General

  • Target

    8c05d565e498f75fb9a50c5053e973aa_JaffaCakes118

  • Size

    512KB

  • Sample

    240601-2j72fshb91

  • MD5

    8c05d565e498f75fb9a50c5053e973aa

  • SHA1

    a6faed05f899b854e9800ee5b53bba65469e1685

  • SHA256

    da985b9452149258cc7ba183811071712a7b682d7ad1fbd1cd7aed8ae75b229a

  • SHA512

    e001c26a1bbae3add8ae183becc6db4155e6c76a51a4e3ce7296a5082f6169f41e9b702e2c587b6eeab6aedb3d1acc5a232207841b1cf26def843912770ab309

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6v:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5a

Malware Config

Targets

    • Modifies visibility of file extensions in Explorer

    • Modifies visibility of hidden/system files in Explorer

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks