General

  • Target

    8462d74fdbedcb32579b0e67dd1e07ef_JaffaCakes118

  • Size

    773KB

  • Sample

    241101-mx13qs1pdp

  • MD5

    8462d74fdbedcb32579b0e67dd1e07ef

  • SHA1

    c2ff063cfc81473b13852250012f5e1455df4e61

  • SHA256

    01b908cb399e5088eb9d2d6aa8afdf49139370750a092c73185df7fb8aafc676

  • SHA512

    779614400f0e3ef4b1883026542c0866d2f894e431b06b4671eb10498c5e27cb9980b0eb56aec5536004dddff97f3ad5a87b10d0e04f9c3c87bf004fa1d1ff4a

  • SSDEEP

    12288:nKVor+xCwP+U4gcN2KA71uA46dNyKxElDrNk0mGDJPSyEy26g3oWGKegoBM/sPd2:mor+wwnZx71uxj8+NkG9PSywOKegx/V

Malware Config

Targets

    • Target

      8462d74fdbedcb32579b0e67dd1e07ef_JaffaCakes118

    • Modifies security service

    • Windows security bypass

    • Sets service image path in registry

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Deletes itself

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks registry for disk virtualization

      Detecting virtualization disks is often done to detect sandboxing environments.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks