General
-
Target
8ae8f221fb119e8c381543c997b2247b_JaffaCakes118
-
Size
672KB
-
Sample
240811-sw27aszdje
-
MD5
8ae8f221fb119e8c381543c997b2247b
-
SHA1
aa9cb43884d89673a6cf6ef3211fc67dadd2df7a
-
SHA256
da97cccc9bbe5f6ac73c44ecbe00e30f03536a0e49ea70ea28b5ad64a578061a
-
SHA512
26bcbac7ebe36aaf52370ef5890a1438934d12c22daa31a40406d8b4f8abc6952dbaa793258b2d4f4f422f30e0f6c19de3b74191807dd3643b27cba149764045
-
SSDEEP
12288:8EBzeKFJivZle3xONl7slA2LTZ3hPFNImOM7Llt49DXW4Hxgv5UYxZSmLktq:31FJivq3xONln2LzPzImOult8DXWGU4+
Malware Config
Targets
-
-
Target
8ae8f221fb119e8c381543c997b2247b_JaffaCakes118
-
Size
672KB
-
MD5
8ae8f221fb119e8c381543c997b2247b
-
SHA1
aa9cb43884d89673a6cf6ef3211fc67dadd2df7a
-
SHA256
da97cccc9bbe5f6ac73c44ecbe00e30f03536a0e49ea70ea28b5ad64a578061a
-
SHA512
26bcbac7ebe36aaf52370ef5890a1438934d12c22daa31a40406d8b4f8abc6952dbaa793258b2d4f4f422f30e0f6c19de3b74191807dd3643b27cba149764045
-
SSDEEP
12288:8EBzeKFJivZle3xONl7slA2LTZ3hPFNImOM7Llt49DXW4Hxgv5UYxZSmLktq:31FJivq3xONln2LzPzImOult8DXWGU4+
Score10/10-
Modifies security service
-
Windows security bypass
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Sets service image path in registry
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Deletes itself
-
Executes dropped EXE
-
Indicator Removal: Clear Windows Event Logs
Clear Windows Event Logs to hide the activity of an intrusion.
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks registry for disk virtualization
Detecting virtualization disks is order done to detect sandboxing environments.
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Change Default File Association
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Change Default File Association
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify Tools
1Indicator Removal
1Clear Windows Event Logs
1Modify Registry
5Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1