General

  • Target

    JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc

  • Size

    712KB

  • Sample

    250419-b5drmazygz

  • MD5

    c0b20d90d346511b654c08a7a94a9dbc

  • SHA1

    556bbde3f4ee371edacccf0a064f5e7c52404d91

  • SHA256

    1218003efc6c2b220d924d207b0d83fd5d20f3a13102f4495c0ad1e86f5e5bbd

  • SHA512

    2e540f8e990699373507d7667637464fa1e21c3cbde63d42a8531e64983104371b521e208765dc24a50ea4d7d423ed4b334c2a5feece235ef8c123a0bd46e63f

  • SSDEEP

    6144:u1Qv8rK3FQp4LGCr9a9n4FRm6RGMXKqCQFHgTD86JQPDHDdx/Qtqa:7OkiCpat4FU6JXKqFZgDPJQPDHvd

Malware Config

Targets

    • Target

      JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc

    • Size

      712KB

    • MD5

      c0b20d90d346511b654c08a7a94a9dbc

    • SHA1

      556bbde3f4ee371edacccf0a064f5e7c52404d91

    • SHA256

      1218003efc6c2b220d924d207b0d83fd5d20f3a13102f4495c0ad1e86f5e5bbd

    • SHA512

      2e540f8e990699373507d7667637464fa1e21c3cbde63d42a8531e64983104371b521e208765dc24a50ea4d7d423ed4b334c2a5feece235ef8c123a0bd46e63f

    • SSDEEP

      6144:u1Qv8rK3FQp4LGCr9a9n4FRm6RGMXKqCQFHgTD86JQPDHDdx/Qtqa:7OkiCpat4FU6JXKqFZgDPJQPDHvd

    • Modifies WinLogon for persistence

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks