General

  • Target

    69db660126843cc9ca7092394735c351_JaffaCakes118

  • Size

    756KB

  • Sample

    240523-fz37jsfa49

  • MD5

    69db660126843cc9ca7092394735c351

  • SHA1

    37d4cceb2766ca0ef6d747d5188b96475892c277

  • SHA256

    70a61b9f583b7f4837211571603cf791b334e139d2138b217e2b3af33c565a43

  • SHA512

    86cce32c0fa5289783f1449fa51087297a6cd93c56aefd9e5357610bc2b48e2300f874b1e58b717ce92b29faeeb7b0d9feef852434030b7583b0ed70da0ae0f8

  • SSDEEP

    12288:X+WhWEyIuRalv7sa2beX41VWIr3cTGeIif82GgrMs7JjMt8RdZtz4lTMSQ/skLoB:XIRIGST8iX41oITACitXr7J5RdclT6di

Malware Config

Targets

    • Target

      69db660126843cc9ca7092394735c351_JaffaCakes118

    • Size

      756KB

    • MD5

      69db660126843cc9ca7092394735c351

    • SHA1

      37d4cceb2766ca0ef6d747d5188b96475892c277

    • SHA256

      70a61b9f583b7f4837211571603cf791b334e139d2138b217e2b3af33c565a43

    • SHA512

      86cce32c0fa5289783f1449fa51087297a6cd93c56aefd9e5357610bc2b48e2300f874b1e58b717ce92b29faeeb7b0d9feef852434030b7583b0ed70da0ae0f8

    • SSDEEP

      12288:X+WhWEyIuRalv7sa2beX41VWIr3cTGeIif82GgrMs7JjMt8RdZtz4lTMSQ/skLoB:XIRIGST8iX41oITACitXr7J5RdclT6di

    • BetaBot

      Beta Bot is a Trojan that infects computers and disables Antivirus.

    • Modifies firewall policy service

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Sets file execution options in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Exploitation for Client Execution

1
T1203

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

6
T1112

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Tasks