:PeZWaAKT41c1IYc8HBbrYNYVw2Fj9oNIqF42eo6U:PBKT4fkrymV7oNIqC8D

    • Score

      1/10

    • Target

      hazgyese/黑暗之光夜涩辅助V3.8.0/Ubad/zeir.fne

    • Size

      320KB

    • MD5

      f3bdb078e722c34956b370a74b518e8c

    • SHA1

      5217eac6dbba8ed1819acf90596684f15e87b00d

    • SHA256

      f3db44f1d7c4aaf281b9d8c1e9e542660e975e2abcc4d4927e78488303ca7ecb

    • SHA512

      7878e0261561aa854489215fe725d1da63727805780a74658e2618011eca51999c925b63a6c962849376da2739db06b2abb7197acd64dc72ff50542d172244dd

    • SSDEEP

      3072:0U0swaxu1SrlTvpSuKsZZA+CaHgepAPAdh+SmTsc05nJhonAfVMQDjwQ+9JQmRyd:0UHwakEr9p+AbCQpAIdh6mVMewQ+Lca

    • Score

      1/10

    • Target

      hazgyese/黑暗之光夜涩辅助V3.8.0/黑暗之光夜涩辅助.exe

    • Size

      1.7MB

    • MD5

      9efa50e71bd40af253b6b1c9dd8a85c1

    • SHA1

      ee470c254820932c6fabdee824497303bfb66397

    • SHA256

      0ac5dedc6fe8bdf34eba697e683f6c61d58004a941421b353a5b99423a9dc200

    • SHA512

      a1331380ea816d2d0cbb0edb9462125996e878af8bbca5f2cbb6545372ef052f198f446092fae5cd43d4b5a6420f7352e7338a8ab18266d6bd56b99e34ce9105

    • SSDEEP

      24576:hdUXvcJ3kILqabOO6flVjJs9bSru4WEI8mI9lP9Zyjlwe5vHpv79P4RwVjTUm:o0JBOdxs9uKOjkB7lbVs

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks