Overview

overview

10

Static

static

5

59acf29870...18.exe

windows7-x64

10

59acf29870...18.exe

windows10-2004-x64

10

Adobe-GenP-2.7.exe

windows7-x64

3

Adobe-GenP-2.7.exe

windows10-2004-x64

3

ETC1final.exe

windows7-x64

8

ETC1final.exe

windows10-2004-x64

8

XMRfinal.exe

windows7-x64

8

XMRfinal.exe

windows10-2004-x64

10

update.exe

windows7-x64

10

update.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    59acf298702bd7b13089a8883460fde5_JaffaCakes118

  • Size

    1.3MB

  • Sample

    241018-2h95estgqj

  • MD5

    59acf298702bd7b13089a8883460fde5

  • SHA1

    3d757f96fb6fa2b2020c3072f7dfebcaddca59ab

  • SHA256

    cae246e1b4386518005749ac3958c4506d448f1f7efdd49d839dd10a5e01be2b

  • SHA512

    6e2b0b52d498d3c77cba2fa1ce348d0c5d15bea12065df52209c312db28f7a783cdd05905a9b2b418f25d171266f173a14dd0b48721a24bac48dd461e268d52e

  • SSDEEP

    24576:seKBtGLmFZsPlMD7KleDlws8zqUNdKfYupom0LdeTUw1Z5gOENl2for92Pvolxv:seKBtfgG7KylX8FwUrdtw1zEL2for90e

Score
10/10
asyncratxmrigdefaultdiscoveryexecutionminerpersistencerat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

service32.sytes.net:8848

Mutex

NFHaufhauiwfhawfw

Attributes
  • delay

    1

  • install

    false

  • install_file

    vmdservice.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      59acf298702bd7b13089a8883460fde5_JaffaCakes118

    • Size

      1.3MB

    • MD5

      59acf298702bd7b13089a8883460fde5

    • SHA1

      3d757f96fb6fa2b2020c3072f7dfebcaddca59ab

    • SHA256

      cae246e1b4386518005749ac3958c4506d448f1f7efdd49d839dd10a5e01be2b

    • SHA512

      6e2b0b52d498d3c77cba2fa1ce348d0c5d15bea12065df52209c312db28f7a783cdd05905a9b2b418f25d171266f173a14dd0b48721a24bac48dd461e268d52e

    • SSDEEP

      24576:seKBtGLmFZsPlMD7KleDlws8zqUNdKfYupom0LdeTUw1Z5gOENl2for92Pvolxv:seKBtfgG7KylX8FwUrdtw1zEL2for90e

    Score
    10/10
    asyncratdefaultdiscoveryexecutionpersistenceratxmrigminer

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      Adobe-GenP-2.7.exe

    • Size

      1.3MB

    • MD5

      6467e9dd5d86c741aed49060e6d3fcd2

    • SHA1

      a3c784836d993cc2cd9a9087a23559fa05567d02

    • SHA256

      7b8d9ff34315e1787cdb62e682b3ba8dedd9f28d7cd374afe057babaf335edd4

    • SHA512

      9f3b46f4b4c2839e2cd6c6ca2fb2b859af0e22a9c8276b26b32c83ca5f9d95c3cefb44cd82dc78cbe427de04e92e86ceface836f45c3263a8a5a1ca7c1dc48e7

    • SSDEEP

      24576:fRaZROMOm8FN7TjsPnzt2heeRhQbJEOeamXHeqtGHXR0LSeIU6:5kxOm+7TjsPnztyDMmaSHeqtyX8Sg

    Score
    3/10
    behavioral3behavioral4

    • Target

      ETC1final.exe

    • Size

      31KB

    • MD5

      e6eef993d7cdd5b5d3ba14c22ba7347b

    • SHA1

      921bcf0d4bf3fd3cebd706a6e9dfe3901e32caea

    • SHA256

      c84043ea0e8a98b478bbe03bfc16f0d64de4eb3e99ea5f7717b5d37843fe247e

    • SHA512

      f832a156d8bfb45a81806563265bc78712a3cdfe7217efdd7515d5a01b846416f362a41ea97037e02461ce971ce9548e4265a84baa480af05d36223e994272bf

    • SSDEEP

      384:mlkzbsJHRdKputWQjjNut9r/npRqUC3x1nSpPdk1AOPBmMai6iFQwCADa2JE6sO/:2kzbs1cEcnTr8nSEKOPBbaQFRlEs/3

    Score
    8/10
    execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    behavioral5behavioral6

    • Target

      XMRfinal.exe

    • Size

      45KB

    • MD5

      34c74daeeaf8a3aab61553a507b329c7

    • SHA1

      8a28ede427de7fc4088a8ababe018c2284b93c2b

    • SHA256

      8ad91fe964e0a868a0260a6142a94a2b7fa930be6d79fff4dbe199f38f7be17b

    • SHA512

      114571ba25987bdbdb623d233bd9f52b9ff049ce52723cc0e68d715eed633c62b604e95ec8191e2bda10fe6aaa55d63ccbc1f9af36f2a6d11d2ac744ee2adf73

    • SSDEEP

      768:rkbsy4kAcpYHEX1DwaLwRpeP5YlsDpqcO6TlJmOh4bIDX3aan2yyhYnLNqgXi2f:4bsVcbNGcpjO4jmI4sKjyBNfXzf

    Score
    10/10
    executionxmrigminer

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      update.exe

    • Size

      375KB

    • MD5

      3ea6458b6a66860e0b494f4d23d80991

    • SHA1

      e32f4c1d1601997a6c3a5745de5be87b84ffb167

    • SHA256

      005e7927bf7df1153921f511ac3fe6527f039db911cec0d9ad7201bfa65054bf

    • SHA512

      44487f251fd8f9f0a0adfaf7da10da43a58d22b3332cf15a8d88a407c56838f331468eb249d995a28a57c0992361c810501c0062be53791d12000df267ab5cee

    • SSDEEP

      6144:kqzLj+4PhWh/WBdhK2f7qDyFNQwprWEBX5r95yIpFyBNhg5OD6t+hjCMSsCmvEs3:R3j+4YEB/K2f777prWEBD5nu+5OD6sYq

    Score
    10/10
    asyncratdefaultdiscoverypersistencerat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral10behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks