Resubmissions

19-06-2024 15:51

240619-taf8dashpd 10

19-06-2024 07:13

240619-h2hdzawelb 10

General

  • Target

    bd38e93c22ab359d615e7464fd252363_JaffaCakes118

  • Size

    17.0MB

  • Sample

    240619-taf8dashpd

  • MD5

    bd38e93c22ab359d615e7464fd252363

  • SHA1

    a2100f45c63843df24fc95f0179851399951f9d7

  • SHA256

    b072506b100e143611b6b01f8e4ac35115665771f6f25685d1e5f5426cc7f03b

  • SHA512

    014c37ff5b55569a62db9be82df29102b1cb1e8ced11d25b3aedbf79dff2be9ddd3f577d1781a68b84ae39a62be1d99b156965c17c052315e67f43e0c9486cd1

  • SSDEEP

    393216:iYp4jGXCrXu7RJuDZEIjUYmq1HmcopWtmeUb969RooKtN:HpnXDRAhocm4tLA9eRGN

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    194.67.198.139
  • Port:
    21
  • Username:
    alex
  • Password:
    easypassword

Targets

    • Target

      bd38e93c22ab359d615e7464fd252363_JaffaCakes118

    • Size

      17.0MB

    • MD5

      bd38e93c22ab359d615e7464fd252363

    • SHA1

      a2100f45c63843df24fc95f0179851399951f9d7

    • SHA256

      b072506b100e143611b6b01f8e4ac35115665771f6f25685d1e5f5426cc7f03b

    • SHA512

      014c37ff5b55569a62db9be82df29102b1cb1e8ced11d25b3aedbf79dff2be9ddd3f577d1781a68b84ae39a62be1d99b156965c17c052315e67f43e0c9486cd1

    • SSDEEP

      393216:iYp4jGXCrXu7RJuDZEIjUYmq1HmcopWtmeUb969RooKtN:HpnXDRAhocm4tLA9eRGN

    • Disables service(s)

    • Modifies Windows Defender Real-time Protection settings

    • Modifies visiblity of hidden/system files in Explorer

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    • UAC bypass

    • Windows security bypass

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Blocklisted process makes network request

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible privilege escalation attempt

    • Server Software Component: Terminal Services DLL

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Stops running service(s)

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Cryptocurrency Miner

      Makes network request to known mining pool URL.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Hide Artifacts: Hidden Users

MITRE ATT&CK Enterprise v15

Tasks