1cb1235b4b0fb34b2037292789f3314dfd870147d3d39ca884b663ccff10de30 | Triage

Sharing

General

Target

071649ddc0b4c0a0b18b4ef0288c8ba4_JaffaCakes118
Size

2.4MB
Sample

240624-hv9jwazdqh
MD5

071649ddc0b4c0a0b18b4ef0288c8ba4
SHA1

1afd91bf85c7128e645c42722117aac4cea7962d
SHA256

1cb1235b4b0fb34b2037292789f3314dfd870147d3d39ca884b663ccff10de30
SHA512

632954f8fff51aade725f31d8a388fcd1f771b7bf289758dfb9f7a769294bb2ea78f94ba78e637f13b6f4a4913ece11f287145659e81b6465ef7c6e8dedac1dc
SSDEEP

49152:wZoXTqPDVfm60nXqBvuT5Mb1ZsAfu4TWVtOGNSmpqnYFe:nqPDVS7TU1aIunZEmp4Y0

Score

10^/10

bootkit evasion execution persistence

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://78.26.187.35/soft-usage/favicon.ico?0=1200&1=EILATWEW&2=i-s&3=59&4=7601&5=6&6=1&7=99600&8=1033

Extracted

Language

hta

Source

URLs

hta.dropper

http://78.26.187.35/soft-usage/favicon.ico?0=1200&1=PKVHMXKI&2=i-s&3=59&4=9200&5=6&6=2&7=919041&8=1033

Targets

- Target
  
  071649ddc0b4c0a0b18b4ef0288c8ba4_JaffaCakes118
- Size
  
  2.4MB
- MD5
  
  071649ddc0b4c0a0b18b4ef0288c8ba4
- SHA1
  
  1afd91bf85c7128e645c42722117aac4cea7962d
- SHA256
  
  1cb1235b4b0fb34b2037292789f3314dfd870147d3d39ca884b663ccff10de30
- SHA512
  
  632954f8fff51aade725f31d8a388fcd1f771b7bf289758dfb9f7a769294bb2ea78f94ba78e637f13b6f4a4913ece11f287145659e81b6465ef7c6e8dedac1dc
- SSDEEP
  
  49152:wZoXTqPDVfm60nXqBvuT5Mb1ZsAfu4TWVtOGNSmpqnYFe:nqPDVS7TU1aIunZEmp4Y0
Score

10^/10

bootkit evasion execution persistence
- Disables service(s)
  evasion execution
- Modifies WinLogon for persistence
  persistence
- Blocklisted process makes network request
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Pre-OS Boot

Bootkit

Privilege Escalation

Boot or Logon Autostart Execution

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

bootkitevasionexecutionpersistence

behavioral2

bootkitevasionexecutionpersistence