General
-
Target
JaffaCakes118_e27e04a442cbbea082ca41e970b9248a
-
Size
287KB
-
Sample
250211-esh3cswqfj
-
MD5
e27e04a442cbbea082ca41e970b9248a
-
SHA1
b022bc89ab4b5f94f51f550134f3b1d5c9ee3f1e
-
SHA256
da588d742d42f577a1ac457b29b5fe5193bd841c77aa379c56475590f49b4034
-
SHA512
bf7c0d93d3b2175a1cb8c5548a5bdf3db1775965858850b4f96ce203156da7a98985256d64a8ec49b1407cd6bb4604c855e618520e41ab7dda17684769f0fbce
-
SSDEEP
6144:+84R+/nBQojUb4LoaXqMKVjNY4GuKcxwMwulQMEAj+:fhBQ6n/SVqxcxwDunE3
Malware Config
Extracted
simda
-
dga
cihunemyror.eu
digivehusyd.eu
vofozymufok.eu
fodakyhijyv.eu
nopegymozow.eu
gatedyhavyd.eu
marytymenok.eu
jewuqyjywyv.eu
qeqinuqypoq.eu
kemocujufys.eu
rynazuqihoj.eu
lyvejujolec.eu
tucyguqaciq.eu
xuxusujenes.eu
puzutuqeqij.eu
ciliqikytec.eu
dikoniwudim.eu
vojacikigep.eu
fogeliwokih.eu
nofyjikoxex.eu
gadufiwabim.eu
masisokemep.eu
jepororyrih.eu
qetoqolusex.eu
keraborigin.eu
ryqecolijet.eu
lymylorozig.eu
tunujolavez.eu
xubifaremin.eu
puvopalywet.eu
Targets
-
-
Target
JaffaCakes118_e27e04a442cbbea082ca41e970b9248a
-
Size
287KB
-
MD5
e27e04a442cbbea082ca41e970b9248a
-
SHA1
b022bc89ab4b5f94f51f550134f3b1d5c9ee3f1e
-
SHA256
da588d742d42f577a1ac457b29b5fe5193bd841c77aa379c56475590f49b4034
-
SHA512
bf7c0d93d3b2175a1cb8c5548a5bdf3db1775965858850b4f96ce203156da7a98985256d64a8ec49b1407cd6bb4604c855e618520e41ab7dda17684769f0fbce
-
SSDEEP
6144:+84R+/nBQojUb4LoaXqMKVjNY4GuKcxwMwulQMEAj+:fhBQ6n/SVqxcxwDunE3
Score10/10-
Modifies WinLogon for persistence
-
Simda family
-
simda
Simda is an infostealer written in C++.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Modifies WinLogon
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
4Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Browser Extensions
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
4Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Component Object Model Hijacking
1