guerrilla | 292cbf497b51fb90b770f93fd66d82c92eb82eb5ec87587d19129101c9282297 | Triage

Sharing

General

Target

LDPlayer9_ens_1552109_ld.exe
Size

12.3MB
Sample

240720-y9r65swgma
MD5

908e05bcf942179e42cac3cc4f9545fe
SHA1

bef82438f0881d828c625066464ac814ab8485ab
SHA256

292cbf497b51fb90b770f93fd66d82c92eb82eb5ec87587d19129101c9282297
SHA512

537e8810f8bc5aa7b599c9b7aed2de208ea0a9ca6d47914e260c257929b7cff913bd9777743940c98a4592b2e84d3af807c4a507680062b5e6c0dfcb6c85bf23
SSDEEP

393216:uLRWV+axbxp41TXj2w5311sHznZc+TEI4gw:EkVjbxWT6w5AbZbTNC

Score

10^/10

guerrilla discovery execution exploit infostealer persistence privilege_escalation rat trojan

Malware Config

Targets

- Target
  
  LDPlayer9_ens_1552109_ld.exe
- Size
  
  12.3MB
- MD5
  
  908e05bcf942179e42cac3cc4f9545fe
- SHA1
  
  bef82438f0881d828c625066464ac814ab8485ab
- SHA256
  
  292cbf497b51fb90b770f93fd66d82c92eb82eb5ec87587d19129101c9282297
- SHA512
  
  537e8810f8bc5aa7b599c9b7aed2de208ea0a9ca6d47914e260c257929b7cff913bd9777743940c98a4592b2e84d3af807c4a507680062b5e6c0dfcb6c85bf23
- SSDEEP
  
  393216:uLRWV+axbxp41TXj2w5311sHznZc+TEI4gw:EkVjbxWT6w5AbZbTNC
Score

10^/10

guerrilla discovery execution exploit infostealer persistence privilege_escalation rat trojan
- Guerrilla
  Guerrilla is an Android malware used by the Lemon Group threat actor.
  trojan infostealer rat guerrilla
- Guerrilla payload
- Creates new service(s)
  persistence execution
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
- Possible privilege escalation attempt
  exploit
- Modifies file permissions
  discovery
- Downloads MZ/PE file
- Legitimate hosting services abused for malware hosting/C2
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Component Object Model Hijacking

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Subvert Trust Controls

Install Root Certificate

SIP and Trust Provider Hijacking

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

guerrilladiscoveryexecutionexploitinfostealerpersistenceprivilege_escalationrattrojan