Overview

overview

10

Static

static

10

aea459bd4a...18.exe

windows7-x64

10

aea459bd4a...18.exe

windows10-2004-x64

10

$PLUGINSDIR/Ping.dll

windows7-x64

3

$PLUGINSDIR/Ping.dll

windows10-2004-x64

3

$PLUGINSDI...ry.dll

windows7-x64

3

$PLUGINSDI...ry.dll

windows10-2004-x64

3

Installer.exe

windows7-x64

8

Installer.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    aea459bd4a96c0440c4435bfe39aaf40_JaffaCakes118

  • Size

    8.8MB

  • Sample

    241129-d5rplasqdy

  • MD5

    aea459bd4a96c0440c4435bfe39aaf40

  • SHA1

    4bddc9c5e363f94a71610c5720ab188593be11d1

  • SHA256

    202dcd065752d8e3d74ac43b70ef3267fd5c10d892fc9655a094575cdba410ad

  • SHA512

    7a6a144118bbea7835e035e6bd0d3a87363dd92f2186ba9911eb41d2e0a45530757a9c8348e8171027eb90814497da49b225b7a9a606d3bb2872d53086ae4f19

  • SSDEEP

    196608:T1oRCm5gjvpKv1gJzwgs/vvZNijq97g00QCOsNjz0uHFtdMaKDk:T1oRCIg1Kvozwl/73vYrWaKI

Score
10/10
pandastealeradwarediscoveryevasionpersistenceprivilege_escalationspywarestealertrojan

Malware Config

Targets

    • Target

      aea459bd4a96c0440c4435bfe39aaf40_JaffaCakes118

    • Size

      8.8MB

    • MD5

      aea459bd4a96c0440c4435bfe39aaf40

    • SHA1

      4bddc9c5e363f94a71610c5720ab188593be11d1

    • SHA256

      202dcd065752d8e3d74ac43b70ef3267fd5c10d892fc9655a094575cdba410ad

    • SHA512

      7a6a144118bbea7835e035e6bd0d3a87363dd92f2186ba9911eb41d2e0a45530757a9c8348e8171027eb90814497da49b225b7a9a606d3bb2872d53086ae4f19

    • SSDEEP

      196608:T1oRCm5gjvpKv1gJzwgs/vvZNijq97g00QCOsNjz0uHFtdMaKDk:T1oRCIg1Kvozwl/73vYrWaKI

    Score
    10/10
    pandastealeradwarediscoveryevasionpersistenceprivilege_escalationspywarestealertrojan

    • Panda Stealer payload

    • PandaStealer

      Panda Stealer is a fork of CollectorProject Stealer written in C++.

      stealerpandastealer

    • Pandastealer family

      pandastealer

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware
    behavioral1behavioral2

    • Target

      $PLUGINSDIR/Ping.dll

    • Size

      64KB

    • MD5

      b0e9ba9dab60cb7a9fd886dcf440cac3

    • SHA1

      c416f6e9ba379feb9008c775d8456514444b66da

    • SHA256

      52d52e5a1e1cec3e2db08555a8b2651f636cf76c6a24e32aa446595365cf193f

    • SHA512

      90de38a7c57f59e8deb17c2473a215e2f052aee909a47ef37a88fefcfaeb5e6b54d462a39bcac4d0f1aa88d1806ba9e1237d0eeba98f7a0479bd6825e841f043

    • SSDEEP

      768:1ORwNJ7zPmd4L2i/lZ9OIm+LAAgBL+LjZpZxkuS28sHL12/hYLwkOYqn2PEDupfq:1ORGPmd41tKBKZkZ2xHLYpswTcZL0

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      $PLUGINSDIR/Registry.dll

    • Size

      24KB

    • MD5

      2b7007ed0262ca02ef69d8990815cbeb

    • SHA1

      2eabe4f755213666dbbbde024a5235ddde02b47f

    • SHA256

      0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

    • SHA512

      aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

    • SSDEEP

      384:W2mvyNjH3rPnAZ4wu2QbnC7qB7PnrvScaeYA4CIDEge/QqL2AQ:/75w/OfrzB4CUxuQfA

    Score
    3/10
    discovery
    behavioral5behavioral6

    • Target

      Installer.exe

    • Size

      10.2MB

    • MD5

      564e47a3604ced3b7c18e43250226cd7

    • SHA1

      a3eef8fac3617d048fb9fce2201937297e3920f1

    • SHA256

      12ae00fe728b441221acd10483eeb1197884738e9bd6eb715ceadeea058c6c83

    • SHA512

      e925e2a5b60c7257ac6b57b3fc12675d2cc490070c456a8e794f54c6732cc34981c0d88a5acfb2214fd316194f24eae83e8151cfab101daa2f1b59f2d621cdbf

    • SSDEEP

      196608:NNCibAePytGr1MADU91h+RXs0yDiFqtpS8KNFVe1Pu5ZiqNJ:qZ6ytGriADU91h+WjDikm8KNkuziu

    Score
    8/10
    adwarediscoveryevasionpersistenceprivilege_escalationspywarestealertrojan

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware
    behavioral7behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Browser Extensions

1
T1176

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Modify Registry

5
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks