General

  • Target

    JaffaCakes118_0da162cf005b9d94e5f1b45cc7c3a660

  • Size

    284KB

  • Sample

    250604-rzjzfszkx2

  • MD5

    0da162cf005b9d94e5f1b45cc7c3a660

  • SHA1

    930fe5bdb6fa6db6306d2393061987ccc29c4bb5

  • SHA256

    5657a05b712dc8159c71f984037b7c791260fed32e970fc4fe7f4c62b564c0fa

  • SHA512

    d85868293b6d03deaf9f166e660e510088e2d0c5591d5df210b463a1ee3cc71ffc1d1daede6e940804259cfc2b0f2cc901db3149b0bcabceaebaf44f45441897

  • SSDEEP

    3072:mSQ0EWVwZhKxC5Rt+k60Zh+qw6PYSsszfHZTZJ2lC:mPA6wxmuJspr2l

Malware Config

Targets

    • Andromeda family

    • Andromeda, Gamarue

      Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware; it is written in C++.

    • Detects Andromeda payload.

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the UPX or modified UPX open-source packer.

MITRE ATT&CK Enterprise v16

Tasks