Overview

overview

9

Static

static

3

c9db799db8...18.exe

windows7-x64

9

c9db799db8...18.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c9db799db8b3aa14aa4de462caad1d36_JaffaCakes118

  • Size

    446KB

  • Sample

    240829-3nbpgsyeqk

  • MD5

    c9db799db8b3aa14aa4de462caad1d36

  • SHA1

    756506b0c356e5a6cc48ca28cb3383a076b35bf3

  • SHA256

    07b4f8a1b8bdf86ebdfc857e2a878917edd9d83b65e676c6d172d7c6a21d00fe

  • SHA512

    3cb7c37ae428193aabd4a42d77833004a6fccf1253977f87c920163bf7a3bece9a67b4100edf0b3290079c01180488eea1b0df80afe60f8b0b08ad37d55289f7

  • SSDEEP

    12288:roPaG9botgjLgvhnTgTq/SR0L05kF/+QSs:roR9sijLS8W6c05kFmQf

Score
9/10
defense_evasiondiscoverylateral_movementpersistence

Malware Config

Targets

    • Target

      c9db799db8b3aa14aa4de462caad1d36_JaffaCakes118

    • Size

      446KB

    • MD5

      c9db799db8b3aa14aa4de462caad1d36

    • SHA1

      756506b0c356e5a6cc48ca28cb3383a076b35bf3

    • SHA256

      07b4f8a1b8bdf86ebdfc857e2a878917edd9d83b65e676c6d172d7c6a21d00fe

    • SHA512

      3cb7c37ae428193aabd4a42d77833004a6fccf1253977f87c920163bf7a3bece9a67b4100edf0b3290079c01180488eea1b0df80afe60f8b0b08ad37d55289f7

    • SSDEEP

      12288:roPaG9botgjLgvhnTgTq/SR0L05kF/+QSs:roR9sijLS8W6c05kFmQf

    Score
    9/10
    defense_evasiondiscoverylateral_movementpersistence

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Remote Service Session Hijacking: RDP Hijacking

      Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

      lateral_movement

    • Indicator Removal: Network Share Connection Removal

      Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

      defense_evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Modifies WinLogon

      persistence

    • Drops file in System32 directory

    • Hide Artifacts: Hidden Users

      defense_evasion
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Indicator Removal

1
T1070

Network Share Connection Removal

1
T1070.005

Modify Registry

2
T1112

Hide Artifacts

1
T1564

Hidden Users

1
T1564.002

Credential Access

Discovery

System Information Discovery

1
T1082

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Remote Service Session Hijacking

1
T1563

RDP Hijacking

1
T1563.002

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks