Overview

overview

9

Static

static

5

d28c4e1605...18.exe

windows7-x64

9

d28c4e1605...18.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d28c4e16057282d82489479a6e3b256f_JaffaCakes118

  • Size

    671KB

  • Sample

    240907-wtvwzsxclp

  • MD5

    d28c4e16057282d82489479a6e3b256f

  • SHA1

    1bf5d9be60c03b5822c3415be45de46da787cacb

  • SHA256

    ad849e1e9a804e98be2ab2a5df54552ea872c98d126c3a8da7b49d4fb7c7aaa4

  • SHA512

    23b7eb55bdacbddf7bdf90598e9e9fdbdad04d2f03a601d11a376f345f4a762bbf26da5f36e560fa4dd476a5ec46f8f4da565e54c6bd493251c80af42b8eee81

  • SSDEEP

    12288:YaWzgMg7v3qnCiMErQohh0F4CCJ8lnyC8IPAhhpZC:PaHMv6CorjqnyC8IgtC

Score
9/10
defense_evasiondiscoverylateral_movementpersistence

Malware Config

Targets

    • Target

      d28c4e16057282d82489479a6e3b256f_JaffaCakes118

    • Size

      671KB

    • MD5

      d28c4e16057282d82489479a6e3b256f

    • SHA1

      1bf5d9be60c03b5822c3415be45de46da787cacb

    • SHA256

      ad849e1e9a804e98be2ab2a5df54552ea872c98d126c3a8da7b49d4fb7c7aaa4

    • SHA512

      23b7eb55bdacbddf7bdf90598e9e9fdbdad04d2f03a601d11a376f345f4a762bbf26da5f36e560fa4dd476a5ec46f8f4da565e54c6bd493251c80af42b8eee81

    • SSDEEP

      12288:YaWzgMg7v3qnCiMErQohh0F4CCJ8lnyC8IPAhhpZC:PaHMv6CorjqnyC8IgtC

    Score
    9/10
    defense_evasiondiscoverylateral_movementpersistence

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Remote Service Session Hijacking: RDP Hijacking

      Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

      lateral_movement

    • Modifies WinLogon

      persistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Hide Artifacts: Hidden Users

      defense_evasion
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Modify Registry

1
T1112

Hide Artifacts

1
T1564

Hidden Users

1
T1564.002

Credential Access

Discovery

System Information Discovery

1
T1082

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Remote Service Session Hijacking

1
T1563

RDP Hijacking

1
T1563.002

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks