General
Target: oh no.zip
Size: 607.9MB
Sample: 240927-yxpv9axcpp
MD5: d2f3e3224e3880b935fddcf9c028d88e
SHA1: 526bfb47d8bd3834c508c2af3acd04fcec603502
SHA256: 18787f859db9b4df0cf089d0a8d3229847300b22ee1e5c6f2c1f34d2013b6cc6
SHA512: 86f388e2a1fc14fc97f429001556c6b994827905486d7398e0be931c3c78e4fd4a035183cf5cf4e035b60ef2d5341d6a96f65574471d86d3e1a80c1677d6f04d
SSDEEP: 12582912:GyBC6vFaxboAPzxahwHlxHVfyV8ZyqsKb8bqs0qs63FDnR3:zTMloMzx1jHVKV8ZdsAs7s6xR3
Behavioral tasks
behavioral1: oh no/Permanent Spoofer/Spoofer.exe on win7-20240903-en
behavioral2: oh no/Permanent Spoofer/Spoofer.exe on win10v2004-20240802-en
behavioral3: oh no/Permanent Spoofer/spoofer.exe on win7-20240729-en
behavioral4: oh no/Permanent Spoofer/spoofer.exe on win10v2004-20240802-en
Note that Spoofer.exe and spoofer.exe are two different files (compare the sizes and hashes under Targets) whose names differ only by case. Extracting the archive on a case-insensitive filesystem makes the second collide with the first, so check which one you actually have before relying on a hash match.
Malware Config
Extracted
https://github.com/romkatv/powerlevel10k-media/raw/master
Extracted
https://downloads.malwarebytes.com/file/adwcleaner
https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe
Targets

Target: oh no/Permanent Spoofer/Spoofer.exe
Size: 2.7MB
MD5: 812b3e8694648f3049a0cb27f89aaedf
SHA1: aaefe708a73044e855e3b2fec29267cc975f70ca
SHA256: 9cf81914030b67759112485c3f7fbf66286edd38e9a8bf93b5543e0cff582bd2
SHA512: 56dbbcd0db89fc62deac4097ba8bc4d2fff59c02600a17a1e0983b39d08c717f227da43843de791f2f8884c471488b546b7bf979bc973ce00d4ac05aa1c43740
SSDEEP: 49152:WXzhpDtKSK1cb8PGK+Tfuqmpc3elWo8GnQAsYZEVSV33:WXzhW148Pd+Tf1mpcOldJQ3/V0
Score: 10/10
- Modifies visibility of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
  NtSetInformationThread with the ThreadHideFromDebugger class detaches the calling thread from any attached debugger, a common anti-debugging step.

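The signatures above are derived from the registry and API activity the sandbox records. The following is an added example of re-deriving them from such events; it is not the sandbox's own signature engine. The pipe-separated event format, the operation names (QueryValue, SetValue, ApiCall), the PIDs, the image paths and the sample events are constructed; the registry paths are the well-known locations each signature refers to, and ThreadHideFromDebugger is ThreadInformationClass 0x11.

```python
"""Re-derive the behavioural signatures listed above from recorded events.

Added example, not the sandbox's own signature engine. The pipe-separated
event format, the operation names (QueryValue, SetValue, ApiCall) and the
sample events are constructed; the registry paths are the well-known
locations each signature refers to.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    pid: int
    image: str
    op: str      # QueryValue | SetValue | ApiCall (constructed vocabulary)
    target: str  # registry path, or API name when op == "ApiCall"
    data: str = ""


# Registry locations behind each signature (matched case-insensitively).
RUN_KEY = re.compile(
    r"^hk(cu|lm)\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run(once)?\\[^\\]+$",
    re.I)
EXPLORER_HIDDEN = re.compile(
    r"^hkcu\\software\\microsoft\\windows\\currentversion\\explorer\\advanced\\(hidden|showsuperhidden)$",
    re.I)
BIOS_INFO = re.compile(r"^hklm\\hardware\\description\\system\\bios\\", re.I)
VBOX_ACPI = re.compile(r"^hklm\\hardware\\acpi\\(dsdt|fadt|rsdt)\\vbox__", re.I)


def check(ev: Event) -> list[str]:
    """Return the signature names a single event triggers (possibly several)."""
    hits = []
    if ev.op == "SetValue" and RUN_KEY.match(ev.target):
        hits.append("Adds Run key to start application")
    if ev.op == "SetValue" and EXPLORER_HIDDEN.match(ev.target):
        hits.append("Modifies visibility of hidden/system files in Explorer")
    if ev.op == "QueryValue" and BIOS_INFO.match(ev.target):
        hits.append("Checks BIOS information in registry")
    if ev.op == "QueryValue" and VBOX_ACPI.match(ev.target):
        hits.append("Identifies VirtualBox via ACPI registry values (likely anti-VM)")
    # ThreadHideFromDebugger (ThreadInformationClass 0x11) detaches the thread from a debugger.
    if (ev.op == "ApiCall" and ev.target == "NtSetInformationThread"
            and "ThreadHideFromDebugger" in ev.data):
        hits.append("Suspicious use of NtSetInformationThreadHideFromDebugger")
    return hits


def parse_line(line: str) -> Event:
    """Constructed format: pid|image|op|target|data (data optional, may contain '|')."""
    parts = line.rstrip("\r\n").split("|", 4)
    if len(parts) == 4:
        parts.append("")
    pid, image, op, target, data = parts
    return Event(int(pid), image, op, target, data)


def scan(lines) -> dict[str, list[int]]:
    """Map each triggered signature to the sorted PIDs that triggered it."""
    found: dict[str, set[int]] = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ev = parse_line(line)
        for sig in check(ev):
            found.setdefault(sig, set()).add(ev.pid)
    return {sig: sorted(pids) for sig, pids in found.items()}


# Constructed events, loosely modelled on what the report attributes to Spoofer.exe.
# PID 5678 and example.exe are placeholders; PID 9012 is a benign user toggling
# "show hidden files" in explorer.exe, included to show the signature fires for it too.
SAMPLE_EVENTS = """\
1234|C:\\Users\\user\\Desktop\\oh no\\Permanent Spoofer\\Spoofer.exe|QueryValue|HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer|
1234|C:\\Users\\user\\Desktop\\oh no\\Permanent Spoofer\\Spoofer.exe|QueryValue|HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__|
1234|C:\\Users\\user\\Desktop\\oh no\\Permanent Spoofer\\Spoofer.exe|SetValue|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden|0
1234|C:\\Users\\user\\Desktop\\oh no\\Permanent Spoofer\\Spoofer.exe|ApiCall|NtSetInformationThread|ThreadInformationClass=ThreadHideFromDebugger (0x11)
5678|C:\\Windows\\System32\\example.exe|SetValue|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\example|C:\\Windows\\System32\\example.exe
9012|C:\\Windows\\explorer.exe|SetValue|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden|1
"""

if __name__ == "__main__":
    for sig, pids in scan(SAMPLE_EVENTS.splitlines()).items():
        print(f"{sig}: PIDs {pids}")
```

The Explorer signature fires for both the sample process and the benign explorer.exe write, which is why a single path-based signature is not a verdict on its own: the 10/10 score comes from the combination of anti-VM checks, anti-debugging and persistence in one process, so weigh hits by image and by co-occurrence rather than by any one key.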
Target: oh no/Permanent Spoofer/spoofer.exe
Size: 157KB
MD5: 407f16d056d7bbfc4f50042565aaf71c
SHA1: 183a360c72e6fe19e367acc3a63fc64b7b987747
SHA256: fcd04587bc69ac61f1d59897fb35f248a1f97a3549df838d00321d73d65fe570
SHA512: 6829e640918a28017e44c69647f8842825b5161b710afcee315c5afdad52248925912fb0614767d4b911712a7608a1a9a68a992a6121fcba2f785c131895e271
SSDEEP: 3072:dDAikNUWzo0qGzruZW0qM05mw1mJTQSaMm5/6nHeeP1Gp:5AqW0pdxWlqeeP1Gp
Score: 4/10

MITRE ATT&CK Enterprise v15 (counts in parentheses are the number of matching signatures)
Persistence
  Boot or Logon Autostart Execution, T1547 (1)
    Registry Run Keys / Startup Folder, T1547.001 (1)
  Scheduled Task/Job, T1053 (1)
    Scheduled Task, T1053.005 (1)
Privilege Escalation
  Boot or Logon Autostart Execution, T1547 (1)
    Registry Run Keys / Startup Folder, T1547.001 (1)
  Scheduled Task/Job, T1053 (1)
    Scheduled Task, T1053.005 (1)
Defense Evasion
  Hide Artifacts, T1564 (1)
    Hidden Files and Directories, T1564.001 (1)
  Modify Registry, T1112 (2)
  Virtualization/Sandbox Evasion, T1497 (1)