Overview

overview

10

Static

static

10

db69dc47e1...18.exe

windows7-x64

9

db69dc47e1...18.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    db69dc47e177e79a390089b72d715295_JaffaCakes118

  • Size

    12KB

  • Sample

    241209-zbk6lsvqcl

  • MD5

    db69dc47e177e79a390089b72d715295

  • SHA1

    836655afa5624cf81b6e6d02dfa0c149e393cf2e

  • SHA256

    934dbbfe39728292a5f2d44d53087b7add0205e00d901cd02d3103df997e21a9

  • SHA512

    96c0d15fc42d91b92c2db0f65d7bfe0c23af9324b890a88a0d61349c9be85cfdcd23449c10387ecdaff3bfd3ec99e13eb96a79f45868a60b0c82e5671f1090a5

  • SSDEEP

    192:y/TrG62a6B10k3g4fXk1iTV3HGc7EkpAqEjvu2q9C/YpXnAITZfPtRMTa/C+U:yebFNw4Pk1itKkpAjjI2YpdmTao

Score
10/10
xoristcredential_accessdiscoverypersistenceransomwarespywarestealer

Malware Config

Targets

    • Target

      db69dc47e177e79a390089b72d715295_JaffaCakes118

    • Size

      12KB

    • MD5

      db69dc47e177e79a390089b72d715295

    • SHA1

      836655afa5624cf81b6e6d02dfa0c149e393cf2e

    • SHA256

      934dbbfe39728292a5f2d44d53087b7add0205e00d901cd02d3103df997e21a9

    • SHA512

      96c0d15fc42d91b92c2db0f65d7bfe0c23af9324b890a88a0d61349c9be85cfdcd23449c10387ecdaff3bfd3ec99e13eb96a79f45868a60b0c82e5671f1090a5

    • SSDEEP

      192:y/TrG62a6B10k3g4fXk1iTV3HGc7EkpAqEjvu2q9C/YpXnAITZfPtRMTa/C+U:yebFNw4Pk1itKkpAjjI2YpdmTao

    Score
    9/10
    credential_accessdiscoverypersistenceransomwarespywarestealer

    • Renames multiple (17512) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks