General

  • Target

    97ed728638392e0139d1a3009252acde_JaffaCakes118

  • Size

    441KB

  • Sample

    240814-2eet4steqk

  • MD5

    97ed728638392e0139d1a3009252acde

  • SHA1

    c2c2f636dbee6b459d7beb2183bc77f7dcc0425c

  • SHA256

    b1ff1921b85d37daac07335f5a88702103fdd681750cd7e4e9e16a2ed61dc8b9

  • SHA512

    29156db5385d9492b4929d655636d8119d8b66de3b4e460113644725290960d77aeb31d99cc705f1aedb429c3c6af64f771173806592450bb113f8814d554bb1

  • SSDEEP

    12288:k6Wq4aaE6KwyF5L0Y2D1PqLYxnaYgmloAE6t:ithEVaPqLYxnakloAn

Malware Config

Targets

    • Andromeda, Gamarue

      Andromeda, also known as Gamarue, is a modular botnet malware written in C++ and primarily used to distribute other malware families.

    • Detects Andromeda payload.

    • Adds policy Run key to start application

    • Deletes itself

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks