Overview

overview

10

Static

static

3

a3b03e560b...18.exe

windows7-x64

10

a3b03e560b...18.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    a3b03e560bc4fc46804d888270b538ad_JaffaCakes118

  • Size

    96KB

  • Sample

    240817-xb31batdjn

  • MD5

    a3b03e560bc4fc46804d888270b538ad

  • SHA1

    f6bb7dd7bb7389de5c4e668846105cfab13db32d

  • SHA256

    d93b8d87ac6c48e1b14331a218059ebabe8e5d7234d87e5b69e7bbf75c45e140

  • SHA512

    5ff930f0421dd935932728839924ed1ebb9f387c94f07c60f1809293ce2c6df7a61f89a242e15d0e4530635fc9b35edcb4a0b5dab0414b35b28c390199637cf1

  • SSDEEP

    1536:ow/wREe2VS6lRD2J3d7nVSE2nZZ7wDrg5rgk1IbciOtRJR:owYD2VS6lRD2J3dVwZurgQbEf/

Score
10/10
discoveryevasionpersistencespywarestealer

Malware Config

Targets

    • Target

      a3b03e560bc4fc46804d888270b538ad_JaffaCakes118

    • Size

      96KB

    • MD5

      a3b03e560bc4fc46804d888270b538ad

    • SHA1

      f6bb7dd7bb7389de5c4e668846105cfab13db32d

    • SHA256

      d93b8d87ac6c48e1b14331a218059ebabe8e5d7234d87e5b69e7bbf75c45e140

    • SHA512

      5ff930f0421dd935932728839924ed1ebb9f387c94f07c60f1809293ce2c6df7a61f89a242e15d0e4530635fc9b35edcb4a0b5dab0414b35b28c390199637cf1

    • SSDEEP

      1536:ow/wREe2VS6lRD2J3d7nVSE2nZZ7wDrg5rgk1IbciOtRJR:owYD2VS6lRD2J3dVwZurgQbEf/

    Score
    10/10
    discoveryevasionpersistencespywarestealer

    • Adds autorun key to be loaded by Explorer.exe on startup

      persistence

    • Modifies WinLogon for persistence

      persistence

    • Modifies visibility of file extensions in Explorer

      evasion

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Disables cmd.exe use via registry modification

      evasion

    • Disables use of System Restore points

      evasion

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

2
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

2
T1547.004

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

8
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Tasks