Overview

overview

10

Static

static

3

02ddc227ce...18.exe

windows7-x64

10

02ddc227ce...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    02ddc227cefe4aeaf843b58ef2f01209_JaffaCakes118

  • Size

    1.4MB

  • Sample

    240622-tpf6xstepe

  • MD5

    02ddc227cefe4aeaf843b58ef2f01209

  • SHA1

    4e9977a61b4b2d73203400a1b6eafa92896ac4df

  • SHA256

    763517d388e095c48a1f67cc58cf1a92c91520b401b8e101ec84713a1bae265f

  • SHA512

    3a7e8fde2aef658a8f5b476d1fd38288af69dc59d0f953d99c9aa1a68a5d16007a53ede25502050174b142d1504afa0265741fe12ed7cb12c55a6305e46cb8cf

  • SSDEEP

    24576:Eh7npsDHDBxnk8Xt7rSk7DevjU2/313UQaeLkSnHeCGjUHS:0npsJ5t7WkX3klGeLkS+ZV

Score
10/10
cybergatedarkcometbootkitevasionpersistenceratstealertrojanupx

Malware Config

Targets

    • Target

      02ddc227cefe4aeaf843b58ef2f01209_JaffaCakes118

    • Size

      1.4MB

    • MD5

      02ddc227cefe4aeaf843b58ef2f01209

    • SHA1

      4e9977a61b4b2d73203400a1b6eafa92896ac4df

    • SHA256

      763517d388e095c48a1f67cc58cf1a92c91520b401b8e101ec84713a1bae265f

    • SHA512

      3a7e8fde2aef658a8f5b476d1fd38288af69dc59d0f953d99c9aa1a68a5d16007a53ede25502050174b142d1504afa0265741fe12ed7cb12c55a6305e46cb8cf

    • SSDEEP

      24576:Eh7npsDHDBxnk8Xt7rSk7DevjU2/313UQaeLkSnHeCGjUHS:0npsJ5t7WkX3klGeLkS+ZV

    Score
    10/10
    cybergatedarkcometbootkitevasionpersistenceratstealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Adds policy Run key to start application

      persistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Active Setup

1
T1547.014

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Active Setup

1
T1547.014

Defense Evasion

Modify Registry

4
T1112

Virtualization/Sandbox Evasion

1
T1497

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Query Registry

5
T1012

System Information Discovery

6
T1082

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks