Resubmissions

  • 02-08-2024 20:00: 240802-yq2w8sshph (3)
  • 02-08-2024 07:24: 240802-h8rafssern (10)

General

  • Target: GorillaLocomotion.unitypackage
  • Size: 11KB
  • Sample: 240802-h8rafssern
  • MD5: 00868c9fd9a235abd264a6dfd1989442
  • SHA1: bfc26299a36d8c914b3e2dcfe5fb9853e8489feb
  • SHA256: fd25f6525440ccb59b3d8bb0a69d673f78f761c21ba456f4149fdf3de4df2d82
  • SHA512: e77b3f4264a2a69828c3b5b929c10ae72a6f6a0cbf3f96f8f855ca0cf72207ac1bb50ef68f225d1f3514553713c41c3925b6213da3a093901c27d4ffcd2547d8
  • SSDEEP: 192:CB7hd5uc/RZmkBluqzhyuGldQ5bOeWRo2R2i7ZlGp4CSXJzWwilyB6zz:oBuGRZm8BzhyXlO5dWRoBiOpYXtlSykX

Targets

    • Target: ce5c2251d70caf148bbad13bb99ebf54/pathname
    • Size: 50B
    • MD5: e9aef410c36b93cce19cc1509bf8b7eb
    • SHA1: d1ac4ad8c2e5e00dc3ce8474e3a46aafc9256075
    • SHA256: 4a0966095b487a6ee34363a0006c1fde655b3897008451bf827d72fdc70a818d
    • SHA512: 682b75565b4c40308cd1a00ec40b2a82e2a6ac797d5bfb42f33ef25c07455f3c455bcab336d76cb38849b964abe22858ac49ff872c995e776db2ca621da76575

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15