Overview

overview

9

Static

static

3

ba40883e00...18.exe

windows7-x64

9

ba40883e00...18.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ba40883e005f64abbb765f436a9f535c_JaffaCakes118

  • Size

    685KB

  • Sample

    241202-1apyvazjfq

  • MD5

    ba40883e005f64abbb765f436a9f535c

  • SHA1

    a1260d2f6ba066b0c402af1f525b26bb8a60e716

  • SHA256

    1ac5efef5495c03e0d32c791d6f145ac0d3373a7cd3ddf0003be9d8b19263ee9

  • SHA512

    1bb49b857dba2a2da4ab0ffa62a7ba44984674538aaab7d2d333b6a1750204e87c64abf7f5b21391a9a93a5c8add2b3f30c1a4a350fdd801bd90708edb2ab423

  • SSDEEP

    12288:rIVgjRD8IuBITB2hcgc/Co0GNk88ZJgaZMaSQsd9vOgG5f:rIajRgIuV61/iGV8YaZMaSbd9vOXf

Score
9/10
defense_evasiondiscoverylateral_movementpersistence

Malware Config

Targets

    • Target

      ba40883e005f64abbb765f436a9f535c_JaffaCakes118

    • Size

      685KB

    • MD5

      ba40883e005f64abbb765f436a9f535c

    • SHA1

      a1260d2f6ba066b0c402af1f525b26bb8a60e716

    • SHA256

      1ac5efef5495c03e0d32c791d6f145ac0d3373a7cd3ddf0003be9d8b19263ee9

    • SHA512

      1bb49b857dba2a2da4ab0ffa62a7ba44984674538aaab7d2d333b6a1750204e87c64abf7f5b21391a9a93a5c8add2b3f30c1a4a350fdd801bd90708edb2ab423

    • SSDEEP

      12288:rIVgjRD8IuBITB2hcgc/Co0GNk88ZJgaZMaSQsd9vOgG5f:rIajRgIuV61/iGV8YaZMaSbd9vOXf

    Score
    9/10
    defense_evasiondiscoverylateral_movementpersistence

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Remote Service Session Hijacking: RDP Hijacking

      Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

      lateral_movement

    • Indicator Removal: Network Share Connection Removal

      Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

      defense_evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Modifies WinLogon

      persistence

    • Drops file in System32 directory

    • Hide Artifacts: Hidden Users

      defense_evasion
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Hide Artifacts

1
T1564

Hidden Users

1
T1564.002

Indicator Removal

1
T1070

Network Share Connection Removal

1
T1070.005

Modify Registry

2
T1112

Credential Access

Discovery

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Remote Service Session Hijacking

1
T1563

RDP Hijacking

1
T1563.002

Collection

Command and Control

Exfiltration

Impact

Tasks