General

  • Target

    JaffaCakes118_fd4cc6b7967519e02736994b91c7c4f6

  • Size

    790KB

  • Sample

    250215-26k57syrfk

  • MD5

    fd4cc6b7967519e02736994b91c7c4f6

  • SHA1

    d947f816523a023f6d355df276c3f5c2ec966e97

  • SHA256

    27f128298e49336f7d7cc8d3abc93b1ccbae052c1380a5b8526fee20d410efdd

  • SHA512

    889a08a4e6df5d0f43a138a0d54157ac91c17f8a567db88275b7f12d3793316632b42888a50a2fca314a897a1d80a174543a915187f307e812069085f5d94e2d

  • SSDEEP

    24576:6vQkTf49aIM7i6mUIv3i87cvpawAvrXRZtG4:LkTgoAv3iz4

Targets

    • Blackshades

      Blackshades is a commodity remote access trojan (RAT) that gives an operator interactive control of the infected host, including keylogging, screen and webcam capture, file management and download/execution of further payloads.

    • Blackshades family

    • Blackshades payload

    • Modifies firewall policy service

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules registered under the Browser Helper Objects registry key that Internet Explorer loads into each of its processes at startup, which makes them both a persistence mechanism and a way to intercept browsing activity.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
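The signatures above name four registry-backed persistence mechanisms (Run key, Active Setup StubPath, Browser Helper Object registration and COM hijacking). The following PowerShell is an added host-triage script, not part of the sandbox report and not code from the sample or the sandbox vendor; it enumerates those locations on a live Windows host so an analyst can compare them against a known-good baseline. The registry paths are the standard ones for those mechanisms; the assumption is that it is run in an elevated session, and every hit still needs manual review.

```powershell
# Added triage script (not from the report): enumerate the persistence
# locations referenced by the sandbox signatures. Run elevated; review hits.
$ErrorActionPreference = 'SilentlyContinue'

function Get-RunKeyEntries {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $props = Get-ItemProperty -Path $p
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
            [pscustomobject]@{ Source = 'Run key'; Key = $p; Name = $name; Value = $props.$name }
        }
    }
}

function Get-ActiveSetupEntries {
    # Active Setup runs each component's StubPath once per user at logon.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
    )
    foreach ($p in $paths) {
        Get-ChildItem -Path $p | ForEach-Object {
            $stub = (Get-ItemProperty -Path $_.PSPath).StubPath
            if ($stub) {
                [pscustomobject]@{ Source = 'Active Setup'; Key = $_.PSChildName; Name = 'StubPath'; Value = $stub }
            }
        }
    }
}

function Get-BhoEntries {
    # Each subkey is a CLSID; resolve it to the DLL Internet Explorer would load.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($p in $paths) {
        Get-ChildItem -Path $p | ForEach-Object {
            $clsid = $_.PSChildName
            $dll = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32").'(default)'
            [pscustomobject]@{ Source = 'BHO'; Key = $clsid; Name = 'InprocServer32'; Value = $dll }
        }
    }
}

function Get-ComHijackCandidates {
    # HKCU\Software\Classes is merged into HKCR ahead of HKLM, so a per-user
    # InprocServer32 for a CLSID that also exists machine-wide shadows the
    # legitimate server. Such pairs are the classic COM hijack pattern.
    Get-ChildItem -Path 'HKCU:\SOFTWARE\Classes\CLSID' | ForEach-Object {
        $clsid      = $_.PSChildName
        $userSrv    = "HKCU:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $machineSrv = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        if ((Test-Path $userSrv) -and (Test-Path $machineSrv)) {
            [pscustomobject]@{
                Source = 'COM hijack candidate'; Key = $clsid; Name = 'InprocServer32'
                Value  = (Get-ItemProperty -Path $userSrv).'(default)'
            }
        }
    }
}

$findings = @(Get-RunKeyEntries) + @(Get-ActiveSetupEntries) +
            @(Get-BhoEntries) + @(Get-ComHijackCandidates)
$findings | Sort-Object Source, Key | Format-Table -AutoSize -Wrap
```

On a clean machine the Run and Active Setup lists are short and point into Program Files or System32 with signed binaries; values that reference user-writable locations (AppData, Temp, ProgramData) or a VBScript/wscript command line are the ones to pivot on, given the report's "Executes dropped EXE" and "Uses the VBS compiler for execution" signatures.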

MITRE ATT&CK Enterprise v15