General

  • Target

    79dc38de4928d68d822eed4edf0fe8f4_JaffaCakes118

  • Size

    308KB

  • Sample

    241028-qryxza1aln

  • MD5

    79dc38de4928d68d822eed4edf0fe8f4

  • SHA1

    37d12135e4ea053524e822a601da8a995407d516

  • SHA256

    ebd07804f8890f0a70110a6a8eb86198624562c914c27b10b0124d94f25d1568

  • SHA512

    40c5c185df367ff341a51d2ff4753384ccdfabfe76f8c105b69cc65ee4145c9ba1cb2b280d2c5cca89a1b7867bf159263eb6c44a5e038a91cd73f4041ed72cc1

  • SSDEEP

    6144:pNmIIxxw/ZmdfE6FUaSLIXGj6tjJVGy4kjF0g7FnW:KPlFLlt4kJ0D

Malware Config

Targets

    • Target

      79dc38de4928d68d822eed4edf0fe8f4_JaffaCakes118

    • Size

      308KB

    • MD5

      79dc38de4928d68d822eed4edf0fe8f4

    • SHA1

      37d12135e4ea053524e822a601da8a995407d516

    • SHA256

      ebd07804f8890f0a70110a6a8eb86198624562c914c27b10b0124d94f25d1568

    • SHA512

      40c5c185df367ff341a51d2ff4753384ccdfabfe76f8c105b69cc65ee4145c9ba1cb2b280d2c5cca89a1b7867bf159263eb6c44a5e038a91cd73f4041ed72cc1

    • SSDEEP

      6144:pNmIIxxw/ZmdfE6FUaSLIXGj6tjJVGy4kjF0g7FnW:KPlFLlt4kJ0D

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Ramnit

      Ramnit is a versatile family whose variants include file-infecting viruses, worms, and banking Trojans.

    • Ramnit family

    • UAC bypass

    • Windows security bypass

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.
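The registry-related signatures above (Winlogon tampering, Run-key autostart, the UAC check and EnableLUA change, firewall-policy and Security Center modification, and the country-code lookup) can be reproduced offline from a registry event trace. The following is an added example, not part of the sandbox report and not code from the Ramnit sample: it classifies registry events supplied in a constructed tab-separated form (operation, key, value name, data). The Winlogon defaults are the documented clean-install values; the user name, file path and value data in the sample events are hypothetical and were not taken from this analysis.

```python
"""Offline triage of registry activity for the behaviours listed in this report.

Added example; it is not part of the sandbox report and not code from the
Ramnit sample. It reads registry events in a constructed tab-separated form
(op, key, value name, data) and labels the categories the report flags.
"""
import re

# Clean-install defaults for the two Winlogon values loaders typically
# overwrite. Any other data in these values is a persistence indicator.
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_DEFAULTS = {
    "Userinit": r"C:\Windows\system32\userinit.exe,",
    "Shell": "explorer.exe",
}
POLICY_SYSTEM_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
GEO_NATION_KEY = r"HKCU\Control Panel\International\Geo"

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
FIREWALL_RE = re.compile(r"\\SharedAccess\\Parameters\\FirewallPolicy\\", re.I)
SECURITY_CENTER_RE = re.compile(r"\\Microsoft\\Security Center(\\|$)", re.I)


def parse_events(text):
    """Yield (op, key, name, data) from tab-separated event lines.

    op is QUERY or SET; dword data is written as dword:<hex>, anything else
    is kept as a string. Blank lines and '#' comments are skipped.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        op, key, name = parts[0], parts[1], parts[2]
        data = parts[3] if len(parts) > 3 else None
        if isinstance(data, str) and data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        yield op.upper(), key, name, data


def classify(op, key, name, data):
    """Map one registry event to a report category, or None if benign."""
    k = key.lower()
    if op == "QUERY":
        if k == GEO_NATION_KEY.lower() and name == "Nation":
            return "checks_computer_location"  # country code lookup, likely geofence
        if k == POLICY_SYSTEM_KEY.lower() and name == "EnableLUA":
            return "checks_uac_enabled"
        return None
    if op != "SET":
        return None
    if k == WINLOGON_KEY.lower() and name in WINLOGON_DEFAULTS:
        if str(data).lower() != WINLOGON_DEFAULTS[name].lower():
            return "modifies_winlogon"
        return None
    if RUN_KEY_RE.search(key):
        return "adds_run_key"
    if k == POLICY_SYSTEM_KEY.lower() and name == "EnableLUA" and data == 0:
        return "disables_uac"
    if FIREWALL_RE.search(key) and name == "EnableFirewall" and data == 0:
        return "modifies_firewall_policy"
    if SECURITY_CENTER_RE.search(key) and data == 1 and (
        name.endswith("Override") or name.endswith("DisableNotify")
    ):
        return "modifies_security_center"
    return None


def triage(text):
    """Return findings as (category, key, name, data) tuples, in event order."""
    findings = []
    for op, key, name, data in parse_events(text):
        category = classify(op, key, name, data)
        if category:
            findings.append((category, key, name, data))
    return findings


# Constructed sample events (hypothetical, not from this analysis); the values
# mimic what the report's signatures describe, with one benign write mixed in.
SAMPLE_EVENTS = "\n".join([
    "QUERY\tHKCU\\Control Panel\\International\\Geo\tNation",
    "QUERY\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\tEnableLUA",
    "SET\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\tEnableLUA\tdword:00000000",
    "SET\tHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\tUserinit\t"
    "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\dropped.exe",
    "SET\tHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\tdropped\tC:\\Users\\Admin\\AppData\\Local\\dropped.exe",
    "SET\tHKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\tEnableFirewall\tdword:00000000",
    "SET\tHKLM\\SOFTWARE\\Microsoft\\Security Center\tAntiVirusOverride\tdword:00000001",
    "SET\tHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\tShellState\tdword:00000001",
])

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Reads (the GeoID and EnableLUA queries) are deliberately tracked separately from writes: a registry diff of the post-infection image would only show the writes, so the geofence and UAC checks are visible only in an API or Procmon-style event trace.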

MITRE ATT&CK Enterprise v15

Tasks