General

  • Target

    JaffaCakes118_8b82cb03647b6123ec1b5d38dbc1c6b5714bd1ccc543840cb9080bca470d2a7d

  • Size

    33.4MB

  • Sample

    241224-vll4fasmav

  • MD5

    3de490174162e430fa4da15bf43d7cf6

  • SHA1

    b77cb05af5fc467ad266a9393bbaa69482b6a5dd

  • SHA256

    8b82cb03647b6123ec1b5d38dbc1c6b5714bd1ccc543840cb9080bca470d2a7d

  • SHA512

    d0f14edc3a595e590635c98f6d477535aed7e8354290de7c5727fd73b6af1dcae9fd0b7b7d93a862494115b9a7e06d049979376149436516f3c8ebf625c87e3c

  • SSDEEP

    786432:D1eVa1a+adKYUNlbetLl4WFqTr7xPpkFp+MMRSIRBFw83C4A:DcVJGzbetLl4UqT/xPGFp+MMRvC4A

Malware Config

Targets

    • Target

      CLFsecurity.exe

    • Size

      35.1MB

    • MD5

      edde1633579f5e1f0543140cfbfa50fb

    • SHA1

      4233ff7941da62b86fc2c2d92be0572c9ab534c8

    • SHA256

      23b14288d49610a8eef61977b7fc49a963f1261fe29b1668b4443a04eaf493cb

    • SHA512

      e03a1575824ea04d30e3c3290d87e73be689014970e94ddc56f157766bc048faa5129e4589be0b8a404ce75c0fdf4301973c21cb5593a9c6006f26709507bf5c

    • SSDEEP

      786432:SQRwdPcRZMRDY8X9XRTuCpZD7U4qRVOtIqNi0f9jphU7oDM8ETp9an3aZO:1RwdPcRZuDYg1pZfUNRctpNi0f9dhU7a

    • Babadeda

      Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

    • Babadeda Crypter

    • Babadeda family

    • NetSupport

      NetSupport is a remote access tool sold as a legitimate system administration software.

    • Netsupport family

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v15

Tasks