General

  • Target

    f17a54aefe9af6d6742d57c3bde04d04_JaffaCakes118

  • Size

    88KB

  • Sample

    241215-azl1daypgw

  • MD5

    f17a54aefe9af6d6742d57c3bde04d04

  • SHA1

    36d0543095983f41938cf41878e16e5409048ada

  • SHA256

    3f649aed980d17ec837e948e9c33ce63a5349dbd2b92e1c1f8bc751de8f2e633

  • SHA512

    ec32e33793b2ccdedfc244a84edc2d97fe2b67239b028c808c8b7c41f24a7bfc6b5c1a731a802205279d2c98e40f2f024a8a627c1a362c4d0b0530c3d19781da

  • SSDEEP

    1536:t5piVnDXkTbhCtaB6GVA/bVQPxfgiqfoOonoKg+yOH5y/yEm:6D0ctAVA/bmxIMnoKjyR/Nm

Malware Config

Targets

    • Target

      f17a54aefe9af6d6742d57c3bde04d04_JaffaCakes118

    • Size

      88KB

    • MD5

      f17a54aefe9af6d6742d57c3bde04d04

    • SHA1

      36d0543095983f41938cf41878e16e5409048ada

    • SHA256

      3f649aed980d17ec837e948e9c33ce63a5349dbd2b92e1c1f8bc751de8f2e633

    • SHA512

      ec32e33793b2ccdedfc244a84edc2d97fe2b67239b028c808c8b7c41f24a7bfc6b5c1a731a802205279d2c98e40f2f024a8a627c1a362c4d0b0530c3d19781da

    • SSDEEP

      1536:t5piVnDXkTbhCtaB6GVA/bVQPxfgiqfoOonoKg+yOH5y/yEm:6D0ctAVA/bmxIMnoKjyR/Nm

    • Andromeda family

    • Andromeda, Gamarue

      Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.

    • Detects Andromeda payload.

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks