General

  • Target

    JaffaCakes118_c7ccedb70155d9567bc63477af344089

  • Size

    716KB

  • Sample

    250421-fat8castay

  • MD5

    c7ccedb70155d9567bc63477af344089

  • SHA1

    3bd2817183d21eda6ef4c5974c763395a981f500

  • SHA256

    9b3e40cd1dcd17e8ae2b31e6aa5b0d6f10ed4bc800ad7c72ded563069a68da6c

  • SHA512

    e65e432692b9dff71d9640501320ae1e626a21a0c947450fa8d792cfd7168e32dd73e56fb82e6e72ad7ae1d93a1a0fc68983f67547d3919bde013cd495f279d0

  • SSDEEP

    12288:2XgvmzFHi0mo5aH0qMzd5807FDPJQPDHvd:2XgvOHi0mGaH0qSdPFF4V

Malware Config

Targets

    • Modifies WinLogon for persistence

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks