Resubmissions

04-09-2024 01:22

240904-brhtessclm 4

04-09-2024 01:13

240904-blfrwatbra 10

General

  • Target

    octo hates niggers.wav

  • Size

    1.1MB

  • Sample

    240904-blfrwatbra

  • MD5

    e06c2af9bd3623d93dad4c19fa90b88a

  • SHA1

    aae457d958f50416e1a1e6f2195e1c162e47abcf

  • SHA256

    7a3b253a53b43df9024c580b8797df22ac022cebddb9305ff77f2c0884dd6ddf

  • SHA512

    b5d73101ff3adabbe563dbf8c007f1279fc151c564d8563e5cb6a3a36eb354a177978225576d7bc1ebd428e8d80f9a73880ca221058babcb409a669da32ff30f

  • SSDEEP

    1536:53PiVM28r4hL0/yJPGw9mtJdNRvDuKjmK0yjWJOcaY:5aVM8hLgucNRruKCpiMODY

Targets

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Jigsaw Ransomware

      Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • Modifies WinLogon for persistence

    • Modifies Windows Defender Real-time Protection settings

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (3758) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • mimikatz is an open source tool to dump credentials on Windows

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Disables use of System Restore points

    • Event Triggered Execution: Image File Execution Options Injection

    • Modifies Windows Firewall

    • Deletes itself

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Sets desktop wallpaper using registry
