General
-
Target
ad8183cd69f77628678d89101044f634_JaffaCakes118
-
Size
772KB
-
Sample
240820-cnbflsyeng
-
MD5
ad8183cd69f77628678d89101044f634
-
SHA1
14e63e28af45e1988638e7b85baf6d41fdd9e2c9
-
SHA256
66a457bd13c522aa53140b46eb6d88ea6a4dce680e687f2dd551270b422b93e8
-
SHA512
247105cc8b737c487d0c5296c46dc1bbd763417ce2121ab22cd5300b5976b07e982ee8b5e48bb71761f5a86256dfe9577eda3a973844ed84597b9a1aa93fbdb2
-
SSDEEP
12288:CMrF7ZstZYmUr+TI/vgPJAKljjeV6HD3Fip6tocb2w/glyuY6ICZdlyQhFvm1akT:dixAdQRAWveE0wucSWglyuuCZqVd
Malware Config
Targets
-
-
Target
ad8183cd69f77628678d89101044f634_JaffaCakes118
-
Size
772KB
-
MD5
ad8183cd69f77628678d89101044f634
-
SHA1
14e63e28af45e1988638e7b85baf6d41fdd9e2c9
-
SHA256
66a457bd13c522aa53140b46eb6d88ea6a4dce680e687f2dd551270b422b93e8
-
SHA512
247105cc8b737c487d0c5296c46dc1bbd763417ce2121ab22cd5300b5976b07e982ee8b5e48bb71761f5a86256dfe9577eda3a973844ed84597b9a1aa93fbdb2
-
SSDEEP
12288:CMrF7ZstZYmUr+TI/vgPJAKljjeV6HD3Fip6tocb2w/glyuY6ICZdlyQhFvm1akT:dixAdQRAWveE0wucSWglyuuCZqVd
Score10/10-
Modifies security service
-
Windows security bypass
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Sets service image path in registry
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Deletes itself
-
Executes dropped EXE
-
Indicator Removal: Clear Windows Event Logs
Clear Windows Event Logs to hide the activity of an intrusion.
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks registry for disk virtualization
Detecting virtualization disks is order done to detect sandboxing environments.
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Change Default File Association
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Change Default File Association
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify Tools
1Indicator Removal
1Clear Windows Event Logs
1Modify Registry
5Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1