General

  • Target

    6d5d0869cf35cce167a449bc0507dede_JaffaCakes118

  • Size

    38KB

  • Sample

    241023-ghey3atera

  • MD5

    6d5d0869cf35cce167a449bc0507dede

  • SHA1

    502cf9dc76df7946588db0705587ac9eb131c30b

  • SHA256

    cb81a4ed85f64bf07cddf8134e4373a183da4200e54510b45107e59f9f008c19

  • SHA512

    399bfb6e41e6a97de72368330626796e039b52c4ba66637dced37a7e1823ea1ba8e660c592b04445ae488c80a4e0d6f60e966e1267f8110dcbd17fcdbe43a82c

  • SSDEEP

    768:N8JRCx+RrKADVwtkstDxnK95ZU+hIFGPtxdFghB:N8JPrKADeXqrhCcHQB

Malware Config

Targets

    • Andromeda, Gamarue

      Andromeda, also known as Gamarue, is a modular botnet malware written in C++ and primarily used to distribute other malware.

    • Detects Andromeda payload.

    • Adds policy Run key to start application

    • Deletes itself

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks