General

  • Target

    JaffaCakes118_e723249fe277b529530ce21af301cbce

  • Size

    728KB

  • Sample

    250503-1s3mna1ths

  • MD5

    e723249fe277b529530ce21af301cbce

  • SHA1

    79ad1d6dbdede13736518704627976c5f35763df

  • SHA256

    28b0ceb234dc2a7653c30cbed3fa8fc8a621374a5acc95ca2336a095ce3ec430

  • SHA512

    bbb0aaf0742a666c9e8f7c917ecc7131c4acea08e749ac3757c1a81dc476909e576f03408646e1e4d237429c22d9b47d79ea5a3365eeb42acf9ee13122e80699

  • SSDEEP

    6144:n3ue8ySm8hQAAIfFrRXuEE+0l97mKwKRqHVm86JQPDHDdx/Qtqa:V/zkFF+EExZmKbRuVmPJQPDHvd

Targets

    • Target

      JaffaCakes118_e723249fe277b529530ce21af301cbce

    • Modifies WinLogon for persistence

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing (the sample can refuse to run in selected regions).

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory
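The signatures above describe what the sandbox observed, not where to look on a host. The script below is an added example, not part of the sandbox report, that checks an affected Windows machine for the persistence and defense-impairment artifacts each signature implies. The registry keys, value names and the System32 heuristic are the standard locations for these techniques and are assumptions; the report does not state which exact keys or files this sample modified, so treat every hit as something to review rather than as confirmed infection.

```powershell
# Added triage example: checks the standard locations for the techniques flagged
# in the report. Run from an elevated PowerShell prompt on the suspect host.
# All paths below are assumptions based on the technique names, not on the report.

function Get-TriageFindings {
    param([int]$RecentHours = 24)   # window for "recently dropped" files in System32

    $findings = New-Object System.Collections.Generic.List[string]

    # Helper: flag a registry value when $IsSuspicious returns $true for it.
    function Test-RegValue {
        param([string]$Path, [string]$Name, [scriptblock]$IsSuspicious, [string]$Tag)
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and (& $IsSuspicious $item.$Name)) {
            $findings.Add("[$Tag] $Path\$Name = $($item.$Name)")
        }
    }

    # Modifies WinLogon for persistence: Userinit should be only userinit.exe and
    # Shell should be only explorer.exe; anything appended is a persistence hook.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Test-RegValue $winlogon 'Userinit' { param($v) $v -notmatch '^[A-Za-z]:\\Windows\\system32\\userinit\.exe,?$' } 'Winlogon Userinit'
    Test-RegValue $winlogon 'Shell'    { param($v) $v -ne 'explorer.exe' } 'Winlogon Shell'

    # Adds policy Run key / Adds Run key: list every entry for review.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            $findings.Add("[Run key] $key\$($p.Name) = $($p.Value)")
        }
    }

    # Disables RegEdit: DisableRegistryTools set to a non-zero value under Policies\System.
    foreach ($hive in 'HKLM','HKCU') {
        $policySys = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
        Test-RegValue $policySys 'DisableRegistryTools' { param($v) $v -ne 0 } 'RegEdit disabled'
    }

    # UAC checks: EnableLUA = 0 turns UAC off; ConsentPromptBehaviorUser = 0 denies
    # elevation to standard users, which is what the UAC signature above describes.
    $uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Test-RegValue $uac 'EnableLUA'                 { param($v) $v -eq 0 } 'UAC disabled'
    Test-RegValue $uac 'ConsentPromptBehaviorUser' { param($v) $v -eq 0 } 'UAC elevation denied for standard users'

    # Impair Defenses: Safe Mode Boot. A "safeboot" entry in the current boot
    # configuration forces the next boot into Safe Mode, where most AV does not load.
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    if ($bcd -match 'safeboot') { $findings.Add('[SafeBoot] bcdedit {current} contains a safeboot setting') }

    # Drops file in System32 directory / Executes dropped EXE: recently written
    # executables in System32 that carry no valid Authenticode signature.
    $cutoff = (Get-Date).AddHours(-$RecentHours)
    Get-ChildItem -Path "$env:SystemRoot\System32" -Include *.exe,*.dll -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                $findings.Add("[System32 drop] $($_.FullName) written $($_.LastWriteTime) signature=$($sig.Status)")
            }
        }

    return $findings
}

Get-TriageFindings | ForEach-Object { Write-Output $_ }
```

The Run-key loop deliberately reports every entry rather than trying to decide which are malicious: on a real host the analyst compares the list against the hashes in the General section above and against the vendor's known-good autoruns. The external IP lookup signature leaves no registry trace and is best confirmed from proxy or DNS logs for the lookup service's domain.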

MITRE ATT&CK Enterprise v16