facc6089e5bdd7363863e9d7426ad6de5fd94295affce870e065cd5a206ac76a | Triage

Sharing

General

Target

JaffaCakes118_01a93ef53355330ab4105c860f9f76a8
Size

4.8MB
Sample

250511-gba2jaxlv5
MD5

01a93ef53355330ab4105c860f9f76a8
SHA1

b1e1369278ff88958edfde04a31e729a12772118
SHA256

facc6089e5bdd7363863e9d7426ad6de5fd94295affce870e065cd5a206ac76a
SHA512

6d5e2a6c68cf838655eed700f05d639d1c0a316ce738ef82351675aec594fd2368fb2357797bee63b2162e8fed25d85c32d29c00c88c84e9bdcc2c15b3fbe4f7
SSDEEP

98304:YWrSa24w3rQ/pE/JFBCnpcYiKAEXXPnsNSkUe:Ty4wesJFqpc8dXfUSe

Score

9^/10

bootkit defense_evasion discovery persistence spyware stealer trojan

Malware Config

Targets

- Target
  
  JaffaCakes118_01a93ef53355330ab4105c860f9f76a8
- Size
  
  4.8MB
- MD5
  
  01a93ef53355330ab4105c860f9f76a8
- SHA1
  
  b1e1369278ff88958edfde04a31e729a12772118
- SHA256
  
  facc6089e5bdd7363863e9d7426ad6de5fd94295affce870e065cd5a206ac76a
- SHA512
  
  6d5e2a6c68cf838655eed700f05d639d1c0a316ce738ef82351675aec594fd2368fb2357797bee63b2162e8fed25d85c32d29c00c88c84e9bdcc2c15b3fbe4f7
- SSDEEP
  
  98304:YWrSa24w3rQ/pE/JFBCnpcYiKAEXXPnsNSkUe:Ty4wesJFqpc8dXfUSe
Score

9^/10

bootkit defense_evasion discovery persistence spyware stealer trojan
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks whether UAC is enabled
  defense_evasion trojan
- Drops Chrome extension
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Subvert Trust Controls

Install Root Certificate

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bootkitdefense_evasiondiscoverypersistencespywarestealertrojan

behavioral2

bootkitdefense_evasiondiscoverypersistencespywarestealertrojan

	
		OSZAR »