General

  • Target

    43d963bb3d6d59917024fbcd50eebaac_JaffaCakes118

  • Size

    4.7MB

  • Sample

    240714-cf12asvdrb

  • MD5

    43d963bb3d6d59917024fbcd50eebaac

  • SHA1

    848a6799540049d5054bd4a9d43521cdcfbf2ea8

  • SHA256

    d2cd99f2ffcad6cc11d3798ad269c5a711ac9a9bd445e940df99b65d8b095d4b

  • SHA512

    efef3abf5c0106b2278fe8701e77a5fdf5aa02da979f70379240d07df3763de84244a1376c958c0773404201b122952dfc9a8b8cf97898c35ee88c6c3dc946c0

  • SSDEEP

    98304:i/W8zYD3JB9+RdcrhzBNmG5DFzD2DhLJFg4mYfU93YjIPR4t263ez3xQiqAQ7BS:i//E3JBsRdmzBAu+gE+RJ2xvFI

Malware Config

Targets

    • Target

      43d963bb3d6d59917024fbcd50eebaac_JaffaCakes118

    • Size

      4.7MB

    • MD5

      43d963bb3d6d59917024fbcd50eebaac

    • SHA1

      848a6799540049d5054bd4a9d43521cdcfbf2ea8

    • SHA256

      d2cd99f2ffcad6cc11d3798ad269c5a711ac9a9bd445e940df99b65d8b095d4b

    • SHA512

      efef3abf5c0106b2278fe8701e77a5fdf5aa02da979f70379240d07df3763de84244a1376c958c0773404201b122952dfc9a8b8cf97898c35ee88c6c3dc946c0

    • SSDEEP

      98304:i/W8zYD3JB9+RdcrhzBNmG5DFzD2DhLJFg4mYfU93YjIPR4t263ez3xQiqAQ7BS:i//E3JBsRdmzBAu+gE+RJ2xvFI

    • Checks computer location settings

Looks up the country code configured in the registry, most likely as a geofence: malware commonly reads this to run only in, or to stay out of, particular countries, so what a sandbox observes can depend on the locale of the analysis VM.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

Looks up Uninstall key entries in the registry to enumerate the software installed on the system (commonly used to fingerprint the host, for example to spot security products or an existing installation).
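The three registry-based signatures above (location check, installed-software enumeration, Run key persistence) can be reproduced from a Process Monitor trace of the sample. The following is an added example and not code from the sandbox or from the analysed sample: it parses Procmon's CSV export and flags the same three behaviours. Procmon is used rather than Sysmon because two of the three are registry reads, which Sysmon does not log. The CSV rows, PIDs, GUIDs and paths are constructed for illustration, and the registry locations (the per-user GeoID under Control Panel\International, the Uninstall and Run keys) are the usual ones, an assumption here since the report does not name the keys the sample touched.

```python
"""Detect the three registry-based signatures above (location check,
installed-software enumeration, Run-key persistence) in Process Monitor
registry events. Procmon rather than Sysmon because two of the three are
registry reads, which Sysmon does not log.

Added example, not code from the sandbox or the analysed sample. The rows,
PIDs, GUIDs and paths are constructed, and the key locations are the usual
ones (an assumption; the report does not say which keys the sample read).
"""
import csv
import io
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    process: str    # image name that performed the operation
    operation: str  # Procmon vocabulary: RegOpenKey, RegQueryValue, RegSetValue, ...
    path: str       # registry path as Procmon prints it (HKCU\..., HKLM\...)
    detail: str     # value data for RegSetValue, otherwise Procmon's detail text


@dataclass(frozen=True)
class Finding:
    signature: str
    process: str
    evidence: str


READ_OPS = {"RegOpenKey", "RegQueryValue", "RegEnumKey", "RegEnumValue"}
# Configured country: the per-user GeoID ("Nation") or the locale's sCountry.
GEO_RE = re.compile(r"\\Control Panel\\International\\(Geo\\Nation|sCountry)$", re.I)
# Uninstall subkeys in either the native or the WOW6432Node view.
UNINSTALL_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\([^\\]+)", re.I)
# A value written under Run or RunOnce in HKCU or HKLM.
RUN_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
# Reading this many distinct Uninstall subkeys counts as enumeration rather
# than a product checking for its own earlier install.
UNINSTALL_THRESHOLD = 3


def parse_procmon_csv(text: str) -> list[RegEvent]:
    """Keep only the registry rows of a Procmon CSV export (File > Save, CSV)."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["Operation"].startswith("Reg"):
            events.append(RegEvent(row["Process Name"], row["Operation"],
                                   row["Path"], row.get("Detail", "")))
    return events


def scan(events: list[RegEvent]) -> list[Finding]:
    findings: list[Finding] = []
    uninstall_seen: dict[str, set[str]] = {}  # process -> Uninstall subkeys read
    geo_reported: set[str] = set()
    for ev in events:
        if ev.operation in READ_OPS and GEO_RE.search(ev.path) and ev.process not in geo_reported:
            geo_reported.add(ev.process)
            findings.append(Finding("checks_computer_location", ev.process, ev.path))
        m = UNINSTALL_RE.search(ev.path)
        if m and ev.operation in READ_OPS:
            uninstall_seen.setdefault(ev.process, set()).add(m.group(1).lower())
        if ev.operation == "RegSetValue" and RUN_RE.search(ev.path):
            findings.append(Finding("adds_run_key", ev.process, f"{ev.path} <- {ev.detail}"))
    for process, keys in uninstall_seen.items():
        if len(keys) >= UNINSTALL_THRESHOLD:
            findings.append(Finding("checks_installed_software", process,
                                    f"{len(keys)} Uninstall subkeys read"))
    return findings


# Constructed trace: RunDict.exe does all three things; explorer.exe reads one
# Uninstall entry (normal) and opens a file (not a registry event at all).
SAMPLE_CSV = r'''Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:00:01.0001,RunDict.exe,4120,RegQueryValue,HKCU\Control Panel\International\Geo\Nation,SUCCESS,"Type: REG_SZ, Length: 8, Data: 244"
10:00:01.0002,RunDict.exe,4120,RegEnumKey,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,SUCCESS,"Index: 0, Name: {0001-AAAA}"
10:00:01.0003,RunDict.exe,4120,RegQueryValue,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0001-AAAA}\DisplayName,SUCCESS,"Type: REG_SZ, Length: 24, Data: Example App"
10:00:01.0004,RunDict.exe,4120,RegQueryValue,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0002-BBBB}\DisplayName,SUCCESS,"Type: REG_SZ, Length: 22, Data: Example AV"
10:00:01.0005,RunDict.exe,4120,RegQueryValue,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0003-CCCC}\DisplayName,SUCCESS,"Type: REG_SZ, Length: 26, Data: Example Tool"
10:00:01.0006,RunDict.exe,4120,RegSetValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater,SUCCESS,"Type: REG_SZ, Length: 92, Data: C:\Users\user\AppData\Roaming\Updater\upd.exe"
10:00:02.0001,explorer.exe,1804,RegQueryValue,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0001-AAAA}\DisplayIcon,SUCCESS,"Type: REG_SZ, Length: 66, Data: C:\Program Files\Example\app.exe"
10:00:02.0002,explorer.exe,1804,CreateFile,C:\Users\user\Desktop,SUCCESS,Desired Access: Read
'''

if __name__ == "__main__":
    for f in scan(parse_procmon_csv(SAMPLE_CSV)):
        print(f"{f.signature:26} {f.process:13} {f.evidence}")
```

The Uninstall threshold is what separates enumeration from a single product checking whether it is already installed; tune it against a clean baseline of the image you analyse in, since installers and updaters read a handful of these keys legitimately.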

    • Target

      $PLUGINSDIR/InstallOptions.dll

    • Size

      33KB

    • MD5

      c6e1bd79c42fae30f95db66d168ca034

    • SHA1

      7cdd4a01b55b5e99b3f007e67c0f403e996af456

    • SHA256

      4f13328bf6a006897b0ea5481a27fc96bc1edcf7eeb9816023f583471af2d5bb

    • SHA512

      3b3214907be4c54362d615cdbe1dd7993fe825c8ae8cca76c8e27549bb3155a9c4970c2cf2711a97bf280f1958cf1aa41864226e2a68d32e6343c3704a9856f1

    • SSDEEP

      384:pbme/+uycTFC1zedCa2pbzDgp4CZkGTTh26rK+KtbQyhPE:piuycT01zedCa6bwp4nLZ

    Score
    3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      28KB

    • MD5

      67377462619cd6b7ebdf4acd85e9dc7a

    • SHA1

      9d9578c9d8581e1374395e3944f3ccbb166909ae

    • SHA256

      6e4870c69662ef7832535668b9a44c093eb971711ca8695b4daa7f5af6c5c96f

    • SHA512

      0f552487f38fa25937096fec0f6bb2f7de707d980db681f600f93596043533e8618b76cdfd7aa43aaebf45ee019682ac85b700e774c44d55c2a4c86a08afaa2f

    • SSDEEP

      384:0vbX+g+YpnOkBTGyRXWqluRWspXEB67Tyg+:bg+YFTBxR96zW

    Score
    3/10
    • Target

      Acrobat2Dict.dll

    • Size

      15KB

    • MD5

      baea06bd593b34e67bfa64ecb25ca5b3

    • SHA1

      0702e9e89d0699bab1250e756a4ac1de55963df8

    • SHA256

      ee7032ef0abf34e87d3225fceea2dc2381ed793ab898ab30c807e8fb929c50b4

    • SHA512

      951b2e8b8b50ddf0218078d77bf6b3f85ff7e4d5d7914de0fd9c9679c986fd52c9462a9e6cdf1099e5c32f7037de7f3290b7a85bd05a27b0f8bdab5a51ed5094

    • SSDEEP

      192:zVeBIHeJiIL5gxrtifxGz4Oa3Xz6Akpbk8pFf3eyowJL/8Qpkqs1IO8Lk5+ebCf/:FeQIL5gxYfOWj6LXb2YJLu1qabCZh

    Score
    1/10
    • Target

      RunDict.exe

    • Size

      361KB

    • MD5

      ad2960fde1e77cb9f59ba8ebde31b73a

    • SHA1

      93bffbd719f2017beece3dcabe2e5a5b093d7844

    • SHA256

      791597b08e6d3f2358ce6ceaab6abc94c030da7ee9b22baf594c58f8d1f6b040

    • SHA512

      00369da06d7e22104821cce62e1398a1625acb8f0d21b28d9b507ba092c8069314a810558c67d9762f0708fae77673e253153c92569acef7a1c30f00a6e7a7ac

    • SSDEEP

      6144:ueoo4DrmbppQbNWDf79h5L0lvfW1NGu/HhQ1UCDICJlhM8:2Dr2ppQMcvfW3DHhQ1J5hM8

    Score
    7/10
    • Checks computer location settings

Looks up the country code configured in the registry, most likely as a geofence: malware commonly reads this to run only in, or to stay out of, particular countries, so what a sandbox observes can depend on the locale of the analysis VM.

    • Target

      TextExtractorImpl32.dll

    • Size

      137KB

    • MD5

      b31cd29ddde252ee33a8f0e9e5717597

    • SHA1

      4c9d57a30ca956818390268ba05aa1c73ce914ee

    • SHA256

      82a56ed85159f91ce37499a615c498fa28b19d2dc3cc3c17c73f01b9a2b341ad

    • SHA512

      c4ace3248cf854075926bf3ffe1aae415a4ff84ef0ab9de9a3f25555713ac49b8d4c3cdba70046ae260621847ff0b3e0880b4d8484f50bb2d6815592aca58b9a

    • SSDEEP

      1536:1fAkwn/zRC9OGhvzPGShipqKdIhbM3j+VoytDQXpSaaBCv6:uk0Cz3TbM3CVPtDmpyU6

    Score
    1/10
    • Target

      TextExtractorImpl64.dll

    • Size

      177KB

    • MD5

      7da77931e37e75e125b45e8178a11926

    • SHA1

      fe9f4775d1dc47e56870cac0f279b3d0387eae42

    • SHA256

      f3579609f1beacae23d0e1c32833c1f46ea1fe56686e1c99d728d181c0d0fd15

    • SHA512

      7f1d48ae2716dcb1faffbb6df7798c21638c80d5aa4f63a88d8d721a2eed2d6accac6bbb4d917ab0e2d5c5be77cf29c0775dc8e47fd94c9b0c51033e4a0029cb

    • SSDEEP

      3072:L5aXkG7qAvcjMMcO9Hc+k5cNkNmt/f9H0D6iTbdFLB0TuWQSHkoPBBivURSBc3yd:LcXkGl7mtt668LwfEuBiRo+3FmEx

    Score
    1/10
    • Target

      WordBook.exe

    • Size

      1.0MB

    • MD5

      8f53c2d99bfa673b55166bcf1ff7d7da

    • SHA1

      926c2a8973e865e97bc8efd2853fe452baf1de9a

    • SHA256

      3c427a32b5f6d01035fbf6ef41e24cec36dbd6bdf2623e92415b3db38cf29c7d

    • SHA512

      06eea32886ed3b710c7ec794296c7cb7aadb82cf8e6efd24e4c7e3441dc32ae17a56b169df5763988ef77cc392e4e54e95abbe89e8886c3450bb0957c82e589e

    • SSDEEP

      24576:0r+oR7XHVaUOt/5pUrbeUAyQ4m2n9OB2U3EZVm54g2Tfj1WwYkSwTBFB:MZ9RQLc9TUmTfj1vSwTBFB

    Score
    1/10
    • Target

      WordStrokeHelper32.dll

    • Size

      61KB

    • MD5

      e3f08af060c913fa3948fcad85edd343

    • SHA1

      b5d1b0273972be14502ee79bcd5bf719436c26b0

    • SHA256

      37f5775a2e00da7cea3b690e5550d8a6549c2606d14a4cfa43c5f2fc184ebcb6

    • SHA512

      dfbe89b323057439bb6e1927abe040aecc1087b4d5096da3fd64c831069cd41ac5fc348de5c617329934a744a8221901cf1b48035e6b5ae78ab0a3dbe0fccc24

    • SSDEEP

      768:diDc9QH0zkuqVGg2WDW4NKZ5ec7JtVtStLWRbCF:dzir2wWH5ec7htwaBCF

    Score
    1/10
    • Target

      WordStrokeHelper64.dll

    • Size

      53KB

    • MD5

      8357d6cfc7c77548ba4a17d75783dd99

    • SHA1

      6cf7b405875a1d2de3839b9c91170da36879ed96

    • SHA256

      88c877999dbaaf3a14cc392396aaeaad6fadbcf10db71f72aee08d0d495d8a9f

    • SHA512

      eff88cabed1d966a8ec2a051cb45f60b43df6112be8c264d12d3caceede4d1355788eaf5a336244fb1dda011f03a96b54b8a687b36d6f70649defe43e7b2518e

    • SSDEEP

      768:fS9xVf4n/RL2oMtl3llHfbsgg/i265ZOvSAo1LwFLWRbCE:K9nwnKDfbsg8i2UZOKLwFaBCE

    Score
    1/10
    • Target

      YodaoDict.api

    • Size

      176KB

    • MD5

      f644fd525eb7a16842963458f95a8f24

    • SHA1

      9fd9bad66fd39348dbb1faa58b8e3841663acdb4

    • SHA256

      378c1de993cbb32e9cf8663b1c20986733da5e8755649eac1dee2938332fc319

    • SHA512

      0436cd4a2302953900e2a5799f1585682f22f39cce54bc0e9ff9a48338056ba3853af04bdc6ae8c4304305ff70d4a094723188da197cca25b66ef9404fe3c0a9

    • SSDEEP

      3072:ZzER4JNNQhBs+F41DFa4R+egVGZq6AR06HNAt5iS2:ZzER4JNNmFkDFv+en6a

    Score
    3/10
    • Target

      YodaoDict.exe

    • Size

      1.6MB

    • MD5

      c7ed7d11c78afcff633ad5109445820f

    • SHA1

      fac007401a37d621f32c4ee7e426c153dc12203e

    • SHA256

      99c01ecce6c52ab30736b74c4fd519298b133125b7c2b2c0926763d0f471818a

    • SHA512

      e4ff7760844dbb0c284c7d200eaf95520c7291e6a932289d5b098521e4b759ae4d44390c0dd59b039a8111e892a11872f70f6839126fd3d93e7c4790130d9061

    • SSDEEP

      49152:U630lcQUu3NRT7onBeBXAzYLMRA6jmHrkoJh+5daJXlID:P1QUudIBeBXAzYLMRA6jmHrkoJh+5da0

    Score
    4/10
    • Target

      YodaoOcr.exe

    • Size

      341KB

    • MD5

      53689889820b832ecff70281c0536f8b

    • SHA1

      8fd2aea0b132e12920950152f75e914484e37b2c

    • SHA256

      cc4bfcf13fcd690af6e765a1f0873304db73cc8ba1c538a2a868e60735f42058

    • SHA512

      66a37c85fe4ea2157e7941e418b121d3d4ee231e9c7dfb8c4064a212d416b1ad5b5f12656c2b1a6adfb82b93262f04929a53a74d56ad4612d9f5e2c7d8f07dd0

    • SSDEEP

      6144:gd9qzAqMoCx5t/bpD+RNu6pL/uWV44DkkkkkkkkkkkkHkkkkkkkzKwBjkkkkkAkQ:gqMLL/9D4Nu6o8DkkkkkkkkkkkkHkkkH

    Score
    1/10
    • Target

      YoudaoEH.exe

    • Size

      603KB

    • MD5

      d7b369d9e61e5e44cfad4aa8749fc3ff

    • SHA1

      504851505764cce84efc6566f96358746aad9427

    • SHA256

      69849f427bfcf43b434826f13b8704dcd3062b73c01515822082ee2e8bbb8049

    • SHA512

      9beb5f32fe798a98e876713abb5ab2220d4b4fff06f3b8409860e191c27f67c438805e4886159ebd4d424c423534c1c412ac30665dfd5ae033afbd13fdd32a4e

    • SSDEEP

      12288:aWdX9+ftO60VoNjJVeOgxkUA3z8DkkkkkkkkkkkkHkkkkkkk2ikkkkkAk8kkkkJP:dWtv3VJVeOOQObK

    Score
    1/10
    • Target

      YoudaoGetWord32.dll

    • Size

      301KB

    • MD5

      defdfacb94569297bd74cdce30d014f1

    • SHA1

      29424c26e644dd97b345d7c91b025a65d93d6605

    • SHA256

      7a0fc662db1894071eb3a2b83e0d8c9f00b7ef2604b7aa903ba44f51ced452b1

    • SHA512

      d4e4e37763628bd7757cfa23a88b1cb5cac77c2d89eb8a3030de535203a2e6a3da1b2a1fd4cf7bd183f48cdaa24ad19f1c754da11d83be966f94c3eae73ca6fe

    • SSDEEP

      3072:auyM3vAi0H92IIvvYGfw3Nq+r1+PvvXVEQnNubLin9vSw/az15atltQYVa:aV1vqhDn08vFrtRa

    Score
    1/10
    • Target

      YoudaoGetWord64.dll

    • Size

      481KB

    • MD5

      7e12d51099017eafdf2b7626c514dce4

    • SHA1

      f84a8c654e2ec5e080cea767a44a2d2a803c1e66

    • SHA256

      0114d12aae2ebbfabda09a8e02a1bcffb91e4dce863c1c86b4668436aee50f57

    • SHA512

      c85df7920f76a750af966067a16cafd5acd4fdf2f2514824ad4fa8d7d1bfc487eece0d735c2bb4da685a26d12b383f9f4598e72c17e7dad9a316fccbc1ddedd8

    • SSDEEP

      6144:FnNU7JVDcXhSpr/I5Wez9ap1hhBtWp+UBYw0gEanuGOHZOvHJfWo5HqOuGl6Y:FNlRS+WM9e1rBta+UBYwTOHk7F1gY

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
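The COM hijacking signature raised here and for the main target above is worth checking on a live host rather than trusting the sandbox verdict alone. The following is an added example, not code from the sandbox, from MITRE, or from the analysed sample: it reads a .reg export of the HKCU and HKLM CLSID trees and reports per-user InprocServer32 or LocalServer32 registrations that shadow a different machine-wide server or that load from a user-writable path. The embedded snapshot is constructed; its CLSIDs and DLL paths are made up and are not taken from this report. The detection rests on how COM resolves a CLSID: HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes in which the HKCU entry wins for medium-integrity processes, so a per-user entry redirects every caller of that CLSID and needs no administrator rights to create.

```python
"""Hunt for COM hijacks (ATT&CK T1546.015) in a .reg export of the CLSID trees.

Added example, not code from the sandbox or the analysed sample. The snapshot
below is constructed (made-up CLSIDs and paths, nothing from the report). On a
real host produce the input with
    reg export HKCU\Software\Classes\CLSID hkcu.reg
    reg export HKLM\Software\Classes\CLSID hklm.reg
and pass the concatenated text to parse_reg_export().
"""
import re
from dataclasses import dataclass
from typing import Optional

SERVER_KEYS = ("InprocServer32", "LocalServer32")
HKCU_CLSID = r"HKEY_CURRENT_USER\Software\Classes\CLSID"
HKLM_CLSID = r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID"
# Locations an unprivileged user can write to.
USER_WRITABLE = re.compile(
    r"%(APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%|\\AppData\\|\\Temp\\|\\Users\\Public\\",
    re.I)


@dataclass(frozen=True)
class Hijack:
    clsid: str
    server_key: str              # InprocServer32 or LocalServer32
    user_path: str               # what HKCU (and therefore HKCR) resolves to
    machine_path: Optional[str]  # the HKLM registration, None if there is none
    reason: str


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse the part of the .reg format needed here: [key] headers and
    string values (@ is the key's default value). Other value types are skipped."""
    reg: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            if value.startswith('"') and value.endswith('"'):
                # .reg escapes backslashes and double quotes inside strings
                unescaped = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
                reg[current][name.strip('"')] = unescaped
    return reg


def find_com_hijacks(reg: dict[str, dict[str, str]]) -> list[Hijack]:
    by_lower = {k.lower(): v for k, v in reg.items()}  # registry keys are case-insensitive
    hits: list[Hijack] = []
    for key, values in reg.items():
        parts = key.split("\\")
        if (not key.lower().startswith(HKCU_CLSID.lower() + "\\")
                or len(parts) < 3 or parts[-1] not in SERVER_KEYS or "@" not in values):
            continue
        clsid, server_key, user_path = parts[-2], parts[-1], values["@"]
        machine = by_lower.get(f"{HKLM_CLSID}\\{clsid}\\{server_key}".lower(), {}).get("@")
        reasons = []
        if machine is not None and machine.lower() != user_path.lower():
            reasons.append("HKCU server shadows a different HKLM server")
        if USER_WRITABLE.search(user_path):
            reasons.append("server loaded from a user-writable path")
        # A per-user entry identical to HKLM, or one under Program Files with no
        # HKLM twin, is an ordinary per-user install and is not reported.
        if reasons:
            hits.append(Hijack(clsid, server_key, user_path, machine, "; ".join(reasons)))
    return hits


# Constructed snapshot: CLSID 1 is hijacked, CLSID 2 is a harmless duplicate,
# CLSID 3 is a per-user server from AppData with no machine-wide registration.
SNAPSHOT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\exampleext.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\user\\AppData\\Roaming\\Dict\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{22222222-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{22222222-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{33333333-0000-0000-0000-000000000003}\LocalServer32]
@="C:\\Users\\user\\AppData\\Local\\PerUserApp\\app.exe"
'''

if __name__ == "__main__":
    for h in find_com_hijacks(parse_reg_export(SNAPSHOT)):
        print(f"{h.clsid} {h.server_key}: {h.user_path} (HKLM: {h.machine_path}) -> {h.reason}")
```

Expect benign hits from per-user applications that register their own in-process servers under AppData; the decisive signal is the first reason, a user hive entry that shadows an existing machine-wide server, which is exactly the condition a hijack needs and a legitimate installer has no reason to create.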

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

discovery, persistence, privilege_escalation
Score
7/10

behavioral2

discovery, persistence, privilege_escalation
Score
7/10

behavioral3

Score
3/10

behavioral4

Score
3/10

behavioral5

Score
3/10

behavioral6

Score
3/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
4/10

behavioral10

Score
7/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
3/10

behavioral22

Score
3/10

behavioral23

Score
4/10

behavioral24

Score
4/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

persistence, privilege_escalation
Score
7/10

behavioral32

persistence, privilege_escalation
Score
7/10