Overview

overview

8

Static

static

3

4c651d5264...18.exe

windows7-x64

8

4c651d5264...18.exe

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4c651d5264683e2d654ade96736517aa_JaffaCakes118

  • Size

    160KB

  • Sample

    240716-cng86atalf

  • MD5

    4c651d5264683e2d654ade96736517aa

  • SHA1

    3f719307c7f9f47e8b7b8cf4c181dd87f82befb4

  • SHA256

    383848a72073f274cc33b502030e13427981a6b144b26c8d70f4b7cf1afbbd91

  • SHA512

    abdf044c131c035b07637e2ca2df2ac770a3a056e900b62050e79c9e8eda9ea49564ccc6fd6296b60563f432c9b0d90cd5b4f47199873c51af0c927981905644

  • SSDEEP

    3072:h/SY8+c2xq3ddXJAB0wJAKyUvqolAnQ0gol06jykq1x4SA:h6Y8xTJAB0ebyU2nQ0gUHykq1/

Score
8/10
evasionpersistenceprivilege_escalationspywarestealer

Malware Config

Targets

    • Target

      4c651d5264683e2d654ade96736517aa_JaffaCakes118

    • Size

      160KB

    • MD5

      4c651d5264683e2d654ade96736517aa

    • SHA1

      3f719307c7f9f47e8b7b8cf4c181dd87f82befb4

    • SHA256

      383848a72073f274cc33b502030e13427981a6b144b26c8d70f4b7cf1afbbd91

    • SHA512

      abdf044c131c035b07637e2ca2df2ac770a3a056e900b62050e79c9e8eda9ea49564ccc6fd6296b60563f432c9b0d90cd5b4f47199873c51af0c927981905644

    • SSDEEP

      3072:h/SY8+c2xq3ddXJAB0wJAKyUvqolAnQ0gol06jykq1x4SA:h6Y8xTJAB0ebyU2nQ0gUHykq1/

    Score
    8/10
    evasionpersistenceprivilege_escalationspywarestealer

    • Modifies Windows Firewall

      evasion

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials in Registry

1
T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks