General
Target: JaffaCakes118_8b82cb03647b6123ec1b5d38dbc1c6b5714bd1ccc543840cb9080bca470d2a7d
Size: 33.4MB
Sample: 241224-vll4fasmav
MD5: 3de490174162e430fa4da15bf43d7cf6
SHA1: b77cb05af5fc467ad266a9393bbaa69482b6a5dd
SHA256: 8b82cb03647b6123ec1b5d38dbc1c6b5714bd1ccc543840cb9080bca470d2a7d
SHA512: d0f14edc3a595e590635c98f6d477535aed7e8354290de7c5727fd73b6af1dcae9fd0b7b7d93a862494115b9a7e06d049979376149436516f3c8ebf625c87e3c
SSDEEP: 786432:D1eVa1a+adKYUNlbetLl4WFqTr7xPpkFp+MMRSIRBFw83C4A:DcVJGzbetLl4UqT/xPGFp+MMRvC4A
Static task: static1

Behavioral task: behavioral1
  Sample: CLFsecurity.exe
  Resource: win7-20241023-en

Behavioral task: behavioral2
  Sample: CLFsecurity.exe
  Resource: win10v2004-20241007-en
Malware Config

Targets
Target: CLFsecurity.exe
Size: 35.1MB
MD5: edde1633579f5e1f0543140cfbfa50fb
SHA1: 4233ff7941da62b86fc2c2d92be0572c9ab534c8
SHA256: 23b14288d49610a8eef61977b7fc49a963f1261fe29b1668b4443a04eaf493cb
SHA512: e03a1575824ea04d30e3c3290d87e73be689014970e94ddc56f157766bc048faa5129e4589be0b8a404ce75c0fdf4301973c21cb5593a9c6006f26709507bf5c
SSDEEP: 786432:SQRwdPcRZMRDY8X9XRTuCpZD7U4qRVOtIqNi0f9jphU7oDM8ETp9an3aZO:1RwdPcRZuDYg1pZfUNRctpNi0f9dhU7a
Signatures
Babadeda Crypter
Babadeda family
NetSupport
  NetSupport is a remote access tool sold as legitimate system administration software.
Netsupport family
Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Event Triggered Execution: Image File Execution Options Injection
Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
Drops startup file
Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Active Setup (1)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Active Setup (1)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)