General
-
Target
JaffaCakes118_eb4e717e4120b2df5f6c8cd6641264fb
-
Size
281KB
-
Sample
250211-3y83qsvnes
-
MD5
eb4e717e4120b2df5f6c8cd6641264fb
-
SHA1
2dd0541b46f229e37164991834252e07cf58f66f
-
SHA256
94e6bce2a2bf54658129161c0b046c658242eba69682f0347dde4926195739dc
-
SHA512
13c2b6da084122bce6bdeeb273cc58fa24e518c1fec67368ce908b99899b2320559557c5f9032e571328ae80b58f2816c7942e53dca15ea589d11438f305a502
-
SSDEEP
6144:9pcnH1hymlUEAsvK7ke5L3iFPwsj9CnL9R6jbKVCA7W5f1uHVOJ:9pYDycUEAWK7SCsj9kLnCAS9IVW
Malware Config
Extracted
simda
-
dga
cihunemyror.eu
digivehusyd.eu
vofozymufok.eu
fodakyhijyv.eu
nopegymozow.eu
gatedyhavyd.eu
marytymenok.eu
jewuqyjywyv.eu
qeqinuqypoq.eu
kemocujufys.eu
rynazuqihoj.eu
lyvejujolec.eu
tucyguqaciq.eu
xuxusujenes.eu
puzutuqeqij.eu
ciliqikytec.eu
dikoniwudim.eu
vojacikigep.eu
fogeliwokih.eu
nofyjikoxex.eu
gadufiwabim.eu
masisokemep.eu
jepororyrih.eu
qetoqolusex.eu
keraborigin.eu
ryqecolijet.eu
lymylorozig.eu
tunujolavez.eu
xubifaremin.eu
puvopalywet.eu
Targets
-
-
Target
JaffaCakes118_eb4e717e4120b2df5f6c8cd6641264fb
-
Size
281KB
-
MD5
eb4e717e4120b2df5f6c8cd6641264fb
-
SHA1
2dd0541b46f229e37164991834252e07cf58f66f
-
SHA256
94e6bce2a2bf54658129161c0b046c658242eba69682f0347dde4926195739dc
-
SHA512
13c2b6da084122bce6bdeeb273cc58fa24e518c1fec67368ce908b99899b2320559557c5f9032e571328ae80b58f2816c7942e53dca15ea589d11438f305a502
-
SSDEEP
6144:9pcnH1hymlUEAsvK7ke5L3iFPwsj9CnL9R6jbKVCA7W5f1uHVOJ:9pYDycUEAWK7SCsj9kLnCAS9IVW
Score10/10-
Modifies WinLogon for persistence
-
Simda family
-
simda
Simda is an infostealer written in C++.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Modifies WinLogon
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
4Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Browser Extensions
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
4Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Component Object Model Hijacking
1