pandastealer

Sharing

Copy URL

Twitter E-mail

General

Target

6b9d5ed62bf77ebcf1d9a4ce12eeef6f_JaffaCakes118
Size

7.6MB
Sample

241022-w7fzzsydpf
MD5

6b9d5ed62bf77ebcf1d9a4ce12eeef6f
SHA1

53943e0e880f48cb530838bc0e451dd7d378a5cb
SHA256

84ba766b1f292df812017d9c8549bd1026fbdd12b3eabe0e9ad491774f175ab8
SHA512

cde30092b8fc560351d9284cfc5f3c1dacc61875312562376adc7372c7b877f4c1598777610bcc7d55b1d20b33a58509a52141ba6aaf034e3297e7d6395356ee
SSDEEP

196608:aK4OnILxFKkKUrMlXDnR/CQkrKsYNFWVpCmE3/ot1yORC:ppiFKkv+LRKgj/W+me/s18

Score

10^/10

Malware Config

Targets

- Target
  
  6b9d5ed62bf77ebcf1d9a4ce12eeef6f_JaffaCakes118
- Size
  
  7.6MB
- MD5
  
  6b9d5ed62bf77ebcf1d9a4ce12eeef6f
- SHA1
  
  53943e0e880f48cb530838bc0e451dd7d378a5cb
- SHA256
  
  84ba766b1f292df812017d9c8549bd1026fbdd12b3eabe0e9ad491774f175ab8
- SHA512
  
  cde30092b8fc560351d9284cfc5f3c1dacc61875312562376adc7372c7b877f4c1598777610bcc7d55b1d20b33a58509a52141ba6aaf034e3297e7d6395356ee
- SSDEEP
  
  196608:aK4OnILxFKkKUrMlXDnR/CQkrKsYNFWVpCmE3/ot1yORC:ppiFKkv+LRKgj/W+me/s18
Score

7^/10

discovery
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/InstallOptions.dll
- Size
  
  14KB
- MD5
  
  325b008aec81e5aaa57096f05d4212b5
- SHA1
  
  27a2d89747a20305b6518438eff5b9f57f7df5c3
- SHA256
  
  c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
- SHA512
  
  18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf
- SSDEEP
  
  192:86d+dHXLHQOPiY53uiUdigyU+WsPdc/A1A+2jwK72dwF7dBEnbok:86UdHXcIiY535zBt2jw+BEnbo
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/inetc.dll
- Size
  
  20KB
- MD5
  
  50fdadda3e993688401f6f1108fabdb4
- SHA1
  
  04a9ae55d0fb726be49809582cea41d75bf22a9a
- SHA256
  
  6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6
- SHA512
  
  e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8
- SSDEEP
  
  384:jQB2ZUVHUxgoJX0eBA6PcH85db+ya9cC0Ac9khYLMkIX0+G5xgZmT+m//a:j/UFeJ5S6PHLNa9cFam/
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  AutoUpdaterUI.exe
- Size
  
  543KB
- MD5
  
  1eb6d8c97dbdf744b8710b8d3b283aac
- SHA1
  
  aab3a5c45acbc70be3744584ffefd5c154098c23
- SHA256
  
  629e963c16bd721bdde4525b32ac95b24c32502783697462f1f3a7c5e6a4820b
- SHA512
  
  4ef31a102e950b3091d6d02bb9ff1b9802b572ea57d5d1157ff7ec575ff6fa28c808470b497758a29c59bc337f7354de976a420f0a1ccf4fa7cdfa38735adc64
- SSDEEP
  
  12288:aET8IpX5GbYvJPIcjRDf6U98HqKRNTtONRQ6Zthl3iEPf:kEvb6qKRptqqiDN
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  Autoupdater/CheckUpdate.dll
- Size
  
  603KB
- MD5
  
  06f19f2c355ef2fc0f3c2e1f74856763
- SHA1
  
  5ea576bfe653df45b2613281bcba94c4f8b4e1cd
- SHA256
  
  0e8aae587cb416d2ad4b885ad1b21cf7242ee8d6ecdf6d3a2bb477636e2dcec6
- SHA512
  
  c0e713ae7396e1f76957d19dd9243033299d8ff7eed3dfb1b371ba4c0963dacead718c105496b990f383551e996cfbf1c2f0436b409614425bc97acb3b258e0f
- SSDEEP
  
  12288:Yn5u4wJ9V2LIH5WOglMBaVXfstROdM+QAbuuCgBDoy4kgEEPaqY:86J9VOQO9buuCgtoy9gO
Score

5^/10

discovery
- Drops file in System32 directory
behavioral10 behavioral9
- Target
  
  Autoupdater/DTLUpdater.exe
- Size
  
  455KB
- MD5
  
  007a609f86ea76fc835f807fff893f43
- SHA1
  
  f2d09eb12eb907e44543bde77b6ad155fb11df70
- SHA256
  
  52a4eff99fe5b2c3bbfc28e843c1336390c4a5358bafd4171e2031f290fe699b
- SHA512
  
  96da117e334dac8097c9f3bb32f3ee30db05cbfe596b5f1a9648efd24594e5df0df684759484b71bee416294e596a17be24a285e991b58d7f11c2689d198ae3b
- SSDEEP
  
  12288:D9V2LIH5WOglMBaVXfstROdM+QAbuuCgBDoy6kTEEPH:D9VOQO9buuCgtoyXTl
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  Bind/AVCheck.dll
- Size
  
  131KB
- MD5
  
  2086aa8740f0223c3993d6336b1b9fc5
- SHA1
  
  8af4dacd14f7c50928a5dd5db2fa9473e15e5e0e
- SHA256
  
  1376018512203e69033c5928cceb6280cba7dba6874e55ef0f04bb2cf718b429
- SHA512
  
  7b67a32418baafd0d144fe17466e9478ea2bb73205a4c6dba0078d457ec5fe2766a8daf35af47296419ba5324e7f1273ddf280cfb98ac184b07fef45766f3e5e
- SSDEEP
  
  3072:BMdqtA14Ln+J7eIwGOIezIVlidzZ2YKul:BMw+1TAIwGwd+C
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  Bind/GetAV.exe
- Size
  
  63KB
- MD5
  
  c370f62105bf4e23ed840df1de7da9f4
- SHA1
  
  1200781e796bedde8957dd782156cee9a2e5302e
- SHA256
  
  79fc2ed2a2ee782a061405fcd52929f7d2603da3ee3c9c6755a07558e6789565
- SHA512
  
  5358d7ad82b217e21994f808a4fb75a287f4e0edb35209c58fc28d41dee36b9910102821bdd43a85cd849041b26afade757c5a182710181f3d1841b6638b4048
- SSDEEP
  
  768:1cpamL9gchqW0VVPL5UITZTjTzaLUodCPZE2lRtuiQ5dwsGCbCb:aLcW+lUITF/4UWCLRtuiQ5CqCb
Score

6^/10

discovery
- Checks for any installed AV software in registry
behavioral15 behavioral16
- Target
  
  Bind/HTTPDownloadUI.exe
- Size
  
  387KB
- MD5
  
  0d3386e738c27504326837a54faa6579
- SHA1
  
  4309d174b4628b98c2c712569a49e5bdb2ccad8a
- SHA256
  
  361d5676bf6b565d9d9de23a43983217c5ba1462e29cbabd6d500ec423d40e88
- SHA512
  
  ef7b3668ba2425032becd9d271014082e486483775df02470d70070dec4b6991fbf1e767b9314ff8fa7940b30276e3ded1dd321ae1397ff0bfbebff3468ae407
- SSDEEP
  
  6144:wZpjraFhbr8qKAABCOmsC9UBQ1XXE9WPmb/n4w73NQKJJPWEmZxX5/K/nU3YAEPd:wZpju8bCOmsC9UBikQ8QKJiZzl3YAEPd
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  DevCfg.dll
- Size
  
  111KB
- MD5
  
  20cb836b50c4276b5738ae7c12b36455
- SHA1
  
  e32c213aedaafecc1f02f7a95be556936771c97a
- SHA256
  
  d37212e6924cb04bfe444535bd68d1d7a19ac5c0d113a7e327a72c7e2a1f89bb
- SHA512
  
  f7b0c9e1a38f5390dfae53431f2fbc94357da5b027546cf151d76f5e624c9407240d179a8657ee41c875d75333ea57f4f0a16401d20068f719da06669ac6f997
- SSDEEP
  
  1536:MSFE5e8F/AS5t1npGSrxdJrBMRnpmQ/2ey5KHRTkAwAaZx8tSR3BFqCu:T+5e8F4it1nCRpmrgaZGtSR0
Score

5^/10

discovery
- Drops file in System32 directory
behavioral19 behavioral20
- Target
  
  DockHelp.dll
- Size
  
  87KB
- MD5
  
  26d6b281bc5fbf9953ed68e7d5e93cd2
- SHA1
  
  2d4d03303553eb4e770d7ef0e483ff778ee47972
- SHA256
  
  cf843a9e8ca6731ee40e695e2a2161400ceae6860507eb05eec2f211a840a2ff
- SHA512
  
  1c4ef5d8d8717fa9d131bed6bd681757325004add43453abef528ccbfd2b8ce756aae3d7033771259c4dbdefd9ef4b7fdafe3607d585d37d8aa6fa8af36ba231
- SSDEEP
  
  768:NW9fKBe+MM0fC13XWqHhj+0A8DUggGoynQuxIgHH/nG3AHcj2ky+NVtyk6Yke/oF:kGGhwW+j+u2ax5/ng4k2fStyk0ecqC
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  DockHelpex.dll
- Size
  
  60KB
- MD5
  
  bc7bc205bffb46c24ac034024d00fcfa
- SHA1
  
  194c2eab87edba8c627575e3198b4e9fcb24fdb3
- SHA256
  
  cca90757833a087aec35effddea2dc16196633eb1de5df8dbff1d6665a81e4a6
- SHA512
  
  da12046948aae7489647bc7b2b0fa7edb724caebefec5b60fa7810919700e54c4adb6c93ec2fe5587c9d2117a93a1b424b165e23632f18323950ce63cadeafd4
- SSDEEP
  
  768:O+dLGW8w4Zjorz+ChasbkVozEn+VBlAG7nDEDVyv1uFCNS91knRDsGCbC6:5L9yZjSTPkfnmB3jGCNa1kR7qC6
Score

3^/10

discovery
behavioral23 behavioral24
- Target
  
  DriveTheLife.exe
- Size
  
  1.1MB
- MD5
  
  2d4b22597d208d56ce337398f2574c8e
- SHA1
  
  c676d6e8452ce43a1a69a97f767bad8c1daf68be
- SHA256
  
  6125f323bd28e7092d2e8191978fddad248a0d9899e7f4159dbc218c27128a33
- SHA512
  
  89f72fa6d26a9a6b610ab9b12378d6f2f39b71e2f917809f491419f6754301d349e8b9429604d0238da702eb5c70b858d1f72a22d00d876265d39e19bb36e83e
- SSDEEP
  
  24576:OAQkUx9yzj53OsPvz4jUkO07qElhSxdGi:4kUxKfP07qFxd
Score

10^/10

pandastealer bootkit discovery persistence privilege_escalation stealer
- Panda Stealer payload
- PandaStealer
  Panda Stealer is a fork of CollectorProject Stealer written in C++.
  stealer pandastealer
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral25 behavioral26
- Target
  
  hdaudbus.sys
- Size
  
  135KB
- MD5
  
  3fcc124b6e08ee0e9351f717dd136939
- SHA1
  
  4a4f29e427dc4a6e39eb43a12c78c4829711e86e
- SHA256
  
  ebfe0fb51e14570a1a1d64c8e5383f3ff28509361d13945b79a9c551eb522012
- SHA512
  
  6dc9a760b139f115392146c8831dccde15a18d7aea34d00e66700136364a190ee53d2d8bc875ce180d299ff165b725513f85065c9a7d7d8c57fbcdf62e2888a9
- SSDEEP
  
  3072:unARaxZAbEumXF/o4IYo4Y7BmWG2mWO+ueO+ueO+u7+HBm/i4zITL:unARaxKbJmXF/o4IYo4YtmWG2mWO+ueB
Score

1^/10
behavioral27 behavioral28
- Target
  
  Drivers/wnd7audio/SysFxUI.dll
- Size
  
  335KB
- MD5
  
  ce8685ecab192356a1ccd8946bc93daa
- SHA1
  
  c71bbc28ee270fb32e1267caf80713c1a1c07c8b
- SHA256
  
  6afe404bd9a3f4cdf0c4f8ca64ba9988762219d4c5573a268fb5e8a33bfafb4f
- SHA512
  
  c967da5be38a181ffb32ef5b70fcfb022ce2ed473741f00ea622be6e57062e8df98163e7db367f3b0b9788e7d18a8b2621f08162cb9f49add9bd1cde906f0344
- SSDEEP
  
  3072:zWOyuyOotvkTo9o0a1X6dAEdzf6qAwBsE1Jxd5KkyH:iOyuyOQcZ6hBf6qjBsMfyH
Score

3^/10

discovery
behavioral29 behavioral30
- Target
  
  Drivers/wnd7audio/WMALFXGFXDSP.dll
- Size
  
  1.2MB
- MD5
  
  7434fe8c29e19a952367d9c0f96d7c0c
- SHA1
  
  aec687c54427c051b92c7fb51e65ad31a03b8f3e
- SHA256
  
  0a49274a2205df5ca751c2d4c5966f4d5c9482c73af39bce98d55487a21fde63
- SHA512
  
  2fbb0f671e3ac44bed3dd2bd9deaef662165faa5a6435740c6e89bdd2a3c504e6f33c68b98b8512e54e6910f65d669c88148b3ddc52510001c3fdee3b9387e4e
- SSDEEP
  
  24576:xDRswqbynSUxyn2zvvmvKze+wnm8vJ8vP/4H4wfgbIy:xt9qbySUxy2z1zeZjvmvP/4H4wfgbIy
Score

3^/10

discovery
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Loads dropped DLL

Drops file in System32 directory

Checks for any installed AV software in registry

Drops file in System32 directory

Panda Stealer payload

Blocklisted process makes network request

Checks computer location settings

Event Triggered Execution: Component Object Model Hijacking

Writes to the Master Boot Record (MBR)

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32