mimikatz | 70b34fd39a8536035490ba2000aba26d8a4bf416275a8091a962770477026f3d | Triage

Sharing

General

Target

JaffaCakes118_70b34fd39a8536035490ba2000aba26d8a4bf416275a8091a962770477026f3d
Size

5.0MB
Sample

241229-dddnnazrem
MD5

176d3f4f148b323076261ff3e25ffcdd
SHA1

de96a1eca638bf3aa0ef95b93e0c6617b28bec4e
SHA256

70b34fd39a8536035490ba2000aba26d8a4bf416275a8091a962770477026f3d
SHA512

6a47edf54a98f911e0b148c510166f7fa84a2833469e6c0edc8b2f79a767f08ca02c543da9da808ea9e41c26b3365656722e94ff6f40663b4088e5f63013e09c
SSDEEP

98304:gr69xeRSKie9LMxs5yTgt0gf/bFOAjwhDiJkLU:gTQKiSzUqv7F70iP

Score

10^/10

mimikatz bootkit persistence

Malware Config

Targets

- Target
  
  JaffaCakes118_70b34fd39a8536035490ba2000aba26d8a4bf416275a8091a962770477026f3d
- Size
  
  5.0MB
- MD5
  
  176d3f4f148b323076261ff3e25ffcdd
- SHA1
  
  de96a1eca638bf3aa0ef95b93e0c6617b28bec4e
- SHA256
  
  70b34fd39a8536035490ba2000aba26d8a4bf416275a8091a962770477026f3d
- SHA512
  
  6a47edf54a98f911e0b148c510166f7fa84a2833469e6c0edc8b2f79a767f08ca02c543da9da808ea9e41c26b3365656722e94ff6f40663b4088e5f63013e09c
- SSDEEP
  
  98304:gr69xeRSKie9LMxs5yTgt0gf/bFOAjwhDiJkLU:gTQKiSzUqv7F70iP
Score

1^/10
behavioral1 behavioral2
- Target
  
  filedata
- Size
  
  2.1MB
- MD5
  
  423f082b5b9913c8eb66528cbfe03e70
- SHA1
  
  128618d7ffcb7095fc9ffcbf4902b1b9a860414e
- SHA256
  
  2bc5752399db4ee085ddf335ddfbe9bda91d824fd5294462a450a61229161926
- SHA512
  
  5c1d4d49fbd5921ab226772fa5cdf9d507d5623c2f73499f3f16a484a330b80d5b512e4a30fe0bf82cc3c488fb22b3baff96fd0d776506f7680cc65f33487600
- SSDEEP
  
  49152:ZOg7YJ+1SJxeN4A4D6rH8VK9I8FXkDa9WT:X76JxeNpcc3jkD9
Score

10^/10

bootkit persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Deletes itself
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral3 behavioral4
- Target
  
  filedata
- Size
  
  1.5MB
- MD5
  
  70dcf3700e84aac402567e50097a2b90
- SHA1
  
  b6d440663956b371cc34bc37bd25f75bc5cdce82
- SHA256
  
  741296b5c572f4f02527619dfa6322406a11d6be697286260693a77b27bb8348
- SHA512
  
  52a7a51369da3a6bcb89a4ea3a6f11beeba34f3ed33300ad5cf81d54b867f20cecab366b9c360a2531a503c9c529874594e1f407ab77a72cedf7f076761f9afe
- SSDEEP
  
  24576:z3aVaNWAyolQb91wLtRsblMttPQoCMQUg/D7vFfuWSVkBXbs4:TaVa4BolQHwLs5QtPQ7MQUg/DxAi
Score

10^/10

mimikatz
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- Mimikatz family
  mimikatz
- mimikatz is an open source tool to dump credentials on Windows
behavioral5 behavioral6
- Target
  
  filedata
- Size
  
  2.7MB
- MD5
  
  d921d26cebc3bedad6419ef4298cd3e1
- SHA1
  
  973e0d3e6af8596f67e1a93b29122eea8af38108
- SHA256
  
  158e7d6361ca30df80d5edc5de38f5852961ad49dcc4e024f2ed8a00662c1792
- SHA512
  
  81cc4b95c081c1fefa63542d2583aa3f1820f66cd137fa4486d23601801712b3d1d4b1d9cdec7c8391ba0c5e2177778c987c2547faa95802cab1fccfe33741f3
- SSDEEP
  
  49152:nL2mxSw1wKb1ryOKQSg+o5Ru4rUjd/H8P3JiltNreKClt:Lnhb12Y5AD9cBuc
Score

10^/10

bootkit persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Deletes itself
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Pre-OS Boot

Bootkit

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

bootkitpersistence

behavioral4

bootkitpersistence

behavioral5

behavioral6

behavioral7

bootkitpersistence

behavioral8

bootkitpersistence