General

  • Target: e9b7bf47f725a750bc9f8c790c7c8154_JaffaCakes118
  • Size: 270KB
  • Sample: 240918-w1a56awfrp
  • MD5: e9b7bf47f725a750bc9f8c790c7c8154
  • SHA1: 414a5390c25096fda62b8b4034889f866641bf58
  • SHA256: f5c01695bc39eef4b4bf5b8b35771578551ca3e93fca52a448904af22749e01d
  • SHA512: c3388ff1f33dec21be166624f9c7465bdac94db7915bd22c9f2b65d9d4bdcd9a718fefcabd9dc92839a0c57d7197da36f454bd237bd5866065e180055d78d6a8
  • SSDEEP: 6144:2s+IN9RS6LTa9Ar37L2We1zwYVlEkdqY/nMmS6H5el8BJN:3HMwm9AHebVKkdrH5eyr

Malware Config

Extracted

  • Family: simda
  • Attributes: dga
  • DGA domains:
    cihunemyror.eu
    digivehusyd.eu
    vofozymufok.eu
    fodakyhijyv.eu
    nopegymozow.eu
    gatedyhavyd.eu
    marytymenok.eu
    jewuqyjywyv.eu
    qeqinuqypoq.eu
    kemocujufys.eu
    rynazuqihoj.eu
    lyvejujolec.eu
    tucyguqaciq.eu
    xuxusujenes.eu
    puzutuqeqij.eu
    ciliqikytec.eu
    dikoniwudim.eu
    vojacikigep.eu
    fogeliwokih.eu
    nofyjikoxex.eu
    gadufiwabim.eu
    masisokemep.eu
    jepororyrih.eu
    qetoqolusex.eu
    keraborigin.eu
    ryqecolijet.eu
    lymylorozig.eu
    tunujolavez.eu
    xubifaremin.eu
    puvopalywet.eu

Targets

    • Target: e9b7bf47f725a750bc9f8c790c7c8154_JaffaCakes118
    • Size: 270KB
    • MD5: e9b7bf47f725a750bc9f8c790c7c8154
    • SHA1: 414a5390c25096fda62b8b4034889f866641bf58
    • SHA256: f5c01695bc39eef4b4bf5b8b35771578551ca3e93fca52a448904af22749e01d
    • SHA512: c3388ff1f33dec21be166624f9c7465bdac94db7915bd22c9f2b65d9d4bdcd9a718fefcabd9dc92839a0c57d7197da36f454bd237bd5866065e180055d78d6a8
    • SSDEEP: 6144:2s+IN9RS6LTa9Ar37L2We1zwYVlEkdqY/nMmS6H5el8BJN:3HMwm9AHebVKkdrH5eyr

    Signatures

    • Modifies WinLogon for persistence
    • simda
      Simda is an infostealer written in C++.
    • UPX packed file
      Detects executables packed with UPX/modified UPX open source packer.
    • Adds Run key to start application
    • Creates a large amount of network flows
      This may indicate a network scan to discover remotely running services.
    • Modifies WinLogon

MITRE ATT&CK Enterprise v15

Tasks