0214d1d58efc92256a064dd0a0d0a58c66f576eb260812dbd4905fdde0011dc6 | Triage

Resubmissions

19-09-2024 23:39

240919-3ndh3sxfjj 10

19-09-2024 23:29

240919-3gn18swhmd 5

19-09-2024 23:28

240919-3ggl6awhlc 5

19-09-2024 20:38

240919-zeqkhazclq 10

19-09-2024 20:35

240919-zc3r2szbnp 10

19-09-2024 20:30

240919-zajldszamq 5

Sharing

General

Target

ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118
Size

212KB
Sample

240919-zc3r2szbnp
MD5

ec2453dbb46e27680ce11ee4d08137e0
SHA1

2831bdbbfc67cb405a2231ca7195f4040ee20d60
SHA256

0214d1d58efc92256a064dd0a0d0a58c66f576eb260812dbd4905fdde0011dc6
SHA512

1f2941be38a9fa7aaec3ad8e64b2c90074d6f4d2fad60a4377597ca422c29c4a49881b1cea598eacb3e41bda25cab616dbf659db99ad728afa89282e75495519
SSDEEP

3072:YLca+56U04VjKkXzpicDlsc3w5zaLjBet8AbWF:fjKkXzpicDGc0kBkA

Score

10^/10

bootkit discovery evasion persistence ransomware trojan

Malware Config

Targets

- Target
  
  ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118
- Size
  
  212KB
- MD5
  
  ec2453dbb46e27680ce11ee4d08137e0
- SHA1
  
  2831bdbbfc67cb405a2231ca7195f4040ee20d60
- SHA256
  
  0214d1d58efc92256a064dd0a0d0a58c66f576eb260812dbd4905fdde0011dc6
- SHA512
  
  1f2941be38a9fa7aaec3ad8e64b2c90074d6f4d2fad60a4377597ca422c29c4a49881b1cea598eacb3e41bda25cab616dbf659db99ad728afa89282e75495519
- SSDEEP
  
  3072:YLca+56U04VjKkXzpicDlsc3w5zaLjBet8AbWF:fjKkXzpicDGc0kBkA
Score

10^/10

bootkit discovery evasion persistence ransomware trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Disables Task Manager via registry modification
  evasion
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Pre-OS Boot

Bootkit

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Winlogon Helper DLL

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

bootkitdiscoveryevasionpersistenceransomwaretrojan