General

  • Target

    7d17a134fc4e8ac725230866fe17fe3d_JaffaCakes118

  • Size

    1.8MB

  • Sample

    240731-tq1xqaxbne

  • MD5

    7d17a134fc4e8ac725230866fe17fe3d

  • SHA1

    bc66b4142be0d528dfab255f83bbfd40b45cef4d

  • SHA256

    4a944953f27dbdfddb04b6eab50b981e7fcb8449b808d67f28cb519225a08787

  • SHA512

    4fd3dedd62a01f60a3819fb2b3961a645a47aaeb907e8a0a0441a234844285b984649db2a1d9c75a3c6bc9af970259474b00ed66e39dc1e18252a7b70cacfc3b

  • SSDEEP

    49152:pMrvKuOAkxDKy981+InEmxPwvGVmDSBOWn0EhG:pMrvPwxDKy981+KEmN/Vmsqr

Targets

    • Target

      7d17a134fc4e8ac725230866fe17fe3d_JaffaCakes118

    • Ardamax

      A keylogger first seen in 2013.

    • Ardamax main executable

    • Windows security bypass

    • Modifies Windows Firewall

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment; checking for its registry keys lets the sample detect that it is not on a real Windows host.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Network Share Discovery

      Attempts to gather information about the host's network shares.

    • Drops file in System32 directory
