General
-
Target
6f5dacb7767c14b66459cf46151e35fe_JaffaCakes118
-
Size
495KB
-
Sample
240725-nhc8sswcmj
-
MD5
6f5dacb7767c14b66459cf46151e35fe
-
SHA1
9573bada998152e2d13d8384f4f710a05a0f8eb6
-
SHA256
429cc0a6fe75a25f540d8605315c7bbd6d1e97fb792cb8d5e7e07865f2112e90
-
SHA512
a1836575fc520ddffd4746553ecd2de2f546d23174b1c5b995a942243534fe948482947a98165da58adb47cf755f4b7c9a70148f45acd8af4b35db38f351eb1e
-
SSDEEP
12288:6Cw8LQjKKxvUGGAUzMmt8i/GTlPCFAbkIZ9nnqYL:Vf8dxUGGQhiuT9dQIZ8
Malware Config
Targets
-
-
Target
6f5dacb7767c14b66459cf46151e35fe_JaffaCakes118
-
Size
495KB
-
MD5
6f5dacb7767c14b66459cf46151e35fe
-
SHA1
9573bada998152e2d13d8384f4f710a05a0f8eb6
-
SHA256
429cc0a6fe75a25f540d8605315c7bbd6d1e97fb792cb8d5e7e07865f2112e90
-
SHA512
a1836575fc520ddffd4746553ecd2de2f546d23174b1c5b995a942243534fe948482947a98165da58adb47cf755f4b7c9a70148f45acd8af4b35db38f351eb1e
-
SSDEEP
12288:6Cw8LQjKKxvUGGAUzMmt8i/GTlPCFAbkIZ9nnqYL:Vf8dxUGGQhiuT9dQIZ8
Score10/10-
Modifies WinLogon for persistence
-
Windows security bypass
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Modifies Shared Task Scheduler registry keys
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Indicator Removal
1File Deletion
1Modify Registry
8