General

  • Target

    82335d4eeb36490bdb86308628aa4d48_JaffaCakes118

  • Size

    676KB

  • Sample

    240801-3qqlessgnl

  • MD5

    82335d4eeb36490bdb86308628aa4d48

  • SHA1

    ea6c3b339cc1f295057e967619cafe7c5d1f5e9f

  • SHA256

    a5479d518825e70a86607fa9ea141f446b97c83c963fe1fc508bc87930b47be5

  • SHA512

    7957dcdcb2f4d2052449541ede615f17284e78c8552f66e3eaba407002baad969a55e1de809397f357ca8806d58d628f09de679e3e9e92b8876a9ca4adcdd843

  • SSDEEP

    12288:13TdtLW5WIj1YSSdFxJhpvBSXyMzBUWb9lx/9AgHLo8OW+rB2:dDsj1dE5h5BcJ9nPx/igrp+M

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Targets

    • Target

      82335d4eeb36490bdb86308628aa4d48_JaffaCakes118

    • Size

      676KB

    • MD5

      82335d4eeb36490bdb86308628aa4d48

    • SHA1

      ea6c3b339cc1f295057e967619cafe7c5d1f5e9f

    • SHA256

      a5479d518825e70a86607fa9ea141f446b97c83c963fe1fc508bc87930b47be5

    • SHA512

      7957dcdcb2f4d2052449541ede615f17284e78c8552f66e3eaba407002baad969a55e1de809397f357ca8806d58d628f09de679e3e9e92b8876a9ca4adcdd843

    • SSDEEP

      12288:13TdtLW5WIj1YSSdFxJhpvBSXyMzBUWb9lx/9AgHLo8OW+rB2:dDsj1dE5h5BcJ9nPx/igrp+M

    • Ardamax

      A keylogger first seen in 2013.

    • Ardamax main executable

    • Modifies WinLogon for persistence

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks