Overview

overview

10

Static

static

3

6fbfe6a44d...18.exe

windows7-x64

7

6fbfe6a44d...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6fbfe6a44dde69c6fabe54177c72723b_JaffaCakes118

  • Size

    337KB

  • Sample

    241023-tfamsa1ajr

  • MD5

    6fbfe6a44dde69c6fabe54177c72723b

  • SHA1

    a0a6e5d842c14d8ab45422b79488fd6164c95295

  • SHA256

    5d12608efb8d25cd671f6060d391d66f68323cc78c5475c39e227b7af3a5ad2b

  • SHA512

    86b3d62eee58afd0c0e71e2e8e1b654e8b1255040ae288380729e96fef48e8b3acaf816b0f5b9cb42e8d24cffa254467a9f088c88f34b6a1c8f4cf7eb81a33bf

  • SSDEEP

    6144:Mak9hyxEXYGc7q7vqO6eun45AjuQgIPcIiwrqrnbjXz6zc9aLL+eUTZ9oO8KbFil:MkxEXT7XIAAGkqb36zVeTZ+O8GFsP

Score
10/10
bootkitdefense_evasiondiscoveryevasionpersistenceupx

Malware Config

Targets

    • Target

      6fbfe6a44dde69c6fabe54177c72723b_JaffaCakes118

    • Size

      337KB

    • MD5

      6fbfe6a44dde69c6fabe54177c72723b

    • SHA1

      a0a6e5d842c14d8ab45422b79488fd6164c95295

    • SHA256

      5d12608efb8d25cd671f6060d391d66f68323cc78c5475c39e227b7af3a5ad2b

    • SHA512

      86b3d62eee58afd0c0e71e2e8e1b654e8b1255040ae288380729e96fef48e8b3acaf816b0f5b9cb42e8d24cffa254467a9f088c88f34b6a1c8f4cf7eb81a33bf

    • SSDEEP

      6144:Mak9hyxEXYGc7q7vqO6eun45AjuQgIPcIiwrqrnbjXz6zc9aLL+eUTZ9oO8KbFil:MkxEXT7XIAAGkqb36zVeTZ+O8GFsP

    Score
    10/10
    bootkitdefense_evasiondiscoverypersistenceupxevasion

    • Modifies visiblity of hidden/system files in Explorer

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Enumerates processes with tasklist

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

3
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

Process Discovery

1
T1057

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks