b0db11cb8d232f65a27118734a477a2b3d3f0d5e8170f966ba82309cd437c114

Sharing

Copy URL Twitter E-mail

General

Target

15e39284f57c22f430d9788b8dc6093b_JaffaCakes118
Size

12.9MB
Sample

240627-nx1mmszclg
MD5

15e39284f57c22f430d9788b8dc6093b
SHA1

e99508d2b388b9043645afeebb702398917a7e97
SHA256

b0db11cb8d232f65a27118734a477a2b3d3f0d5e8170f966ba82309cd437c114
SHA512

3b6956fd1ce0d6b521b32c4e65dad1a669e7a435ce3d6e8658bcd1dfc4789921dc3366f4c1decf9ff5fe2cd21528cbc52e3a96ca7145896acb420b8d683bde61
SSDEEP

196608:/IZ/PyVuF/+/c+kBZvtcgpi+H35ycfhVFlgadkhe3mPsMEa4CKnwW5rv9yble+YA:ePGkzvtHIGgcftlgHhe79CKOOfo

Score

8^/10

Malware Config

Targets

- Target
  
  AVG Anti-Spyware/!)右鍵解除.bat
- Size
  
  64B
- MD5
  
  a75a22156e655e5d6db6bb0298a49411
- SHA1
  
  fad53e2d54bce7be1c1cff042da2d07b20eb3edb
- SHA256
  
  20da0c27d81abbc7156746fcfefc1c9bce6fded7367db9f10291d698cd71fd8f
- SHA512
  
  171d680258d0c43612fe24e81ce34c1a9ff9ae0c745e8bf6747d1434242966ff83c7579a7bf21f57724ec2a89a236be8523dee920f0f9dddd3021263abfb5cbc
Score

6^/10

persistence
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  AVG Anti-Spyware/!)右鍵设置.bat
- Size
  
  67B
- MD5
  
  dd963ca73c035e87f346b69d82a5ed35
- SHA1
  
  443559323de578cd91a60fd026009985a0102de8
- SHA256
  
  7a6756db0ffa06abaa19ed1ca8bc0bdb2a7bb9e12be980fcfa5062c82203db15
- SHA512
  
  85d73fb8246eb54315d12fe8c22e7e072850c8883d73730ee7b374f3c4f5a397b369049c8569194e24568d943101361325afa4f3d8ea70362552d1a503a076be
Score

7^/10

persistence privilege_escalation
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Modifies system executable filetype association
  persistence
- Adds Run key to start application
  persistence
behavioral3 behavioral4
- Target
  
  AVG Anti-Spyware/1)install.bat
- Size
  
  127B
- MD5
  
  f361f05865fd277c790aa64a65b864cd
- SHA1
  
  9d0dcb55892299748dd39d2dbb6c735caf7cf8a1
- SHA256
  
  e1d82943f10ebc7b3fc2f6a66280535936640dc26395a445b8f937eed72900aa
- SHA512
  
  71e8f0dc5e39b73e2f2431aa33ef0f6a74646286be65de7819b08cdbfe161ee1f0896bb3524d4b6bbf93a5b02293c7ad318c1b5c1ae254f561103edb3629ccb7
Score

8^/10
- Drops file in Drivers directory
behavioral5 behavioral6
- Target
  
  AVG Anti-Spyware/1)uninstall.bat
- Size
  
  129B
- MD5
  
  5021c3c0080a1afa60fb66f63be728b0
- SHA1
  
  52754ce82fcf7a0f77ec9427d5bb932682b08c8d
- SHA256
  
  e861f828e1b20507ca12960709cfe5d4fa61a781aca5933dd99e6f690e4595da
- SHA512
  
  076564ef3039a9d5fa69fe0dff8fefc204b24ad77d6e889d795fc72041438f4af09e8bb057e2e7eb648354610b7c31ea0b00d7a4ac81b5fd7f83a15f54fe82bf
Score

1^/10
behavioral7 behavioral8
- Target
  
  AVG Anti-Spyware/avgas.exe
- Size
  
  6.4MB
- MD5
  
  cc6bc45dd5a58158645e7fb2953604fe
- SHA1
  
  9d5165b765744b6b3e7e4e333c6645f781d87590
- SHA256
  
  1dc221b2d05b287731c78908b50945ad538f206a853d3fcf7fe836ff9c3d1227
- SHA512
  
  2d5510353b45d5dae7dd0a1550d633e6a38f73e40122a354b4e5a65a4d43b876974b33e403b720b7d141d1c708e690f63c682acd18cef07439a825689625f55d
- SSDEEP
  
  24576:724o6Sj9ZEXecCw48QemHJB23RhktTwOmrzCmap+T7ilYeUnJhCR+wZ2Ux:S4o6Sj9ZEXRkjsbktTwOmrugOlYXzG
Score

7^/10

defense_evasion
- Impair Defenses: Safe Mode Boot
  defense_evasion
behavioral10 behavioral9
- Target
  
  AVG Anti-Spyware/avgasc64.sys
- Size
  
  13KB
- MD5
  
  b1d20447ee6c1a1ff4009da17b60cc04
- SHA1
  
  5ff12ecf8185ae26cd28cdb2d970fc24f4420b4b
- SHA256
  
  fdb8efde7d385ba52239a84eb77828d976c08e9e912728a1a282922394aeee1a
- SHA512
  
  c3ea922155bcb2602112b0c6f551281791412e01eaea15d7b4ec2209acfb3148fd43f16bc34c5aed0518ec0c384b2221545f8092227d935fcd38516ca85aabc2
- SSDEEP
  
  192:cow6rg1bNhh0mGAkL/CldolMzMjGwP7IMt90K+ebMbZgjlJMqn6LT:coNU0mNkLCcgUnbS6jW
Score

1^/10
behavioral11 behavioral12
- Target
  
  AVG Anti-Spyware/avgascln.sys
- Size
  
  10KB
- MD5
  
  856b0cee009946bf2d327e6b24fe7e3f
- SHA1
  
  7d728c86ba1adbf1557fbdddfef9bbd3ad183dac
- SHA256
  
  3c9edb48d95b7a5a46c2f9f94a325efbb47efe75d7736ac7763658579582f9c6
- SHA512
  
  eb01034e28fa72ae103662806a4e838ab5ae72fe7f79802d3184eef990d628d895314982209597140d10da590f28f2ee0a76e40e5a6c3d75dbfd2fe392114244
- SSDEEP
  
  192:i4XgHLwiRMRJANIA4L/CldolMzMjGwP7IMt90K+ebMbZgjlJMZnZ:v6LwiRMv2/4LCcgUnbS6jYZ
Score

1^/10
behavioral13 behavioral14
- Target
  
  AVG Anti-Spyware/context.dll
- Size
  
  141KB
- MD5
  
  c9c6386cdcf2706f1bd860d63cf6405c
- SHA1
  
  847dc127ec63d290e97de81f1d7a28049115dd88
- SHA256
  
  c3f4146945bfd270946ce6701e9219bb3b0ddc4bdf3934142875977590b978c3
- SHA512
  
  1b151e73cee50f7d30483e6cdb2de0ec694a1dbd6d02dfc4461a616add710a0015802cefce4212a723f407be3abbd19f5cc50aed7fc21063b604bf3b578aa832
- SSDEEP
  
  3072:hAZ1pbtuR6y5Jz9nvzZyf6ZCwtTMvISvlisBsFUV:OnHy5lJrsiZVMHgMx
Score

1^/10
behavioral15 behavioral16
- Target
  
  AVG Anti-Spyware/context64.dll
- Size
  
  255KB
- MD5
  
  97b9873f6c07e3e9e9c990e63c95ec86
- SHA1
  
  e69d52aa98121efdf37b05f5ae4d5cf73120e550
- SHA256
  
  59903b4f388f454ebc50eea41f8bc702021ee6fe7a9d7a8f57220abbec2285fc
- SHA512
  
  deace22e83cbddf5a0466b2789830c77e125f5a415925b4d2bbf77c84c64765d2460a7ebe9d5738926bff91d952c5088209a9ab0d6a56c7b993e392e808ba0c0
- SSDEEP
  
  6144:laX57JkQo3ormxvSiYs/8RA55S+xQSZOd/hSxDIpln2:law3R6if/86SbSEhbn2
Score

7^/10

persistence privilege_escalation
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral17 behavioral18
- Target
  
  AVG Anti-Spyware/engine.dll
- Size
  
  437KB
- MD5
  
  db265d17b40f4dae581a9bc9c2d6c6ca
- SHA1
  
  5918f64c3b0df10712a0c1969fa5934af538e93c
- SHA256
  
  1771d53e33724eed8887c2aa908a61ece1817d576547bc794f04f5f53e95b310
- SHA512
  
  1ac4409326370eb6359bf00051c804577052510e608c28570f0acd3057d39433e963bfcbfe172d31e86107b2041b0e753c78d3b56e13a83c4ad44a78c5c9d3b5
- SSDEEP
  
  12288:yXeAhXtY9cRR9nyrRz0gxGASj3JQuqfnTJRP:yuAhO6Vyt4H3JNq/TJRP
Score

1^/10
behavioral19 behavioral20
- Target
  
  AVG Anti-Spyware/guard.exe
- Size
  
  305KB
- MD5
  
  5dcd235c061022bcda9aa48670b64211
- SHA1
  
  9924d9b3b3ecb3365e8cbae3a616435103824070
- SHA256
  
  6697cc4a1d246a94a5759e3adfa9e88469dcf5859c5b11e6e9520e75473250c9
- SHA512
  
  ce200bd430cb5a602fe9cad274800588271c1d9385c1750352b04cca6c04bde0ac9ab08027ec5ac11323ca690dd94a9c98bf12372fa50e070639193dd2f3f672
- SSDEEP
  
  3072:+wlwfcY4dGOOspm8GuHlea4Fq3Zdz6U1dE09Z4BaSivBqTBHVYpNnu5d5K7ARzDk:+6YOnV4M3z9U/UC5dQ7ARfz/p1vLBS
Score

1^/10
behavioral21 behavioral22
- Target
  
  AVG Anti-Spyware/guard.sys
- Size
  
  10KB
- MD5
  
  d6f4c1450699901048818b0c3aaf7a17
- SHA1
  
  4abc3633869ca5462689abab172a83b713642a96
- SHA256
  
  a564b8b0921c0cfa5fb367c121323e490b68bc47c4d0e4fa2a0fc83dbf586a0c
- SHA512
  
  d81276225e853434c5b5b0f09a353cb9e02649ca2566a0ae0e0cda24418f274503d5cb47536e47969e7ebeb6e042ee9271e33b5da5aaa313c7133badecb11783
- SSDEEP
  
  192:fKGXmzpKZrYWnL/CldolMzMjGwP7IMt90K+ebMbZgjlJMlW:iGXmoFRnLCcgUnbS6jj
Score

1^/10
behavioral23 behavioral24
- Target
  
  AVG Anti-Spyware/guard64.sys
- Size
  
  11KB
- MD5
  
  9bdf898574a559bdcfe6f4562417bb1c
- SHA1
  
  646b2de323d51bb45ed1c9b2fba37c333407b73a
- SHA256
  
  5064348708bbe4b14a1a03a802dfb484bb4c9bb4ff10787f62b677d80442b65a
- SHA512
  
  af21b72ecef6fa3698ceb82ed555d32e731ad28a55953e4e6cf0ec96480077d947ffc6fae118f7af515a63b01f1dbfacf3bea9e9c58551e0002eac404f17f7ab
- SSDEEP
  
  192:ctQDb8x0L/CldolMzMjGwP7IMt90K+ebMbZgjlJM9L:ctQD3LCcgUnbS6jW
Score

1^/10
behavioral25 behavioral26
- Target
  
  AVG Anti-Spyware/help.chm
- Size
  
  1.4MB
- MD5
  
  3ab4f6896e59e9fb86a4beac0595e785
- SHA1
  
  27d5bf385dd2411e17ae19a56bdc9ca85987e83d
- SHA256
  
  a057a515e74998535fef308abd01fc2f1a6ec8d4ae4073baebcf5ef160b84678
- SHA512
  
  ddf3c8abff0285aa9db8d30a59e34a4562cdf5ea274294349eee3ff52d226533317568ae450a5d8024bc182fe82f51f66461b3fcb10baffde5644907e4f45203
- SSDEEP
  
  24576:RJB2JyvKZ+p1tUW8QcPCoEhuhz5MxLaWHyXG6FXe+5Lh6KpXzLedkfS1X+D:B7vKZ+eJPCQN58efHFBh6Wlfr
Score

1^/10
behavioral27 behavioral28
- Target
  
  AVG Anti-Spyware/shellexecutehook.dll
- Size
  
  77KB
- MD5
  
  3fd0b984601d65c6da8e891a0d5905d1
- SHA1
  
  d789e6aac46de05d933b3d80cdaa2ffa70858f46
- SHA256
  
  00783f23132155f170430db80140f89d2f264500cd3a8975464ec5556416a3ea
- SHA512
  
  164f93af5971952bc7b2e3b6d4e885c3ffc3f07fae2c22f1f51b267ceaeb392f1cb243a85778dad3a858959b3970f2c7f2324aaec8f978006e6dc0d979a464a6
- SSDEEP
  
  1536:WguVtoXnSrGiIdaV2H2XdbFEwcJNu9ijl1+D6PRhs/c:WguVtoXnSrGaXt58eijlwD6PM0
Score

1^/10
behavioral29 behavioral30
- Target
  
  AVG Anti-Spyware/shellexecutehook64.dll
- Size
  
  123KB
- MD5
  
  34cacc39cb68b058ec5c19c9514d789a
- SHA1
  
  fd8f1f4be91da2d3b15f77071199f61b79c2b7a8
- SHA256
  
  05f911cce21651df77afa881ceef51b66de1aee2b3f7de97fa976e7f6203e1d3
- SHA512
  
  b9a243784db9ec4dcce7ad6fb3ddfad72384a67b0f140caf7e31f24b79eac02c10e6c2f730e08ef9d1cfbef8de09052cfe1c89591bb2b8fddeb0ed95e075b2e9
- SSDEEP
  
  3072:VZS8v8aGyg3wFalgNfuCe9l/HNHqOEMTtgoLmjO1:Vo8Ehyg3wFaEuCe/vBYjNj0
Score

7^/10

persistence privilege_escalation
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Adds Run key to start application

Event Triggered Execution: Component Object Model Hijacking

Modifies system executable filetype association

Adds Run key to start application

Drops file in Drivers directory

Impair Defenses: Safe Mode Boot

Event Triggered Execution: Component Object Model Hijacking

Event Triggered Execution: Component Object Model Hijacking

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32