e4b7bcb99c192f64d4e6c3edabd664fc9ebe878910cf34cd835c7460cf975d97 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

e22cab6dd53b2cbba41ba9d1595836e3_JaffaCakes118
Size

9.8MB
Sample

240915-lgmdzaxdkn
MD5

e22cab6dd53b2cbba41ba9d1595836e3
SHA1

cd4198970b42fc91b7f46c62a6c5a21790c9520d
SHA256

e4b7bcb99c192f64d4e6c3edabd664fc9ebe878910cf34cd835c7460cf975d97
SHA512

88acfc983025a317fe2214fd683016cd1878cb60b920323f116aa42d86709e23624bf195e59cd48727713d00fad7d2cd6ebe14c0ccde87bedea9452e01ee97d3
SSDEEP

196608:VelOL9o8QKUzQqqUGmRC6Lokq6552O2Km1wO00oG5pTlFlXVCpyt1WOmqER2Nz:kOKHdzqBTJsZDOtlTlFlnt0Ozi21

Score

7^/10

bootkit discovery persistence upx vmprotect

Malware Config

Targets

- Target
  
  e22cab6dd53b2cbba41ba9d1595836e3_JaffaCakes118
- Size
  
  9.8MB
- MD5
  
  e22cab6dd53b2cbba41ba9d1595836e3
- SHA1
  
  cd4198970b42fc91b7f46c62a6c5a21790c9520d
- SHA256
  
  e4b7bcb99c192f64d4e6c3edabd664fc9ebe878910cf34cd835c7460cf975d97
- SHA512
  
  88acfc983025a317fe2214fd683016cd1878cb60b920323f116aa42d86709e23624bf195e59cd48727713d00fad7d2cd6ebe14c0ccde87bedea9452e01ee97d3
- SSDEEP
  
  196608:VelOL9o8QKUzQqqUGmRC6Lokq6552O2Km1wO00oG5pTlFlXVCpyt1WOmqER2Nz:kOKHdzqBTJsZDOtlTlFlnt0Ozi21
Score

7^/10

discovery
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/InstallOptions.dll
- Size
  
  14KB
- MD5
  
  8d5a5529462a9ba1ac068ee0502578c7
- SHA1
  
  875e651e302ce0bfc8893f341cf19171fee25ea5
- SHA256
  
  e625dcd0188594b1289891b64debddeb5159aca182b83a12675427b320bf7790
- SHA512
  
  101da2c33f47bd85b8934318e0f0b72f820afc928a2a21e2c7823875e3a0e830f7c67f42b4c2f30596eaa073617790c89700c0d95b7949ec617e52800b61d462
- SSDEEP
  
  192:W4n3T5aK+dHCMR1aQR9RuZl3WWmU7WYZsw1JpVGnrjAK72dwF7dBOne:3n3T5KdHCMRD/R1cOnrjA+BO
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  FM_Client.dll
- Size
  
  9.3MB
- MD5
  
  b433480aa2576b45745197cc5fcf2379
- SHA1
  
  c52d484948e35c72a90ed2c775c253c3991aa2f7
- SHA256
  
  be9edf99011456f4a9c6a8dd81cc7d9943a449d6ea757eafb2f627c4090e9eb7
- SHA512
  
  2cdacb0f970740ec166a345b1930fb3842f93cc56b6d64c305cd77e764acf7c09a9b65bbc87bf0ae24b745faac3c15fb8c83685bfb4994c5b75020ed584e2b76
- SSDEEP
  
  196608:ujAcZuedsLqRNBbwcAc9JV2pb/l+rc3TEH0lBAD2tvdYfDMabXnFbUiUpY:CHsLqbVV2pbN+g3T9BAD2ofDMabXFbUi
Score

7^/10

discovery upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral5 behavioral6
- Target
  
  Fts32.dll
- Size
  
  34KB
- MD5
  
  949be8e6edb6f6da87af667987518687
- SHA1
  
  8fcd56530fd2d035158911fbb5702de6f00e09ac
- SHA256
  
  4f597fad6f23f39754ea8dc2dff79dec9de92c162823c33ec73b59f145ff1cae
- SHA512
  
  dc3ffd4d706efa0c53807bcd450511c073bba28ac2b2323164d6755c035c414ca051407695ee6a2789ee2353e745827dd6c7a719872ef95078a303be6d027c82
- SSDEEP
  
  384:5jj6YDBpawwN2Hc7A44QBQQou/VVQgWemO+Ig5ks9Ay2D7DHFjQreOW5rG5L/UBx:R6YDOjk44+QQou/QD9yrKrjUF
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  WhatsNew.rtf
- Size
  
  49KB
- MD5
  
  3f685bf99784804580b6a4043c8abc02
- SHA1
  
  4aeb581dda2a879dc003537db761402050520034
- SHA256
  
  1f943b913667dbdcb65ee7839b2f90fc77c72e70ac4a59943771e599cb48986e
- SHA512
  
  a96e5f779760e7fc2181eabb1dbfc9175d8a224033018397cb8a0adcf51d02b1121e41004542e752fb31306f9ab2a78bd6680fa677c9b3674ce17daf8651a78c
- SSDEEP
  
  384:IJghAZfrFEufvQoIk5qQZFp1NF2j6oZORISM1A/krSFxuCxzESzZw2:ip4VjrP+bHt
Score

4^/10

discovery
behavioral10 behavioral9
- Target
  
  fm_client.chm
- Size
  
  281KB
- MD5
  
  4ce04e706c94b8e1198d2ccba91e79fa
- SHA1
  
  c746f1748e568b8322e92f50b21fb7fb8d70f5bd
- SHA256
  
  9bbf3f96510cb6615ad17e3f01a55c851d0bb2d8c6ad2fdc19282e4d1ef03adb
- SHA512
  
  b8785add919a87e16fac281ccffe7a1e742d3f6b9776e4bfb6aa0ffae822d0af49a616ce5a318119edb58354030ece36c2cf92be555794d0dda98e87486bf5ac
- SSDEEP
  
  6144:9dyb6RZI26v8sBycd8tA5G9bTeQF73B4R:y5Lv87cWdTn7Ry
Score

1^/10
behavioral11 behavioral12
- Target
  
  fm_client.exe
- Size
  
  341KB
- MD5
  
  dd72809749cda5dfc6f8c6cc34116fe1
- SHA1
  
  7bedda259c173e14bdde9eb7e243f14fe6bd2ad2
- SHA256
  
  34d76572949133ee9f785d4f4a9862a7b2c2cbe2174b4adfb53198c4972a2fc9
- SHA512
  
  7e92b3bd1bf8b4b87b956a2e7d5dd858fdea3712d78af02f34b1629192df278ede81aef3845eec1ea4297a4639f32af8df772439bc339ebc3cb2953f008a32d3
- SSDEEP
  
  6144:oekd9k7xS2fNBO+WFhEbkwPXRf6rIiTyTF1AUtrlL1AGEotio6v8m:oTQVz70hekwZGGp1tth5tio6vd
Score

7^/10

bootkit discovery persistence upx vmprotect
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral13 behavioral14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

bootkitdiscoverypersistenceupxvmprotect

behavioral14

bootkitdiscoverypersistenceupxvmprotect