Overview

overview

10

Static

static

1

c4b5c43564...18.rtf

windows7-x64

10

c4b5c43564...18.rtf

windows10-2004-x64

4

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c4b5c435640c8d3ff617c26aedc1ec71_JaffaCakes118

  • Size

    2.0MB

  • Sample

    240827-k8fj3atcmc

  • MD5

    c4b5c435640c8d3ff617c26aedc1ec71

  • SHA1

    7e0fb054a5e79c923de01262b603d3bf3da06c25

  • SHA256

    8cc49c2ec80f755f0301768a32fd5ba3ba84d21d9a5c4737137f5d1c28211c4e

  • SHA512

    f83687805172194210e8aff9a9bf32d968a6cedf79159be75bbb9b239260bbd605a08056d2424023aa547b36d7f994ae2257ca5c46fd5a37e8a186fb6aded944

  • SSDEEP

    24576:gopSTEOUpl4BSSJQ3x1JKzpYP9zr7gR4mRSc02IcFN8pKKx72vQ7Tt2tQRn1f6MQ:2

Score
10/10
betabotbackdoorbotnetdefense_evasiondiscoveryevasionpersistencetrojan

Malware Config

Targets

    • Target

      c4b5c435640c8d3ff617c26aedc1ec71_JaffaCakes118

    • Size

      2.0MB

    • MD5

      c4b5c435640c8d3ff617c26aedc1ec71

    • SHA1

      7e0fb054a5e79c923de01262b603d3bf3da06c25

    • SHA256

      8cc49c2ec80f755f0301768a32fd5ba3ba84d21d9a5c4737137f5d1c28211c4e

    • SHA512

      f83687805172194210e8aff9a9bf32d968a6cedf79159be75bbb9b239260bbd605a08056d2424023aa547b36d7f994ae2257ca5c46fd5a37e8a186fb6aded944

    • SSDEEP

      24576:gopSTEOUpl4BSSJQ3x1JKzpYP9zr7gR4mRSc02IcFN8pKKx72vQ7Tt2tQRn1f6MQ:2

    Score
    10/10
    betabotbackdoorbotnetdefense_evasiondiscoveryevasionpersistencetrojan

    • BetaBot

      Beta Bot is a Trojan that infects computers and disables Antivirus.

      trojanbackdoorbotnetbetabot

    • Modifies firewall policy service

      evasion

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Looks for VMWare services registry key.

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Indicator Removal: Clear Persistence

      remove IFEO.

      defense_evasion

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

1
T1203

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Indicator Removal

1
T1070

Clear Persistence

1
T1070.009

Modify Registry

5
T1112

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks