General

  • Target

    81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118

  • Size

    2.0MB

  • Sample

    241031-frhwmsyphz

  • MD5

    81bc906307d99bcb8b3aeaceb1d51b5c

  • SHA1

    9dfd66539c689b2ecaf46fdcdeebf00128e59f87

  • SHA256

    191f71d0ce6906e90271c1a713d6420759744e21455818a244f4331f38e16b08

  • SHA512

    2d1912e20c73da05e6e5ff9373620ce829647fe23c92e54b20cac74453967831b89c9b00451938fbc3b9497f16b716e756f63540929b342de4d8cec05e5eb3f5

  • SSDEEP

    49152:r5cOFNA7o0BM4wpDnqrYTHJ0I24oS6HGpwlSGnf:r5vNOoLpVuI21S6HGuR

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://galaint.onlinesecstats.info/?0=155&1=1&2=1&3=54&4=i&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=0000&12=tmikvgppmh&14=1

Targets

    • Target

      81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118

    • Size

      2.0MB

    • MD5

      81bc906307d99bcb8b3aeaceb1d51b5c

    • SHA1

      9dfd66539c689b2ecaf46fdcdeebf00128e59f87

    • SHA256

      191f71d0ce6906e90271c1a713d6420759744e21455818a244f4331f38e16b08

    • SHA512

      2d1912e20c73da05e6e5ff9373620ce829647fe23c92e54b20cac74453967831b89c9b00451938fbc3b9497f16b716e756f63540929b342de4d8cec05e5eb3f5

    • SSDEEP

      49152:r5cOFNA7o0BM4wpDnqrYTHJ0I24oS6HGpwlSGnf:r5vNOoLpVuI21S6HGuR

    • Disables service(s)

    • UAC bypass

    • Disables taskbar notifications via registry modification

    • Event Triggered Execution: Image File Execution Options Injection

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks