69be1852895f5397617d57c01eb8c1fb22d059933cc2e6fb632e211e52dd8535

Sharing

Copy URL

Twitter E-mail

General

Target

763b789115183361ec77f88e75d4586f_JaffaCakes118
Size

1.1MB
Sample

241027-19l18svbrl
MD5

763b789115183361ec77f88e75d4586f
SHA1

69e2bad630243dfc47317d6af4a872faeb6ebe1b
SHA256

69be1852895f5397617d57c01eb8c1fb22d059933cc2e6fb632e211e52dd8535
SHA512

5ce4fe37f1fb4998888f8450a46c34055fc96b95d82fae5e3e0118f9e7a4a2b42aa683efc4d23f644fd18b7e444f799c38ed37eaab964c6dc3d23c914b382f7a
SSDEEP

24576:ttph7KFxrhvAyfXsa16+hq2EH7Se+at/v2sn/oEY:t/VKnhAmXDE+hniSJ0v2sDY

Score

9^/10

Malware Config

Targets

- Target
  
  winpirate-master/Run.bat
- Size
  
  74B
- MD5
  
  a3fe52842b1a0880f3e8796bf9d37b6c
- SHA1
  
  1a98470716912390c085d7b43bc0bda78d895904
- SHA256
  
  f0f732d890792b09a44d844418c03886450e1df73ff24ac7e079a05881ad90e9
- SHA512
  
  4fe05def88568016e4e90043868ff91eecf42aa32785810ed74f3d65025d08c1643659d9b61350b053b0fbf7f7dbab4617e81a49cfe566f01294db0d843917b7
Score

8^/10

bootkit discovery exploit lateral_movement persistence
- Possible privilege escalation attempt
  exploit
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Modifies file permissions
  discovery
- Remote Services: SMB/Windows Admin Shares
  Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
  lateral_movement
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2
- Target
  
  winpirate-master/Stickykeys.sh
- Size
  
  260B
- MD5
  
  833d1bd2cc2cb09c55e0e1f997544c95
- SHA1
  
  911a48ddabb68cb4f453881b5d86a44ed6f88158
- SHA256
  
  667a6dfa4e2ed153fa8a4a7a17ef7ea627217924794eb144c4bcb1cbbbb14369
- SHA512
  
  ca04911078c84cf86cdd836ea7e6f7a31f877742b58afa61970bfc0f8e4a55156b115ea00191c488cd669bd7742d64b7e53eaf87c8700631c6ae7764f8a1d36f
Score

3^/10

discovery
behavioral3 behavioral4 behavioral5 behavioral6
- Target
  
  winpirate-master/Tools/Browsinghistoryview/BrowsingHistoryView.chm
- Size
  
  19KB
- MD5
  
  40a8b71d4470118f60980ae0a711df03
- SHA1
  
  0d712f1177f5d35427727cd527b070af8e7b893c
- SHA256
  
  ee5db85e5c8d6ce7b95d1a9c574e741b0a83866a124ddd5b7fe6c44057f3001f
- SHA512
  
  8e790a0cba46c9a7f2860367f3f7b539745f51687b37838e7ffbccc46fdfcd52e820686e8d079f01a1d3220cc97354fcc7572edd43ff08916e66aa72d51adf3c
- SSDEEP
  
  192:z8VRdJe4YxRZCEFhpY5yNB6I0H0itcWxhwbgee7S0VElJYWDaozwoLqId:z6RjGCQNBSZhwMglvzw7w
Score

1^/10
behavioral7 behavioral8
- Target
  
  winpirate-master/Tools/Browsinghistoryview/BrowsingHistoryView.exe
- Size
  
  351KB
- MD5
  
  18926758c88d56d0178670093f0f4fac
- SHA1
  
  63ad210d4c628eaecd6a63194f7c17d33eea851f
- SHA256
  
  2033380cf345c3c743aefffe9e261457b23ececdb6ddd6ffe21436e6f71a8696
- SHA512
  
  b38de35b0a12b8e3b7a151c2c0a730ff4bbc36d37d51a8168f54296f84337496234e9b58e2a12eeff9ed06eac38b1650829eb069e350385c62ccf6d9cecc4ad1
- SSDEEP
  
  6144:6vg/wvLP8X2xL5R4Y7Ieh2Mc2zAyPFpm+UXnwhtAtJhqq:6YYz7IFqAyPnGI07
Score

3^/10

discovery spyware stealer
behavioral10 behavioral9
- Target
  
  winpirate-master/Tools/Browsinghistoryview/BrowsingHistoryView64.exe
- Size
  
  472KB
- MD5
  
  09e77dd694e74f81da917e2288cd9f3f
- SHA1
  
  81a2b0989b75e4a1f3f056f219ca50d287a710c3
- SHA256
  
  906397a1765b82510679cb5b0f26ef1c8c89335c68f1d17178f924e5b2544454
- SHA512
  
  d139db4365be6e9b00caaaab2057046754346fec765e3427548e536338d1af9bde9a32c763772c33cd21464c3be3a7bf62094ffc0068bce0ee33258506a00c11
- SSDEEP
  
  12288:/yTjanq6iFHROuc4TpQopG0f0sGkaHVYP:/yTV3xZc4Tp5N0sGk6U
Score

3^/10

discovery spyware stealer
behavioral11 behavioral12
- Target
  
  winpirate-master/Tools/Chrome/chromepasswords.py
- Size
  
  2KB
- MD5
  
  a7ab03c97a2727609aedea614c2a1192
- SHA1
  
  888e900b3b70b61aa152ba29292f1c7ae807776b
- SHA256
  
  5bcb269feebb7fcd307cb03aa650e7e2db6e6a1b08ea4b70eb4ecef7ee17fe8b
- SHA512
  
  e45ec94c1a87f42bce0d97b665fa6a8262150b20a421ae099dcb57079ff34b04837c71c33cc1ac259f048bf9c2fce3c8ab4983c7b0ebd2375c241d7d8f9b7c89
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  winpirate-master/Tools/mimikittenz/Invoke-mimikittenz.ps1
- Size
  
  21KB
- MD5
  
  bdb28c5a180a1649e6411301eb94452f
- SHA1
  
  f8324684d3042e7cee8f1bc21ba89b2e8536b38e
- SHA256
  
  14e2f70470396a18c27debb419a4f4063c2ad5b6976f429d47f55e31066a5e6a
- SHA512
  
  a0f4e27b70d26569afaac2bce1c179dfc77db605bc75867682819263438ab2fa9479a290ff726e52dcbe2f9810648cc2037197cbd8691e280c849079ecb57b8b
- SSDEEP
  
  192:XmGuSnWGH0/7tSULU8doB3x0HNm0H8nU4L/k70GCB89W/SGZgggMGDAch1ZB9mH2:ySWGH6td48doB3x0HSU5pCBNSh01SPV
Score

3^/10

execution
behavioral15 behavioral16
- Target
  
  winpirate-master/Tools/winaudit/WinAudit.exe
- Size
  
  1.6MB
- MD5
  
  92ade3b6212b1e6ec3ee3a140cbf80ac
- SHA1
  
  2a6fe60418f85d42c04204063be3b23e23722b60
- SHA256
  
  56f4763af00801c5eb80c39f141a563069669def9f98c1798c0f4b4094f34821
- SHA512
  
  ec5bf40c6674959c2754ad72ef66b44b04d6dcf6c3a57d96416553e82fd54d241e16995a65dbd2c2c87b5e6724f0a9e2b09d7492cc9b3e109d62705c4b9d7ec0
- SSDEEP
  
  24576:UJ6mtXMwELTFr2YAPilNa7Dg7E5SRS5vg914lLihcRuyM1SOQj:mtXMjLJrzqiTOEMVflLi+RuyM1SOQj
Score

7^/10

bootkit discovery evasion lateral_movement persistence trojan
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Remote Services: SMB/Windows Admin Shares
  Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
  lateral_movement
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral17 behavioral18
- Target
  
  winpirate-master/WinPirate.bat
- Size
  
  1KB
- MD5
  
  5010683e30216dfd169a298836d73b4a
- SHA1
  
  93c84c8b0bd9a4d426bb97419e26f668ef45b07e
- SHA256
  
  06aefdba2c0c7d69c2cdd0e1882fb8295d1b47348d1aced8156bfb3a6b3936c7
- SHA512
  
  ddd9c106f9f2aed6ede89127b049825931ece6479ef749faf23559a5af6e24cc1dc0f51d4e51495f06a728e7ca631664d7e39b80d595c4abd7d24547b4d7ac11
Score

8^/10

bootkit discovery exploit lateral_movement persistence
- Possible privilege escalation attempt
  exploit
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Modifies file permissions
  discovery
- Remote Services: SMB/Windows Admin Shares
  Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
  lateral_movement
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral19 behavioral20
- Target
  
  winpirate-master/hide.vbs
- Size
  
  78B
- MD5
  
  c578d9653b22800c3eb6b6a51219bbb8
- SHA1
  
  a97aa251901bbe179a48dbc7a0c1872e163b1f2d
- SHA256
  
  20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
- SHA512
  
  3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d
Score

1^/10
behavioral21 behavioral22