General

  • Target

    JaffaCakes118_0d59b0751893881198ff41def10ab090

  • Size

    154KB

  • Sample

    250604-kalnesgn7z

  • MD5

    0d59b0751893881198ff41def10ab090

  • SHA1

    e8ed8492fdc890b136a7044e6c1b0628736fbb50

  • SHA256

    cecc437b13882744cfc1a31945ee3c1875c4978357e70faae3ab943512eea1a1

  • SHA512

    1b57b3b942777cc1b78c21d09d142c4ac7c4e0a43fb8b17cb8a4445abf6048aff9b71cf54413ccc814d7f1c99e6444675151ea83883d607d2f0f808167a04553

  • SSDEEP

    3072:pz7gJv8sqT6MM6MMMMMMMMM2kD+ipe9yB8vbk9T7QM65aqHVHN148jd3Aa0k4Pov:pz7aYNyBYA1Y148jd3Aa1X2dc53n

Malware Config

Targets

    • Andromeda family

    • Andromeda, Gamarue

      Andromeda, also known as Gamarue, is a modular botnet malware written in C++ and primarily used to distribute other malware families.

    • Detects Andromeda payload.

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16

Tasks