Overview

overview

10

Static

static

3

Picture14....ok.exe

windows7-x64

10

Picture14....ok.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    dc4bf78a933364ba70039d7531c15f6c_JaffaCakes118

  • Size

    270KB

  • Sample

    240912-psnyqavenc

  • MD5

    dc4bf78a933364ba70039d7531c15f6c

  • SHA1

    08bd87f215d99a1db79311afd642acd2f91c126c

  • SHA256

    9b10ca8ccfd0a8d33317b5b7d50c90c73a34a3e1b44fbd617cf082c3e020f4a8

  • SHA512

    784deb30459aed04e50b5f4372cc6c65abcce8f8df34ca2a6a4d6ea4abd211952d65df42901a388c29ab5a11680c6d1627eaa85e49de6a353555d95f2d834082

  • SSDEEP

    6144:sgnHvErvVdZsLOpEccV5fQb/yGENz3F2TymR:sSHvETVdZsLOpNcVC/yvNzcTj

Score
10/10
bootkitdiscoveryevasionpersistenceprivilege_escalation

Malware Config

Targets

    • Target

      Picture14.JPG_www.facebook.com

    • Size

      632KB

    • MD5

      ec06e9ee54f8534beb35f45f03ac0cbc

    • SHA1

      cafbd83e346dcddc4af59875327f84ab3641f9a2

    • SHA256

      e2009a0f31f5fe1183422a7c19820105e53303e66580fedae69ece82520f56f4

    • SHA512

      c4ef1b6325bbfaeb3d8d6456ef45f871c5eb962c2114c1dcee01ef12ecdb77cddf4a677d5322df3e80be3df921b64ad805512194b1fd6cc2a6d66377fd54708f

    • SSDEEP

      6144:k2uNyWziInfDncpVARIVKgjYLduXexcFy9L7LOpmccV5GwqNnN1GeWsitgQCk8nY:wKpVIYjXexcQL7LOpbcVHqRNAY1

    Score
    10/10
    bootkitdiscoveryevasionpersistenceprivilege_escalation

    • Modifies firewall policy service

      evasion

    • Modifies Windows Firewall

      evasion

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify System Firewall

2
T1562.004

Modify Registry

2
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks