General
- Target: 305efd8a0813d6137905717404f55080_JaffaCakes118
- Size: 320KB
- Sample: 240709-pmg8zswapc
- MD5: 305efd8a0813d6137905717404f55080
- SHA1: 5f562bb803a979450f77cab880bdbd482a97d290
- SHA256: 7bad3075466bf0a7c4a51fc47beb48ed49fb60bff3c485be9693d399da106703
- SHA512: 529b5c16382d7c86e233936d59f688c1db009ec9600d88e976bb2dfefe6c31f63c362ab8041ca9b8eac19c02dff63c5ba1c2cb6c3e5d5427046e997b336ecf72
- SSDEEP: 6144:rTwZo1IV3puaibGKFHi0mofhaH05kipz016580bHFbl86JQPDHDdx/QtqR:fXgvmzFHi0mo5aH0qMzd5807FRPJQPDV
Static task: static1
Behavioral task: behavioral1
- Sample: 305efd8a0813d6137905717404f55080_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 305efd8a0813d6137905717404f55080_JaffaCakes118.exe
- Resource: win10v2004-20240704-en
Malware Config
Targets
- Target: 305efd8a0813d6137905717404f55080_JaffaCakes118
- Size: 320KB
Score: 10/10
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)