Overview

overview

10

Static

static

3

44bc72ad57...18.exe

windows7-x64

10

44bc72ad57...18.exe

windows10-2004-x64

3

Sharing

Copy URL Twitter E-mail

General

  • Target

    44bc72ad57ce5e45eb35ce42c16ffc90_JaffaCakes118

  • Size

    271KB

  • Sample

    241014-3l6f3ssbrd

  • MD5

    44bc72ad57ce5e45eb35ce42c16ffc90

  • SHA1

    bf3ee43b94a9dad6b773029604c9126d9a7399e2

  • SHA256

    32c77bc36295b8d831729745a73e3f42f1e8fe224bacd3d41ecf9ec5a4bc25a7

  • SHA512

    b6b648ac64faf9eb171d7bd3f121471737a99d2dbf36954845a3c319a9d7944e93114bb8fdb291a878500f6572f3eb1999149f1c2fdd1943439fae1689de4927

  • SSDEEP

    6144:Zmrc/DZckkdTrkHWCdtCb9JHk/sRnAlkLoXdZk:Zmo/JMfFMwZnOiIjk

Score
10/10
defense_evasiondiscoveryevasionexecutionimpactpersistenceransomwaretrojan

Malware Config

Targets

    • Target

      44bc72ad57ce5e45eb35ce42c16ffc90_JaffaCakes118

    • Size

      271KB

    • MD5

      44bc72ad57ce5e45eb35ce42c16ffc90

    • SHA1

      bf3ee43b94a9dad6b773029604c9126d9a7399e2

    • SHA256

      32c77bc36295b8d831729745a73e3f42f1e8fe224bacd3d41ecf9ec5a4bc25a7

    • SHA512

      b6b648ac64faf9eb171d7bd3f121471737a99d2dbf36954845a3c319a9d7944e93114bb8fdb291a878500f6572f3eb1999149f1c2fdd1943439fae1689de4927

    • SSDEEP

      6144:Zmrc/DZckkdTrkHWCdtCb9JHk/sRnAlkLoXdZk:Zmo/JMfFMwZnOiIjk

    Score
    10/10
    defense_evasiondiscoveryevasionexecutionimpactpersistenceransomwaretrojan

    • Modifies visiblity of hidden/system files in Explorer

      evasion

    • UAC bypass

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Adds policy Run key to start application

      persistence

    • Disables taskbar notifications via registry modification

      evasion

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Blocklisted process makes network request

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Direct Volume Access

1
T1006

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

4
T1112

Credential Access

Discovery

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Tasks