Overview: score 10/10
Static: score 3/10

Analysis tasks (score per task):
- $77-Example.exe on windows7-x64: 1/10
- $77-Example.exe on windows10-2004-x64: 1/10
- BytecodeApi.UI.dll on windows7-x64: 1/10
- BytecodeApi.UI.dll on windows10-2004-x64: 1/10
- BytecodeApi.dll on windows7-x64: 1/10
- BytecodeApi.dll on windows10-2004-x64: 1/10
- Helper32.dll on windows7-x64: 3/10
- Helper32.dll on windows10-2004-x64: 3/10
- Helper64.dll on windows7-x64: 1/10
- Helper64.dll on windows10-2004-x64: 1/10
- Install.exe on windows7-x64: 10/10
- Install.exe on windows10-2004-x64: 10/10
- TestConsole.exe on windows7-x64: 3/10
- TestConsole.exe on windows10-2004-x64: 3/10
- r77-x64.dll on windows7-x64: 1/10
- r77-x64.dll on windows10-2004-x64: 1/10
- r77-x86.dll on windows7-x64: 3/10
- r77-x86.dll on windows10-2004-x64: 3/10

General
- Target: r77Rootkit 1.5.2.zip
- Size: 830KB
- Sample: 241029-aggmyaykew
- MD5: e35fb35b4031269ef3b37247d561a9ba
- SHA1: 95dd7ba15205a297bfa0312415f6f57a74f8193e
- SHA256: 2a3ceec046fc5edd6e1d5f5f6d6fbb591217977a0967e6b0b5ad52c0229c6aad
- SHA512: 9d9ab799e9cd80f44b2c3c0f4728a01abc4b5bd8b144412a8df85208bd7d8f08c7a55b220e98d425af7706fbbeb6e28d6c46b7178c57c4268830258cee70cf6b
- SSDEEP: 12288:9+LV15m6ZnHCfsC6ubY7UZYPAK0Wyd//rah9/kBu9qV7a6nLXy5HJXi4nvU/57Bu:MLVbNwau7nKIVehp54cpXil1ELprLIc
Static task: static1

Behavioral tasks (sample and sandbox resource):
- behavioral1: $77-Example.exe (win7-20241010-en)
- behavioral2: $77-Example.exe (win10v2004-20241007-en)
- behavioral3: BytecodeApi.UI.dll (win7-20240708-en)
- behavioral4: BytecodeApi.UI.dll (win10v2004-20241007-en)
- behavioral5: BytecodeApi.dll (win7-20241023-en)
- behavioral6: BytecodeApi.dll (win10v2004-20241007-en)
- behavioral7: Helper32.dll (win7-20240903-en)
- behavioral8: Helper32.dll (win10v2004-20241007-en)
- behavioral9: Helper64.dll (win7-20240903-en)
- behavioral10: Helper64.dll (win10v2004-20241007-en)
- behavioral11: Install.exe (win7-20241023-en)
- behavioral12: Install.exe (win10v2004-20241007-en)
- behavioral13: TestConsole.exe (win7-20240903-en)
- behavioral14: TestConsole.exe (win10v2004-20241007-en)
- behavioral15: r77-x64.dll (win7-20241010-en)
- behavioral16: r77-x64.dll (win10v2004-20241007-en)
- behavioral17: r77-x86.dll (win7-20240903-en)
- behavioral18: r77-x86.dll (win10v2004-20241007-en)
Malware Config
Targets

Target: $77-Example.exe
- Size: 47KB
- MD5: b503babbbac8d370ca0de5752ada2eb7
- SHA1: 5995adbe90e6fbddae320d7af780749918f86c46
- SHA256: c0a64062375a690c4b7c3dda242973fb3e342f7e611ca7e9e5ee0398b8e7f435
- SHA512: a0ee4bb021bee3651144caf13a1235dd46c5a4f13239364db97ec355381e7b8d37e3c40813c1e1c217d51e81cf2348ffdfd148e2a75dcd12559f6419b4798181
- SSDEEP: 768:OLA8Bd9tqyt4m52qJWXcm4owy78Lw8Vd9OPyt4m52FJWXcm4oq:OE87Dqe49JDwy78Lw8nkPe49WDq
Score: 1/10

Target: BytecodeApi.UI.dll
- Size: 76KB
- MD5: 0ee5c134de6df52fdda8b3be2e3198ba
- SHA1: 50a67723030e2e2c653cc659db49ab3e7170c692
- SHA256: ee475b056cb651e58bba55568e07caf8d26fb38c3ed7e0399e4188febe127825
- SHA512: 405b6b8217f61806caa7c4c41e5bcbfa32c781d99c493d27ef22c26c0140ff9f2fb95ad5ce8465f31a3f4c3fbc6a2dcf4372a1a15766e95be15c139ad6dc0dfe
- SSDEEP: 1536:K5hDKEtqZ7gVv6JCk6cM6QWAvDy8LKajPAeMb7cO:wRKEtqvkcM6QWOAeccO
Score: 1/10

Target: BytecodeApi.dll
- Size: 317KB
- MD5: 5330f2ca77ea587a1a3d14da9a623498
- SHA1: ae469532f64a2c4d9347e1879b6599cdb487248d
- SHA256: 16e2c2c38922ada41528faf33db72027b1fdddf696d901ff9bf7cc443ec5c9ca
- SHA512: bbfc4c84e4b26f36419357b8ab53ea124c0715de36bde9efca0c755ac0ad6c0ef6ad13e9606f74a346798364704d7f01c51f7bed114ee12ad1f0de180fe45bdb
- SSDEEP: 6144:/XgB4q/DyNPto9yc+1/vsd8DjpwUnvosdiboO6k4Z1a3x:SN/DyZ10d2lwYZHs
Score: 1/10

Target: Helper32.dll
- Size: 8KB
- MD5: ef7a000bee8770cd0d2b480632421458
- SHA1: 65683ecb8208f64520c9c8c19418d8fb95abcd35
- SHA256: 6485ea559bdbbff1fd5386644ea4f7ea6e9afbcbb1028d13d8f2ebbf216857da
- SHA512: e3c6adda760d8fef58bbe3f459397244f801b240a71c6c2223aa08876dcfcf5fa994aa3bbacbbf1d6eebd761b75833a8e7d45812322fa28b364dab12c1b0b02d
- SSDEEP: 96:OjPnfEKYppLhLLbgORiWGLPuua79SO6rq9WMb5V5t83M5oYL3iZjZAF3hsxb5:0n9G9hLLkRF0uTg5lvb3KAHsxb
Score: 3/10

Target: Helper64.dll
- Size: 10KB
- MD5: abda48204fcff3e06637a4fe8d169b6f
- SHA1: fd792beced0977aa9095d66410803bb1758ff5af
- SHA256: 8eb0b160f927ef53bcd050d54066a9a9e50ab4006af674d89a94d994b9c09451
- SHA512: 31f556842ddace8c89e852e05cc9d54ed33a28cc7237ac22f6c25fc2c77e16fdb51be63bb9552f8696e54f54f55d47988cc2a59fd3db796e2ecc3fd82dacec04
- SSDEEP: 192:l6HK4aI/apUuxpSCillaiZsYa6KCQCoyG7AyOqM9PD:l6HK4aI/iU8Fgl3ZU63G9OquP
Score: 1/10

Target: Install.exe
- Size: 163KB
- MD5: 1a7d1b5d24ba30c4d3d5502295ab5e89
- SHA1: 2d5e69cf335605ba0a61f0bbecbea6fc06a42563
- SHA256: b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5
- SHA512: 859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa
- SSDEEP: 3072:TQpsSyjlzA664oL8tIoDJxGtIVORPrdAHjl3+uwF+iBDZ/wXxnTFKe8kaz:TQpsSyjlzfnoNGxGo6PrdAHwtMxn4e8N
Signatures:
- Modifies security service
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Sets service image path in registry
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Drops file in System32 directory
- Suspicious use of SetThreadContext

Target: TestConsole.exe
- Size: 262KB
- MD5: 1f195793c2802ebeddcdb1b13f23476e
- SHA1: 216efe9bcd245350baf37d5bc3b5073cdb5f2e31
- SHA256: cae860044d6969b1e7540c97eb7371e4df1be08b1caaab64424425aa7a23a6ee
- SHA512: 4f6ec7e606d6e12a17083fc6aa21ca3f5d523d7ab6ea41d939708bff0f8ca540e442789b658c239c089f20d0ce40fdac1426d64757859e166a96dd9ed499eece
- SSDEEP: 6144:VybkRvlY/lWqgYiwRVi8O2JQ2366PvbfhssEA:GkRsq2JQ23PPvzhD9
Score: 3/10

Target: r77-x64.dll
- Size: 145KB
- MD5: 9fc46e9e9259dd82c72f0c01adab7e87
- SHA1: c6d3fcd895aa332cf266f967940379ded55ad441
- SHA256: 1b485ebeb910f35ddb8db2a1225b4049fcf8281404cc39e532148cf7b654d589
- SHA512: 1322695b117f76e0c29cdc54015ec43fdcce6b9294a42fca42db5226ade28be03dfee8afe4818631c60c568a8ecf25715e3846236c3c9a790aaa9b80243aaa76
- SSDEEP: 3072:dj3jo8M1zrdJOPBVjt511aFwxIfMLeUB4wJ812U5:Y8PBVjB4F+IUJ7i
Score: 1/10

Target: r77-x86.dll
- Size: 109KB
- MD5: 38fc10fa0e887853119850c77e6067d5
- SHA1: 5bca8e114613dd3e08c54362ac433fe9f06fa2c0
- SHA256: e3450f2a89811cfa81450222ecf1b632ffb339fa4f8b80a147a24969ba45cc65
- SHA512: c53f69f7e21118bd7beb2688a87e350133985f2cbb24fbd3a8cc5bcd82575c87cc3278a48d8a0e6e80170ba75580e62cd154b84d830152ee7ba88144fb0b1c64
- SSDEEP: 3072:JIzGXZZgy65eC736iv2l56458VtMtiG0aMwFo9u:JOGXbgyiGi+l5l5VPswFo9u
Score: 3/10
MITRE ATT&CK Enterprise v15 (tactic, technique and sub-technique, with the number of matching signatures)

Persistence
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
  - Windows Service: 1
- Pre-OS Boot: 1
  - Bootkit: 1

Privilege Escalation
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
  - Windows Service: 1

Defense Evasion
- Indicator Removal: 1
  - Clear Windows Event Logs: 1
- Modify Registry: 2
- Pre-OS Boot: 1
  - Bootkit: 1