General

  • Target

    8ab8c04cb7e1dd0dfb028cf3d8fc31d3_JaffaCakes118

  • Size

    48KB

  • Sample

    240811-rs6vmsxfrc

  • MD5

    8ab8c04cb7e1dd0dfb028cf3d8fc31d3

  • SHA1

    aff86a7a95725d847de6cef3c4b5f7172fadca9a

  • SHA256

    b883f31603cb2cb788ce59f86f4319e2a0583df518f4002002b7e7fadbbef61a

  • SHA512

    656d9fd6e6cde69e4c03fb4c5f64a2d48f7eab1394857380ce32a03bca9ed4a12ac3a53c9ec7800d42b0d0973bbaa45cbce65e81e0772de4d94d2f586678a7ae

  • SSDEEP

    768:/ZfkCtqsgmUIrajPHDlL0Qu1UkKE98FSTksgHAZrijPHgUdmgdmmn8:hfdwsglPHR4cEGsghPHgUdmgR

Malware Config

Targets

    • Target

      8ab8c04cb7e1dd0dfb028cf3d8fc31d3_JaffaCakes118

    • Size

      48KB

    • MD5

      8ab8c04cb7e1dd0dfb028cf3d8fc31d3

    • SHA1

      aff86a7a95725d847de6cef3c4b5f7172fadca9a

    • SHA256

      b883f31603cb2cb788ce59f86f4319e2a0583df518f4002002b7e7fadbbef61a

    • SHA512

      656d9fd6e6cde69e4c03fb4c5f64a2d48f7eab1394857380ce32a03bca9ed4a12ac3a53c9ec7800d42b0d0973bbaa45cbce65e81e0772de4d94d2f586678a7ae

    • SSDEEP

      768:/ZfkCtqsgmUIrajPHDlL0Qu1UkKE98FSTksgHAZrijPHgUdmgdmmn8:hfdwsglPHR4cEGsghPHgUdmgR

    • Andromeda, Gamarue

      Andromeda, also known as Gamarue, is a modular botnet malware written in C++ that is primarily used to distribute other malware.

    • Detects Andromeda payload.

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to or away from particular countries.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandbox environments, for example by looking for virtual-machine vendor names in the enumerated disk identifiers.

    • Suspicious use of SetThreadContext

      SetThreadContext is commonly used to redirect the main thread of a suspended process to injected code (process hollowing) before the thread is resumed.
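The registry reads and writes behind the persistence, geofence and drive-enumeration signatures above can be recognised from a process-monitor style event log. The Python below is an added example, not the sandbox's own signature logic: the key fragments it matches on are assumptions about what each listed signature fires on, and the event lines it runs over are constructed for illustration rather than taken from this report.

```python
"""Recognise the registry behaviours listed in this report in an event log.

Added example for illustration; it is not the sandbox's own signature
logic.  The key fragments in SIGNATURES are assumptions about what each
listed signature fires on, and SAMPLE_EVENTS is constructed, not taken
from the report.
"""
import re
from collections import defaultdict

# Assumed registry key fragments behind each signature name in the report.
# Fragments carry a leading and trailing backslash so they only match on
# key boundaries (e.g. ...\CurrentVersion\Run\ but not ...\RunOnce\).
SIGNATURES = {
    "Adds policy Run key to start application":
        ("write", "\\currentversion\\policies\\explorer\\run\\"),
    "Adds Run key to start application":
        ("write", "\\currentversion\\run\\"),
    "Checks computer location settings":
        ("read", "\\control panel\\international\\geo\\"),
    "Maps connected drives based on registry":
        ("read", "\\services\\disk\\enum\\"),
}

# "pid  api  path" layout, as a process-monitor style log might be exported.
EVENT_RE = re.compile(r"^\s*(\d+)\s+(\w+)\s+(.+?)\s*$")


def op_kind(api: str) -> str:
    """Collapse Reg* API names into a read/write distinction."""
    api = api.lower()
    return "write" if ("set" in api or "create" in api or "delete" in api) else "read"


def normalise(path: str) -> str:
    """Lower-case, unify separators and guarantee one trailing separator."""
    return path.lower().replace("/", "\\").rstrip("\\") + "\\"


def classify(events):
    """Return {signature name: [(pid, original path), ...]} for matching events."""
    hits = defaultdict(list)
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole run
        pid, api, path = int(m.group(1)), m.group(2), m.group(3)
        kind, npath = op_kind(api), normalise(path)
        for name, (want_kind, fragment) in SIGNATURES.items():
            if kind == want_kind and fragment in npath:
                hits[name].append((pid, path))
                break  # one signature per event
    return dict(hits)


def triggered(events):
    """Sorted list of signature names that fired, for a quick summary."""
    return sorted(classify(events))


# Constructed event lines (pid, API, registry path); not from the report.
SAMPLE_EVENTS = [
    "2140 RegQueryValueExW HKCU\\Control Panel\\International\\Geo\\Nation",
    "2140 RegOpenKeyExW HKLM\\SYSTEM\\ControlSet001\\Services\\Disk\\Enum",
    "2140 RegQueryValueExW HKLM\\SYSTEM\\ControlSet001\\Services\\Disk\\Enum\\0",
    "2140 RegSetValueExW HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ms_update",
    "2140 RegSetValueExW HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\ms_update",
    "3308 RegQueryValueExW HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\AppData",
    "not an event line and therefore ignored",
]

if __name__ == "__main__":
    for name, matches in classify(SAMPLE_EVENTS).items():
        print(name)
        for pid, path in matches:
            print(f"  pid {pid}: {path}")
```

Matching on key fragments rather than full paths keeps the check independent of the hive spelling (HKLM versus HKEY_LOCAL_MACHINE versus \REGISTRY\MACHINE) and of the ControlSet number, which vary between sandboxes and hosts; the leading and trailing separators stop the Run fragment from swallowing RunOnce and the policy key.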

MITRE ATT&CK Enterprise v15

Tasks