a6e0ce289db711413ba5395a80e50a0ed95c3927448492d3ecde38506227c571 | Triage

Sharing

General

Target

1f9b619074e3ef7c19b296330e290dde_JaffaCakes118
Size

2.0MB
Sample

240702-rmcdvazgrr
MD5

1f9b619074e3ef7c19b296330e290dde
SHA1

8342d1aa1cef5d5d10ee68a4dfcca4de12599502
SHA256

a6e0ce289db711413ba5395a80e50a0ed95c3927448492d3ecde38506227c571
SHA512

3ae7ef2c3181b44816e0cb7186b113c8e99d97e06a56d7b4babf283cdc342f18273e39c66912c41bdbbabc62303bb8bb998cee9db0234847a521df46ae6784c6
SSDEEP

49152:DKqoP5uG7LG6sjWmlwsg7IklBKZICcDIGXQvh9zK4tMy+iZKnkJeYuFEb:DQP5uGvC9bg7DlBqICchX8W1iZgkJLuo

Score

10^/10

evasion execution persistence trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://galaint.coolsecupdate.info/?0=154&1=1&2=1&3=35&4=i&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=0000&12=vijldqbhas&14=1

Targets

- Target
  
  1f9b619074e3ef7c19b296330e290dde_JaffaCakes118
- Size
  
  2.0MB
- MD5
  
  1f9b619074e3ef7c19b296330e290dde
- SHA1
  
  8342d1aa1cef5d5d10ee68a4dfcca4de12599502
- SHA256
  
  a6e0ce289db711413ba5395a80e50a0ed95c3927448492d3ecde38506227c571
- SHA512
  
  3ae7ef2c3181b44816e0cb7186b113c8e99d97e06a56d7b4babf283cdc342f18273e39c66912c41bdbbabc62303bb8bb998cee9db0234847a521df46ae6784c6
- SSDEEP
  
  49152:DKqoP5uG7LG6sjWmlwsg7IklBKZICcDIGXQvh9zK4tMy+iZKnkJeYuFEb:DQP5uGvC9bg7DlBqICchX8W1iZgkJLuo
Score

10^/10

evasion execution persistence trojan
- Disables service(s)
  evasion execution
- UAC bypass
  evasion trojan
- Disables taskbar notifications via registry modification
  evasion
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Image File Execution Options Injection

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Image File Execution Options Injection

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

behavioral2

evasionexecutionpersistencetrojan