Overview

overview

9

Static

static

3

747af7ee58...18.exe

windows7-x64

9

747af7ee58...18.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    747af7ee58944a2f1ad8cbcac3b788a7_JaffaCakes118

  • Size

    2.9MB

  • Sample

    240726-r2354sxeqg

  • MD5

    747af7ee58944a2f1ad8cbcac3b788a7

  • SHA1

    fc5c44b83017339e07a386397f13d06939a5d8fd

  • SHA256

    026b73f612f4c1a9a6144aca74a0e17cd9b767e3b9547af4844c01a5dd31e0fd

  • SHA512

    fd406a2edbc4b8e4698ca593baac8f816707fb6e03a60d92cbd9e293b2406f75dc0e771eaff21c08bbcd359feb27011e25ebec8862927c666291e3f8db70c6ea

  • SSDEEP

    49152:fOvbJp7HMUgLNu6e4t8dmr2Ar7TRjGSHR4jA4/rmCE6uXuHj4AmS1a2bf:Wf7G46FtwmqU7TRB4jAg+Xu0s57

Score
9/10
bootkitdiscoveryevasionpersistencetrojan

Malware Config

Targets

    • Target

      747af7ee58944a2f1ad8cbcac3b788a7_JaffaCakes118

    • Size

      2.9MB

    • MD5

      747af7ee58944a2f1ad8cbcac3b788a7

    • SHA1

      fc5c44b83017339e07a386397f13d06939a5d8fd

    • SHA256

      026b73f612f4c1a9a6144aca74a0e17cd9b767e3b9547af4844c01a5dd31e0fd

    • SHA512

      fd406a2edbc4b8e4698ca593baac8f816707fb6e03a60d92cbd9e293b2406f75dc0e771eaff21c08bbcd359feb27011e25ebec8862927c666291e3f8db70c6ea

    • SSDEEP

      49152:fOvbJp7HMUgLNu6e4t8dmr2Ar7TRjGSHR4jA4/rmCE6uXuHj4AmS1a2bf:Wf7G46FtwmqU7TRB4jAg+Xu0s57

    Score
    9/10
    bootkitdiscoveryevasionpersistencetrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Checks whether UAC is enabled

      evasiontrojan

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks