General

  • Target

    820cf1fbe97e0fe6c8d26b0d6169ce14_JaffaCakes118

  • Size

    850KB

  • Sample

    241031-hbhxtatnck

  • MD5

    820cf1fbe97e0fe6c8d26b0d6169ce14

  • SHA1

    03d2b1d91d4954bf38f50ed650c2b5de32d935ea

  • SHA256

    b98f391aa8ba1719d331c341fc237b13495ea7ead507c46cbe1ba66afba55089

  • SHA512

    f945c079ed93e96d16aa2cf503165b30a0c6362f8844a1f99f558d9af6fb9f1fd4f6b34271492ef83a704c1ad803050dcfebbdb9315f38d69b46d08db8bb7785

  • SSDEEP

    3072:XdDc+tTAqAZGZGM2tVJV1hUnGpAFQdZK0Jx9ahSD5li:qVf1hgGpAGdZKgGc

Malware Config

Targets

    • Target

      820cf1fbe97e0fe6c8d26b0d6169ce14_JaffaCakes118

    • Size

      850KB

    • MD5

      820cf1fbe97e0fe6c8d26b0d6169ce14

    • SHA1

      03d2b1d91d4954bf38f50ed650c2b5de32d935ea

    • SHA256

      b98f391aa8ba1719d331c341fc237b13495ea7ead507c46cbe1ba66afba55089

    • SHA512

      f945c079ed93e96d16aa2cf503165b30a0c6362f8844a1f99f558d9af6fb9f1fd4f6b34271492ef83a704c1ad803050dcfebbdb9315f38d69b46d08db8bb7785

    • SSDEEP

      3072:XdDc+tTAqAZGZGM2tVJV1hUnGpAFQdZK0Jx9ahSD5li:qVf1hgGpAGdZKgGc

    • Modifies firewall policy service

    • Modifies security service

    • Modifies visibility of file extensions in Explorer

    • Modifies visiblity of hidden/system files in Explorer

    • UAC bypass

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Disables taskbar notifications via registry modification

    • Drops file in Drivers directory

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Indicator Removal: Clear Persistence

      remove IFEO.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks