f6f161bde933a77243f8107a7d1c75c628d5e8c654f84296325ab24596d04480 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

a502bc85e085655d21a69ca05c1b8e22_JaffaCakes118
Size

9.1MB
Sample

240613-l6s8tayark
MD5

a502bc85e085655d21a69ca05c1b8e22
SHA1

cf283bebba0b75def2c21762f98e8e352a3fa578
SHA256

f6f161bde933a77243f8107a7d1c75c628d5e8c654f84296325ab24596d04480
SHA512

b989c5f1358b2778c5cd03245570f92ec7b7cbe5e8885fa46098f654c8ed89739fabe7c6e43d8cbb5e9d8530d443668470ec29478dfd214b00739cc291b44de1
SSDEEP

196608:5c4BiYq0D9y2jkLtyUK2Vb/c4BiYq0D9y2jkLtyUK2Vb0ZZmtUzLMBTNcC3A:5cKiYvD0Dss5/cKiYvD0Dss5FUzLMBT0

Score

9^/10

bootkit evasion link pdf persistence

Malware Config

Targets

- Target
  
  Frombyte Recovery For DV v2.1.exe
- Size
  
  3.2MB
- MD5
  
  15b7315f45b00e4930407b0f4df5a00a
- SHA1
  
  097c7c51e78c8c6240edfe8e3d9f6563d2155bf8
- SHA256
  
  1e89c1cdf921f125b3a41973036372b5aad7118509b2efec6bf8285356afabb5
- SHA512
  
  c5051801027f2cc317379da1fc3cd3938cdc14503b0c5e436f3a63ec0d9043f480572b4ff25c4d6a2ff981328ec75b58c9e7de0c4f2710803a6a0060cd64eb9c
- SSDEEP
  
  98304:dWpNg4lf34NoV8yZfVn4C7DWuFyM1Pw9CuvZ+:yNgmI+VhVn4ID1mCuvZ+
Score

9^/10

bootkit evasion persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Frombyte_Recovery_For_DV/Frombyte Recovery For DV v2.1.exe
- Size
  
  3.2MB
- MD5
  
  15b7315f45b00e4930407b0f4df5a00a
- SHA1
  
  097c7c51e78c8c6240edfe8e3d9f6563d2155bf8
- SHA256
  
  1e89c1cdf921f125b3a41973036372b5aad7118509b2efec6bf8285356afabb5
- SHA512
  
  c5051801027f2cc317379da1fc3cd3938cdc14503b0c5e436f3a63ec0d9043f480572b4ff25c4d6a2ff981328ec75b58c9e7de0c4f2710803a6a0060cd64eb9c
- SSDEEP
  
  98304:dWpNg4lf34NoV8yZfVn4C7DWuFyM1Pw9CuvZ+:yNgmI+VhVn4ID1mCuvZ+
Score

9^/10

bootkit evasion persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4
- Target
  
  Frombyte_Recovery_For_DV/北亚摄像机恢复软件V2.1文档.doc
- Size
  
  2.8MB
- MD5
  
  96050adce5a863f608872c6eaba590a6
- SHA1
  
  bc31d90d585343cb19c83002fce7d5a211e762a4
- SHA256
  
  517af1181cf80c43d5a66341fe75cdd80ea0d22b5f7212a290abe259190bec55
- SHA512
  
  1d5eccd957631cc0d5122c64ee05f5d1d2e6b777c3f4715ea57e19ea17c0dad79e4d4a84756eaabab2f4362c18f3418f3b3fb38d8082b2c29a4f43e511738074
- SSDEEP
  
  49152:MRg55LBwaX1r4Vna0uJkWReAMbx5EsHOABSgVRl9ivQ/CtNz:MRytX1cVyyV5EnABSgVtta
Score

4^/10
behavioral5 behavioral6
- Target
  
  Frombyte_Recovery_For_DV/北亚摄像机数据恢复软件使用说明 .pdf
- Size
  
  559KB
- MD5
  
  1650b4ad1de54df0714c201f832557c0
- SHA1
  
  d6b2ad633bb0b256124e7aa853d10f0c54198e20
- SHA256
  
  78cc07161d007d91d06a614f4fc4a8d3a500676f6cd52477eafbb99a93327862
- SHA512
  
  f6678b3282efa334ac443f1007ae3f1ec04761efd8e15e2fc015ee14836299ade69c6629d2c342738513551d433adc1bc5d185f899666420a0651dd4fd66aa16
- SSDEEP
  
  12288:0v/MmS90ck44P+E/MmS90cku7O3dLjMQGabVwVG4zwpzne:0HMmuRk44dMmuRku7O3BiVG4EJe
Score

1^/10
behavioral7 behavioral8
- Target
  
  使用说明.pdf
- Size
  
  559KB
- MD5
  
  1650b4ad1de54df0714c201f832557c0
- SHA1
  
  d6b2ad633bb0b256124e7aa853d10f0c54198e20
- SHA256
  
  78cc07161d007d91d06a614f4fc4a8d3a500676f6cd52477eafbb99a93327862
- SHA512
  
  f6678b3282efa334ac443f1007ae3f1ec04761efd8e15e2fc015ee14836299ade69c6629d2c342738513551d433adc1bc5d185f899666420a0651dd4fd66aa16
- SSDEEP
  
  12288:0v/MmS90ck44P+E/MmS90cku7O3dLjMQGabVwVG4zwpzne:0HMmuRk44dMmuRku7O3BiVG4EJe
Score

1^/10
behavioral10 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bootkitevasionpersistence

behavioral2

bootkitevasionpersistence

behavioral3

bootkitevasionpersistence

behavioral4

bootkitevasionpersistence

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10