Overview

overview

10

Static

static

3

0de22e6dca...18.exe

windows7-x64

10

0de22e6dca...18.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    0de22e6dca75f5a7bcf392c08679dc55_JaffaCakes118

  • Size

    1.7MB

  • Sample

    240625-ng8nbazdjr

  • MD5

    0de22e6dca75f5a7bcf392c08679dc55

  • SHA1

    eeabd3b2836ccea078674929101be3b2780b70d3

  • SHA256

    92447d9bc341727db4212256aec9488669641c8393becfd5533656815acf4c62

  • SHA512

    e6aed46ed158d1c0d08a6fe3eccb2edc89240de219f99aba1bd5455102ab8ffe05f8e28044aecd7d63716af305cf8a6c1255bbf5036a1e61b0586d82af3d0517

  • SSDEEP

    49152:WVLKsKoU26YUCdGMg5D+14XIhZp4nOT2hV81pdTa+WexH:WVdKowrCdGMgi4IiOMVipdkexH

Score
10/10
evasionexecutionpersistence

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://pcguarrantor-utility.com/favicon.ico?0=94&1=0&2=2&3=64&4=i-s&5=7601&6=6&7=1&8=99600&9=1033&10=0&11=0000

Extracted

Language
hta
Source
URLs
hta.dropper

http://pcguarrantor-utility.com/favicon.ico?0=94&1=0&2=2&3=64&4=i-s&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=0000

Targets

    • Target

      0de22e6dca75f5a7bcf392c08679dc55_JaffaCakes118

    • Size

      1.7MB

    • MD5

      0de22e6dca75f5a7bcf392c08679dc55

    • SHA1

      eeabd3b2836ccea078674929101be3b2780b70d3

    • SHA256

      92447d9bc341727db4212256aec9488669641c8393becfd5533656815acf4c62

    • SHA512

      e6aed46ed158d1c0d08a6fe3eccb2edc89240de219f99aba1bd5455102ab8ffe05f8e28044aecd7d63716af305cf8a6c1255bbf5036a1e61b0586d82af3d0517

    • SSDEEP

      49152:WVLKsKoU26YUCdGMg5D+14XIhZp4nOT2hV81pdTa+WexH:WVdKowrCdGMgi4IiOMVipdkexH

    Score
    10/10
    evasionexecutionpersistence

    • Disables service(s)

      evasionexecution

    • Modifies WinLogon for persistence

      persistence

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Stops running service(s)

      evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Impair Defenses

1
T1562

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

2
T1489

Tasks