General

  • Target

    JaffaCakes118_09161388561f267e78d09035355a05d1

  • Size

    484KB

  • Sample

    250525-sthpwaytav

  • MD5

    09161388561f267e78d09035355a05d1

  • SHA1

    4e75ae189f4629dfa65c9ce63bc4ef1e49775854

  • SHA256

    fb359aa2d368bbe0575d062a3e5d6151269d3e3bdae8d7bdaa719210e74ba072

  • SHA512

    33e18092ff7f0457c6577f7e17fc9552164a4f3e69dfa850fac16997c62a5b031aa3030b6fe796202582e0d323e4935347dab9d9c4468e9071ff808a8854b7dd

  • SSDEEP

    12288:AAUW+AmvfNGrjkArEN249AyE/rbaMct4bO2/VifRb2o:8NrFE//Tct4bOsib2o

Targets

    • Target

      JaffaCakes118_09161388561f267e78d09035355a05d1

    • Size

      484KB

    • Detects Mofksys worm

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Mofksys

      Mofksys is a worm written in VisualBasic.

    • Mofksys family

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
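The four registry-based signatures above (WinLogon, Active Setup, Run key, Explorer hidden-file visibility) all reduce to "a value was written under a known persistence or visibility key". The following is an added example of that detection logic, not part of the sandbox report: it runs over constructed Sysmon Event ID 13 style lines (the GUID, file names and paths in them are hypothetical) and maps each hit to the ATT&CK sub-technique a practitioner would tag it with. A write that leaves Winlogon at its stock value is deliberately not reported.

```python
"""Flag registry writes to the persistence and Explorer-visibility keys named
in the report. Added example; the event lines below are constructed, not taken
from the sandbox run."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    technique: str   # MITRE ATT&CK sub-technique id
    label: str       # signature name as the report phrases it
    key: str
    value: str


# Registry locations behind each signature. Order matters: the Winlogon rule
# must run before the generic CurrentVersion\Run rule.
RULES = [
    (re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I),
     "T1547.004", "Modifies WinLogon for persistence"),
    (re.compile(r"\\Active Setup\\Installed Components\\[^\\]+\\StubPath$", re.I),
     "T1547.014", "Boot or Logon Autostart Execution: Active Setup"),
    (re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.I),
     "T1547.001", "Adds Run key to start application"),
    (re.compile(r"\\Explorer\\Advanced\\(Hidden|ShowSuperHidden|HideFileExt)$", re.I),
     "T1564.001", "Modifies visibility of hidden/system files in Explorer"),
]

# Stock Winlogon values: rewriting them unchanged is noise, not persistence.
WINLOGON_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": r"C:\Windows\system32\userinit.exe,",
}

# Sysmon-like "TargetObject: <key> | Details: <value>" lines.
EVENT_RE = re.compile(r"TargetObject:\s*(?P<key>[^|]+?)\s*\|\s*Details:\s*(?P<value>.*)$")

# Constructed log lines; the GUID, file names and paths are hypothetical.
SAMPLE_EVENTS = [
    r"TargetObject: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell | Details: explorer.exe, C:\Windows\system32\drivers\sample.exe",
    r"TargetObject: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit | Details: C:\Windows\system32\userinit.exe,",
    r"TargetObject: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}\StubPath | Details: C:\Windows\system32\drivers\sample.exe",
    r"TargetObject: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update | Details: C:\Users\user\AppData\Roaming\update.exe",
    r"TargetObject: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden | Details: DWORD (0x00000002)",
    r"TargetObject: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\TaskbarGlomLevel | Details: DWORD (0x00000000)",
]


def parse_event(line):
    """Return (key, value) for a recognised event line, else None."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return m.group("key").strip(), m.group("value").strip()


def is_stock_winlogon(key, value):
    """True when a Winlogon Shell/Userinit write only restates the default."""
    name = key.rsplit("\\", 1)[-1].lower()
    default = WINLOGON_DEFAULTS.get(name)
    return default is not None and value.strip().lower() == default.lower()


def check_event(key, value):
    """Match one registry write against RULES; None if it is not interesting."""
    for rx, technique, label in RULES:
        if rx.search(key):
            if technique == "T1547.004" and is_stock_winlogon(key, value):
                return None
            return Hit(technique, label, key, value)
    return None


def scan(lines):
    """Run every line through the parser and rules; return the hits in order."""
    hits = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is not None:
            hit = check_event(*parsed)
            if hit is not None:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"{h.technique}  {h.label}: {h.key} = {h.value}")
```

The Explorer rule fires on any write to Hidden/ShowSuperHidden/HideFileExt; in production you would also compare the value (Hidden set to 2 hides files, ShowSuperHidden set to 0 hides protected OS files) to cut noise from users toggling the setting themselves.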
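The "UPX packed file" and "AutoIT Executable" signatures are static checks on the PE image itself. The following is an added example of how a triage script reproduces both, not code from the report or from the sandbox: it parses the section table for UPX section names, looks for the "UPX!" header magic that the packer writes into the file, and looks for the "AU3!EA06" marker that compiled AutoIt3 scripts carry. The PE image it scans is built in-memory by build_pe(), a constructed minimal header rather than the analysed sample. Note the ordering caveat: when a file is UPX-packed, the AutoIt marker sits inside the compressed section, so run upx -d (or dump the unpacked image from memory) before expecting the second check to fire.

```python
"""Static triage for the UPX and AutoIt signatures. Added example; the PE
image is constructed by build_pe(), not the analysed sample."""
import struct

UPX_MAGIC = b"UPX!"      # packer header magic written by UPX
AU3_MAGIC = b"AU3!EA06"  # marker at the start of a compiled AutoIt3 script resource


def build_pe(section_names, payload=b""):
    """Build a minimal PE32 image: DOS stub, PE signature, COFF header, zeroed
    optional header and one 40-byte section header per name. Any payload is
    appended after the headers, standing in for section data or an overlay."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 224  # size of a PE32 optional header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (size_opt - 2)
    sections = b"".join(
        name.encode("ascii").ljust(8, b"\x00") + b"\x00" * 32 for name in section_names
    )
    return dos + b"PE\x00\x00" + coff + opt + sections + payload


def section_names(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff_off + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff_off + 16)[0]
    table = coff_off + 20 + size_opt
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def triage(data):
    """Return (section names, list of signature labels that matched)."""
    names = section_names(data)
    findings = []
    if any(n.upper().startswith("UPX") for n in names) or UPX_MAGIC in data:
        findings.append("UPX packed file")
    # Only visible on an unpacked image; a UPX-packed AutoIt binary hides it.
    if AU3_MAGIC in data:
        findings.append("AutoIT Executable")
    return names, findings


if __name__ == "__main__":
    packed = build_pe(["UPX0", "UPX1", ".rsrc"])
    unpacked = build_pe([".text", ".rdata", ".rsrc"], payload=b"\x00" * 16 + AU3_MAGIC)
    for img in (packed, unpacked):
        names, findings = triage(img)
        print(names, findings)
```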

MITRE ATT&CK Enterprise v16