General

  • Target

    696647054432c3ddafefffa7e192c0d8_JaffaCakes118

  • Size

    624KB

  • Sample

    240523-ckmz8sab67

  • MD5

    696647054432c3ddafefffa7e192c0d8

  • SHA1

    e042f232e5aba808b162e936289f937e5d7afa9f

  • SHA256

    58a0d0fd2be14203b98dc53efa802bc199f6b83f1bce6847d4019261589306d7

  • SHA512

    2d492eecbc4d797719f3ffad2cbb78bb7edac1b04a66da3af746ccce53e6420d5c0358663096c34785095fb9a33502cfc9b643e2f8bb2a5b5699e6af753af138

  • SSDEEP

    12288:wp4pNfz3ymJnJ8QCFkxCaQTOl2+x5GpX/U:KEtl9mRda1T5GJ/U

Score
10/10

Malware Config

Targets

    • Target

      696647054432c3ddafefffa7e192c0d8_JaffaCakes118

    • Size

      624KB

    • MD5

      696647054432c3ddafefffa7e192c0d8

    • SHA1

      e042f232e5aba808b162e936289f937e5d7afa9f

    • SHA256

      58a0d0fd2be14203b98dc53efa802bc199f6b83f1bce6847d4019261589306d7

    • SHA512

      2d492eecbc4d797719f3ffad2cbb78bb7edac1b04a66da3af746ccce53e6420d5c0358663096c34785095fb9a33502cfc9b643e2f8bb2a5b5699e6af753af138

    • SSDEEP

      12288:wp4pNfz3ymJnJ8QCFkxCaQTOl2+x5GpX/U:KEtl9mRda1T5GJ/U

    Score
    10/10
    • Modifies WinLogon for persistence

    • Renames multiple (93) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

    Tactic                Technique                              Hits  ID
    --------------------  -------------------------------------  ----  ---------
    Initial Access        Replication Through Removable Media    1     T1091
    Persistence           Boot or Logon Autostart Execution      1     T1547
    Persistence           Winlogon Helper DLL                    1     T1547.004
    Privilege Escalation  Boot or Logon Autostart Execution      1     T1547
    Privilege Escalation  Winlogon Helper DLL                    1     T1547.004
    Defense Evasion       Modify Registry                        1     T1112
    Discovery             Query Registry                         1     T1012
    Discovery             Peripheral Device Discovery            1     T1120
    Discovery             System Information Discovery           2     T1082
    Lateral Movement      Replication Through Removable Media    1     T1091

Tasks