General

  • Target

    JaffaCakes118_89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3

  • Size

    588.6MB

  • Sample

    241221-2dlk9s1rat

  • MD5

    406da853741b451e074e2d66567b126a

  • SHA1

    4a2e040b94eabb5e72b647db64586b4dc3e22a62

  • SHA256

    89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3

  • SHA512

    b47a095b79ee25cb8d794e6397b2279636f153f1919acdb8bbddd22768a99d10f1120e5587fd54301fd6b4323ac7e0eefe9e78d40fd0bf32eaf52b84de2c4eeb

  • SSDEEP

    98304:qDsqmfeoT5qEM+1+LofOz7VNBLghT2tNcTWTQbictE:X5GoVasEofyrRsEEWTQ3tE

Malware Config

Targets

    • Target

      JaffaCakes118_89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3

    • Size

      588.6MB

    • MD5

      406da853741b451e074e2d66567b126a

    • SHA1

      4a2e040b94eabb5e72b647db64586b4dc3e22a62

    • SHA256

      89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3

    • SHA512

      b47a095b79ee25cb8d794e6397b2279636f153f1919acdb8bbddd22768a99d10f1120e5587fd54301fd6b4323ac7e0eefe9e78d40fd0bf32eaf52b84de2c4eeb

    • SSDEEP

      98304:qDsqmfeoT5qEM+1+LofOz7VNBLghT2tNcTWTQbictE:X5GoVasEofyrRsEEWTQ3tE

    • NetSupport

      NetSupport is a remote access tool sold as a legitimate system administration software.

    • Netsupport family

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Enumerates processes with tasklist

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks