General
-
Target
JaffaCakes118_1c22f5ae7487a55824b42e98b7eb7e6a
-
Size
6.3MB
-
Sample
250704-nnfk4s11ft
-
MD5
1c22f5ae7487a55824b42e98b7eb7e6a
-
SHA1
aa477c52ba0b8f4ecc1d831ad86aa7b3153bb6ac
-
SHA256
aebd263f2c619f822024952554aace5a85b2db620e567d5c6065db62683e3c22
-
SHA512
36e6f9a1d095f90c91ec9576461b29f19f08097ca04fc3ec0a4ba0ec20fc2154d1a51739de12bbb683c75f32f5b5e2326fc4af8cd89a753efc59727d770704b8
-
SSDEEP
98304:op//ZDTtPb1XhJK30BFsyLZNQuWw3h7ujenOMgdeZAfBbjDmUpEUA/lL/lku21rm:oZZDTtzFKQFW+h7p7GB/JpEF+B1CXO8
Static task
static1
Behavioral task
behavioral1
Sample
43069e5aa6eb22a19b4384a4c365f66a795358897b7c6d150cdefb809bb2ba7f.exe
Resource
win10v2004-20250610-en
Behavioral task
behavioral2
Sample
43069e5aa6eb22a19b4384a4c365f66a795358897b7c6d150cdefb809bb2ba7f.exe
Resource
win11-20250619-en
Malware Config
Targets
-
-
Target
43069e5aa6eb22a19b4384a4c365f66a795358897b7c6d150cdefb809bb2ba7f
-
Size
6.4MB
-
MD5
f8955d98605d27a397492f0cedbb55f3
-
SHA1
058c7a9ace05fbd7d8105033c675bdfa90a9c379
-
SHA256
43069e5aa6eb22a19b4384a4c365f66a795358897b7c6d150cdefb809bb2ba7f
-
SHA512
5664b483d65aabad7b09547a90ed2de8758038d1e048e729e6025604bf795995e521aca4474a4a18d6d6c5d94a34e46f4f3bfc809c18f1ed747592f86b2149d3
-
SSDEEP
196608:KU6bOAsZT20DipRVsEd59R05ToiGdF13ms4HXh+73KS1v:/AzRxj0t/GdF13m7HXYVv
-
Detect Fabookie payload
-
Fabookie family
-
Ffdroider family
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Drops Chrome extension
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1