Overview

overview

10

Static

static

1

yzlepczajx.js

windows7-x64

10

yzlepczajx.js

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_9f60de00184b1f61708abe1b0e58289615fb23f89fa8a52e515e1102a3ae709a

  • Size

    610KB

  • Sample

    241223-p5y98aznav

  • MD5

    3a975924d9dd4045c079f76f604cd332

  • SHA1

    ec5b7d61eb9dd14a62b5407bbceb93016aa28e98

  • SHA256

    9f60de00184b1f61708abe1b0e58289615fb23f89fa8a52e515e1102a3ae709a

  • SHA512

    be75bcbeec4e319171a43caaa02fadbfc2917274250bf1eef2fb4b59e5646c8fb8d9515c54f6cd44ad68ec2ed745403a1dcfb91f78bd37c26205ffafea0be431

  • SSDEEP

    12288:auEGbFKu33ljGufC2Qt44VrtRiXi6ZbX5OQ2wOyTZ5gh:sW0u3hfCfva/p532Qbg

Score
10/10
adwindevasionexecutionpersistencetrojan

Malware Config

Targets

    • Target

      yzlepczajx.js

    • Size

      920KB

    • MD5

      5c7f48778dda08d83d87b51a67ad54b6

    • SHA1

      a3393ea14aa9fde19778941b4ce1aa82d739396b

    • SHA256

      5324fbe32d617ae3b84406481bf31ab8b25bd0fc263a50ffb147a9eaae2fbdf2

    • SHA512

      8c547d098ced09baf54c40d05a3a849eabcc1d2cf62bdbf6774046cc53ba09996e922c150754b9bbb784f6daefb3376192985ad580b74f54754bd1b065cb837d

    • SSDEEP

      12288:ns6jLWrbVoZ/znW4fNRyac0RuUjZltEk+jPmSh163Lq9fAIdKQJHcI:nsdrbVoZ/zWmp/oW+t6LcfAOB

    Score
    10/10
    adwindexecutiontrojanevasionpersistence

    • AdWind

      A Java-based RAT family operated as malware-as-a-service.

      trojanadwind

    • Adwind family

      adwind

    • UAC bypass

      evasiontrojan

    • Disables use of System Restore points

      evasion

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

JavaScript

1
T1059.007

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Tasks