General
-
Target
ff5eecef1e1c10712a059a6bd8a3ca6a_JaffaCakes118
-
Size
362KB
-
Sample
240929-1jyx4s1hpj
-
MD5
ff5eecef1e1c10712a059a6bd8a3ca6a
-
SHA1
be501191585254f6796145c3158854a9fca29dfb
-
SHA256
1400e6cd20ba44c73eb70a4134ce3b8f9dacfde63ad3028b3a063ac1dd0e1598
-
SHA512
cfb19c3bc72b1c48047ef252bd1ed65dd4e854841c89d3c49e0cb053e408c55b3b7d0e9ba27cd405a7fd0f214c1451d764776ffe6f911e81291517ee95666e94
-
SSDEEP
6144:+YDhB6ActM8FbPt6a15RGkPNJAcb+k2WzoPiML3AYRYAe5mYklr7k96uAzdqfSJF:Z9BvctM85t35JPNJj2WzoRLQYRYzmYBM
Malware Config
Targets
-
-
Target
ff5eecef1e1c10712a059a6bd8a3ca6a_JaffaCakes118
-
Size
362KB
-
MD5
ff5eecef1e1c10712a059a6bd8a3ca6a
-
SHA1
be501191585254f6796145c3158854a9fca29dfb
-
SHA256
1400e6cd20ba44c73eb70a4134ce3b8f9dacfde63ad3028b3a063ac1dd0e1598
-
SHA512
cfb19c3bc72b1c48047ef252bd1ed65dd4e854841c89d3c49e0cb053e408c55b3b7d0e9ba27cd405a7fd0f214c1451d764776ffe6f911e81291517ee95666e94
-
SSDEEP
6144:+YDhB6ActM8FbPt6a15RGkPNJAcb+k2WzoPiML3AYRYAe5mYklr7k96uAzdqfSJF:Z9BvctM85t35JPNJj2WzoRLQYRYzmYBM
Score10/10-
Modifies WinLogon for persistence
-
Modifies visibility of file extensions in Explorer
-
Modifies visiblity of hidden/system files in Explorer
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon
-
Network Share Discovery
Attempt to gather information on host network.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
Hide Artifacts: Hidden Users
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Hide Artifacts
3Hidden Files and Directories
2Hidden Users
1Modify Registry
6