General

  • Target   69669d80ee67ca88c2c636c5f4e567ac_JaffaCakes118
  • Size     2.9MB
  • Sample   240523-ckxjnsab74
  • MD5      69669d80ee67ca88c2c636c5f4e567ac
  • SHA1     7854501a76d59ad31844330782db017b2d8ea8a5
  • SHA256   dd3edd0a584fff1f7eadd86f868eeda95f05138caf70c5ba8d807af2f8390887
  • SHA512   024a27a001c18276c7e6863119d3fbe72eb7157be9142bca5e1b058e52abf61648251896460a1c43ac02a8bf790201a1ed770ae37b2d20e4e2f01f7d9319bf4c
  • SSDEEP   49152:17HeAMVNwP8ne1BSGMrrBB1ZTH8QNPf199bs5FCIrMAZJln19Ot6kza3zwj:17HeVLugBB1ZTH8iHZ2CIrMWJb9Lw

Targets

  • Target   69669d80ee67ca88c2c636c5f4e567ac_JaffaCakes118 (the submitted sample; hashes as listed under General)
  • Size     2.9MB

    • Grants admin privileges
      Uses net.exe to modify the user's privileges.
    • Modifies RDP port number used by Windows
    • Possible privilege escalation attempt
    • Sets DLL path for service in the registry
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Deletes itself
    • Loads dropped DLL
    • Modifies file permissions
    • UPX packed file
      Detects executables packed with UPX or a modified UPX open-source packer.
    • Drops file in System32 directory

  • Target   $PLUGINSDIR/System.dll
  • Size     11KB
  • MD5      fbe295e5a1acfbd0a6271898f885fe6a
  • SHA1     d6d205922e61635472efb13c2bb92c9ac6cb96da
  • SHA256   a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
  • SHA512   2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
  • SSDEEP   192:yPtkiQJr7V9r3Ftr87NfwXQ6whlgi62V7i77blbTc4DI:N7Vxr8IgLgi3sVc4
  • Score    3/10

  • Target   $TEMP/TWUCSTRVZCTWUCSTRVZCTWUCSTRVZC.ps1
  • Size     3.5MB
  • MD5      67e1452131ae07c4b67762d3c302f52b
  • SHA1     d6329ac864341d9dd86ff9032df8912ec8c44c8b
  • SHA256   6416923da618a13311012632be2aa383a711c84ee182670e663e4bd8c6464950
  • SHA512   013ee8398189be291970c431be6cab9597e9c3650be44c8842bafeb90e2ac84dc720daf82f24bf67bab4564272fcb34db76b352923697095f9e4b9ed2a553280
  • SSDEEP   49152:RIUxx1Km3fApVfWdmS+KyU053ZBqoBcTq:Y

    • Grants admin privileges
      Uses net.exe to modify the user's privileges.
    • Modifies RDP port number used by Windows
    • Possible privilege escalation attempt
    • Sets DLL path for service in the registry
    • Loads dropped DLL
    • Modifies file permissions
    • UPX packed file
      Detects executables packed with UPX or a modified UPX open-source packer.
    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic / Technique (ID) and the count reported for it:

  Execution
    • T1059      Command and Scripting Interpreter (2)
    • T1059.001  PowerShell (2)
    • T1053      Scheduled Task/Job (2)

  Persistence
    • T1098      Account Manipulation (2)
    • T1547      Boot or Logon Autostart Execution (2)
    • T1547.001  Registry Run Keys / Startup Folder (2)
    • T1053      Scheduled Task/Job (2)

  Privilege Escalation
    • T1547      Boot or Logon Autostart Execution (2)
    • T1547.001  Registry Run Keys / Startup Folder (2)
    • T1053      Scheduled Task/Job (2)

  Defense Evasion
    • T1112      Modify Registry (4)
    • T1222      File and Directory Permissions Modification (2)

  Discovery
    • T1012      Query Registry (3)
    • T1082      System Information Discovery (2)

  Lateral Movement
    • T1021      Remote Services (2)
    • T1021.001  Remote Desktop Protocol (2)