General

  • Target

    8126840a68ac0b59131895236692c577_JaffaCakes118

  • Size

    1.4MB

  • Sample

    241031-cmvsvsxcna

  • MD5

    8126840a68ac0b59131895236692c577

  • SHA1

    9a610c195b9b153d8f31a0cc786f709372bc81d7

  • SHA256

    d38e4a084a04993bf205a802fb04c83ab1436319c95605595bb274231b19c435

  • SHA512

    74cacd4ddd9253f960fac294c36c13e9d7d94f10808622db2acb8cdefd5fe65ef6e603313a8996322f11c935bbebb3c5a58253e5dcb879f95a0c674845a2e4c8

  • SSDEEP

    3072:hxAMvBIEH5OIPPSwSHErh1Rj++Ekibboxd2Kzm:hxAWINKSqh1Rj+TnHqm

Malware Config

Targets

    • Target

      8126840a68ac0b59131895236692c577_JaffaCakes118

    • Size

      1.4MB

    • MD5

      8126840a68ac0b59131895236692c577

    • SHA1

      9a610c195b9b153d8f31a0cc786f709372bc81d7

    • SHA256

      d38e4a084a04993bf205a802fb04c83ab1436319c95605595bb274231b19c435

    • SHA512

      74cacd4ddd9253f960fac294c36c13e9d7d94f10808622db2acb8cdefd5fe65ef6e603313a8996322f11c935bbebb3c5a58253e5dcb879f95a0c674845a2e4c8

    • SSDEEP

      3072:hxAMvBIEH5OIPPSwSHErh1Rj++Ekibboxd2Kzm:hxAWINKSqh1Rj+TnHqm

    • Modifies firewall policy service

    • Modifies security service

    • Modifies visibility of file extensions in Explorer

    • Modifies visiblity of hidden/system files in Explorer

    • UAC bypass

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Disables taskbar notifications via registry modification

    • Drops file in Drivers directory

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Indicator Removal: Clear Persistence

      remove IFEO.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks