General

  • Target

    c06a884210dc1c4a2483bbc5493b7f58_JaffaCakes118

  • Size

    512KB

  • Sample

    240825-k7m8hswejd

  • MD5

    c06a884210dc1c4a2483bbc5493b7f58

  • SHA1

    df6c2e468b36ac0aa32654c2d72e73adebf96730

  • SHA256

    70d38cdc61c9cbc651d17dd7e2ed0fad2601387891d5b526934838b480021eae

  • SHA512

    c3f5aa897210888b6afeed30e3e8fa8f46a09852ad3ab78c8aad6317301b023c94378aa8a9676237d2157241fd00b7374eaf645a689c31c5c554af714602ade9

  • SSDEEP

    12288:b2iwn/ND7S3xI66S/H3UyKxWn2hJ+MRmhhhPUAglXU:b213Sed0Xjh

Targets

    • Target

      c06a884210dc1c4a2483bbc5493b7f58_JaffaCakes118

    • Modifies WinLogon for persistence

    • UAC bypass

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory
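
The signatures above name the persistence and defense-evasion artifacts this sample leaves behind (Winlogon values, policy and ordinary Run keys, the DisableRegistryTools and UAC policy values, the Safe Mode boot configuration, autorun.inf on attached volumes). The following PowerShell triage script is an added example, not part of the sandbox report and not the sample's own code: it reads those standard Windows locations on a live host and lists every deviation from the documented defaults for an analyst to review. The registry paths and default values are standard Windows settings; the sample's dropped file names and the exact values it writes are not given in the report, so nothing is attributed to this sample except a SHA256 match against the hash listed above.

```powershell
# Added example (not from the report): host triage for the artifacts the
# sandbox signatures describe. Run from an elevated prompt so HKLM and all
# volumes are readable. Every deviation from defaults is listed, not judged.

$ReportSha256 = '70d38cdc61c9cbc651d17dd7e2ed0fad2601387891d5b526934838b480021eae'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = New-Object 'System.Collections.Generic.List[string]'

# Modifies WinLogon for persistence: Shell and Userinit are the values usually hijacked.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = Get-RegValue $wl 'Shell'
if ($shell -and $shell -ne 'explorer.exe') {
    $findings.Add("Winlogon\Shell = '$shell' (default: explorer.exe)")
}
$userinit = Get-RegValue $wl 'Userinit'
$defaultUserinit = "$env:SystemRoot\system32\userinit.exe,"
if ($userinit -and $userinit -ne $defaultUserinit) {
    $findings.Add("Winlogon\Userinit = '$userinit' (default: $defaultUserinit)")
}

# Adds (policy) Run key: the Policies\Explorer\Run keys are normally absent,
# so any value there is worth a look; ordinary Run entries need baseline review.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
            $findings.Add("Run entry [$key] $($p.Name) = $($p.Value)")
        }
    }
}

# Disables RegEdit / UAC tampering: both live under Policies\System.
foreach ($hive in 'HKLM', 'HKCU') {
    $pol = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    $drt = Get-RegValue $pol 'DisableRegistryTools'
    if ($null -ne $drt -and $drt -ge 1) {
        $findings.Add("$hive DisableRegistryTools = $drt (Registry Editor blocked)")
    }
}
$uacPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = Get-RegValue $uacPol 'EnableLUA'
if ($null -ne $enableLua -and $enableLua -eq 0) {
    $findings.Add('EnableLUA = 0 (UAC disabled)')
}
$cpbUser = Get-RegValue $uacPol 'ConsentPromptBehaviorUser'
if ($null -ne $cpbUser -and $cpbUser -eq 0) {
    $findings.Add('ConsentPromptBehaviorUser = 0 (elevation auto-denied for standard users)')
}

# Impair Defenses: Safe Mode Boot. AlternateShell defaults to cmd.exe; the
# Minimal/Network subkeys should be diffed against a known-good baseline.
$altShell = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot' 'AlternateShell'
if ($altShell -and $altShell -ne 'cmd.exe') {
    $findings.Add("SafeBoot\AlternateShell = '$altShell' (default: cmd.exe)")
}

# Drops autorun.inf file: check the root of every mounted file-system volume.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) { $findings.Add("autorun.inf present at $inf") }
}

# Executes dropped EXE / Drops file in System32: confirm a suspect file is this
# sample by comparing its SHA256 with the hash from the report.
function Test-ReportHash {
    param([string]$Path)
    $h = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    return ($h -eq $ReportSha256)   # string -eq is case-insensitive
}

if ($findings.Count -eq 0) { 'No deviations from defaults found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Feed any executable the Run, Winlogon or SafeBoot entries point at to Test-ReportHash; a match ties the artifact to this sample, while a non-match only means a different file and still needs analysis. The Run-key and SafeBoot listings are deliberately noisy, since legitimate software uses both, and are meant to be compared against a clean host of the same build rather than read as verdicts.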

MITRE ATT&CK Enterprise v15