General

  • Target

    3f3ad2ecae96a7640ec6f0272a7626b9_JaffaCakes118

  • Size

    7.4MB

  • Sample

    240712-22pb3avblj

  • MD5

    3f3ad2ecae96a7640ec6f0272a7626b9

  • SHA1

    cfe1ca816755f04c055a8d238a0077aeb3b22cf1

  • SHA256

    f7d20a05b51c7896cd9a716f55e983e43b02390d042642c0969bffff478e14b3

  • SHA512

    64a3d9519d3c5ba92ef738a17313900516fbad977f32d7549b1ec47373d8ca8dac5cfef493b924664738d42e489a59c95ee01a40a57b1e3f34e655eed374f2ea

  • SSDEEP

    768:xvEk/bzQ7RlxhvtpjRR7ePoxBz1d4oJoobHYJJSmjppwIiSTsWbR3b+xhv97jZ6L:xJF

Malware Config

Targets

    • Target

      3f3ad2ecae96a7640ec6f0272a7626b9_JaffaCakes118

    • Modifies WinLogon for persistence

    • Modifies Windows Defender Real-time Protection settings

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Turns off Windows Defender SpyNet reporting

    • Windows security bypass

    • Looks for VirtualBox Guest Additions in registry

    • Orcurs Rat Executable

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Windows security modification

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks