General

  • Target

    e436146aba83ffa9447986735a5e8ea3_JaffaCakes118

  • Size

    303KB

  • Sample

    240916-hf657stcrc

  • MD5

    e436146aba83ffa9447986735a5e8ea3

  • SHA1

    eeb939e6b4c98f14ec92bd2e7e922c8de3f620d7

  • SHA256

    d3301b05904cc250f8f843e8631515bb9ddbf8c5836ca179c35694b21d2ba2af

  • SHA512

    a718c22a0d74542a0840f9eae2ca5b9744fb011a6549fec866e931da7c61edd9718bec14649668f775afd18507ebf9e7a25b02ef21debd41432b1f553c2a911a

  • SSDEEP

    6144:dmYRAYwCNVQHCY7G5qEueq7USzuV6DRaLk0EP4ceErU1cmy9:vmvCNECYi5fu97YgDRaLDEP4cfUTy9

Malware Config

Targets

    • Modifies visibility of hidden/system files in Explorer

    • Disables RegEdit via registry modification

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Remote Services: SMB/Windows Admin Shares

      Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

Each tactic lists its techniques and sub-techniques with the number of matching signatures and the ATT&CK ID.

Persistence

    • Event Triggered Execution (T1546): 1
      • Image File Execution Options Injection (T1546.012): 1

Privilege Escalation

    • Event Triggered Execution (T1546): 1
      • Image File Execution Options Injection (T1546.012): 1

Defense Evasion

    • Hide Artifacts (T1564): 1
      • Hidden Files and Directories (T1564.001): 1
    • Modify Registry (T1112): 1

Discovery

    • Query Registry (T1012): 4
    • System Information Discovery (T1082): 4
    • Peripheral Device Discovery (T1120): 1
    • Browser Information Discovery (T1217): 1
    • System Location Discovery (T1614): 1
      • System Language Discovery (T1614.001): 1

Lateral Movement

    • Remote Services (T1021): 1
      • SMB/Windows Admin Shares (T1021.002): 1

Tasks