General

  • Target

    JaffaCakes118_a94e7603886d42a722de61f5e7723c83

  • Size

    704KB

  • Sample

    250410-kvqswaxjz2

  • MD5

    a94e7603886d42a722de61f5e7723c83

  • SHA1

    669d36e2db6364d33574cf2deb6f89b8c2651de8

  • SHA256

    23221631689ac8b11113510a09f0687c28f17128a60eeef032f77537f4d85f1a

  • SHA512

    13331ba9740b95d8654319f7dc3e84b34a6ca96a0ec834454ace2dcf1138589153eff1352a61eadf6cb6d074bf143d3da4c688935b8fe8f8ab69fb13ace05cda

  • SSDEEP

    6144:g1Qv8rK3FQp4LGCr9a9n4FRm6RGMXKqCQFHgTe9eM486JQPDHDdx/Qtqa:9OkiCpat4FU6JXKqFZge9SPJQPDHvd

Malware Config

Targets

    • Target

      JaffaCakes118_a94e7603886d42a722de61f5e7723c83

    • Size

      704KB

    • MD5

      a94e7603886d42a722de61f5e7723c83

    • SHA1

      669d36e2db6364d33574cf2deb6f89b8c2651de8

    • SHA256

      23221631689ac8b11113510a09f0687c28f17128a60eeef032f77537f4d85f1a

    • SHA512

      13331ba9740b95d8654319f7dc3e84b34a6ca96a0ec834454ace2dcf1138589153eff1352a61eadf6cb6d074bf143d3da4c688935b8fe8f8ab69fb13ace05cda

    • SSDEEP

      6144:g1Qv8rK3FQp4LGCr9a9n4FRm6RGMXKqCQFHgTe9eM486JQPDHDdx/Qtqa:9OkiCpat4FU6JXKqFZge9SPJQPDHvd

    • Modifies WinLogon for persistence

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks