General

  • Target

    JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93

  • Size

    720KB

  • Sample

    250411-jrbzwattat

  • MD5

    ad7f50f41c1d9410542b2565277c0c93

  • SHA1

    ec5e1fcb09fe8530b250ae286d757355ad4215a7

  • SHA256

    2304b24975f5e9e4a21cd2b8af9e026f5a815eb10034e155d666ae34907b0543

  • SHA512

    795049925a8c6ab53f384c3c888e41f97b6044ad6a132e52b02e60281bb354da0fa9f04d8f74219d7bd8223645f93c4d9b0af9cdf9c8699bb4bbc5597036d9b6

  • SSDEEP

    12288:VXgvmzFHi0mo5aH0qMzd5807FULPJQPDHvd:VXgvOHi0mGaH0qSdPFUt4V

Malware Config

Targets

    • Target

      JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93

    • Size

      720KB

    • MD5

      ad7f50f41c1d9410542b2565277c0c93

    • SHA1

      ec5e1fcb09fe8530b250ae286d757355ad4215a7

    • SHA256

      2304b24975f5e9e4a21cd2b8af9e026f5a815eb10034e155d666ae34907b0543

    • SHA512

      795049925a8c6ab53f384c3c888e41f97b6044ad6a132e52b02e60281bb354da0fa9f04d8f74219d7bd8223645f93c4d9b0af9cdf9c8699bb4bbc5597036d9b6

    • SSDEEP

      12288:VXgvmzFHi0mo5aH0qMzd5807FULPJQPDHvd:VXgvOHi0mGaH0qSdPFUt4V

    • Modifies WinLogon for persistence

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks