General
-
Target
windows-malware-master.zip
-
Size
138.1MB
-
Sample
240629-f44nwasalf
-
MD5
efc7175879aa8c0afd105a92ac6d3588
-
SHA1
420aceb7ab487580f21a22af74283bb3dafcb5c1
-
SHA256
5b1bcbd8ac2497503833493c6566df7417202975968edd0825ca77aefc9b26fb
-
SHA512
77138a1cf3d33d35443ca4e44bd13ee39d276e91066a424ba3f751cce6a32f2a2441ffeb6020de722de0c4aeda4a9ae20d32726c5a5200b27a50daa286f22399
-
SSDEEP
3145728:R8G0gRhWV8Rf/5uS3P5OWgtS1YlR3KzZdfaGC19plC2gAcwDz:R8AhWyRHl3PsWbKlB4fiGC1D7cyz
Malware Config
Targets
-
-
Target
windows-malware-master/000/000.exe
-
Size
6.7MB
-
MD5
d5671758956b39e048680b6a8275e96a
-
SHA1
33c341130bf9c93311001a6284692c86fec200ef
-
SHA256
4a900b344ef765a66f98cf39ac06273d565ca0f5d19f7ea4ca183786155d4a47
-
SHA512
972e89ed8b7b4d75df0a05c53e71fb5c29edaa173d7289656676b9d2a1ed439be1687beddc6fb1fbf068868c3da9c3d2deb03b55e5ab5e7968858b5efc49fbe7
-
SSDEEP
3072:V3LA1++iCeFj0im6X/AXpT8vVMCcHVcdhghUuzzo9Y:lLJlC6j0CX4XmvWHVcd62uo9
Score8/10-
Disables Task Manager via registry modification
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon
-
Sets desktop wallpaper using registry
-
-
-
Target
windows-malware-master/Bonzify/Bonzify.exe
-
Size
6.4MB
-
MD5
fba93d8d029e85e0cde3759b7903cee2
-
SHA1
525b1aa549188f4565c75ab69e51f927204ca384
-
SHA256
66f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764
-
SHA512
7c1441b2e804e925eb5a03e97db620117d3ad4f6981dc020e4e7df4bfc4bd6e414fa3b0ce764481a2cef07eebb2baa87407355bfbe88fab96397d82bd441e6a2
-
SSDEEP
196608:adAMaWetTeAkLIdx751qFTkub//73lc6u7b5VJ2Yx5xIdk3:OaWedh+Idx75QYub//73lc6u7bLMYxD
Score8/10-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Event Triggered Execution: AppInit DLLs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Possible privilege escalation attempt
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
-
-
Target
windows-malware-master/BossDaMajor/BossDaMajor.exe
-
Size
1.9MB
-
MD5
38ff71c1dee2a9add67f1edb1a30ff8c
-
SHA1
10f0defd98d4e5096fbeb321b28d6559e44d66db
-
SHA256
730a41a7656f606a22e9f0d68782612d6e00ab8cfe1260160b9e0b00bc2e442a
-
SHA512
8347782951f2647fe433482cb13186653afa32ee9f5be83a138c4ed47ff34d8de66a26e74b5a28ea21c1529b2078401922a9a26803772677b70489967c10f3e9
-
SSDEEP
49152:veG3J7FtM9SbJakTiTBMGSARaspyyx979PSxgKFdGlYU:2GZxSoJrTiTBMGtRa8t7EFddU
Score10/10-
Modifies WinLogon for persistence
-
UAC bypass
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Modifies system executable filetype association
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
windows-malware-master/ILOVEYOU/LOVE-LETTER-FOR-YOU.TXT.vbs
-
Size
14KB
-
MD5
48ac397b96a30da6d67ffcf5b555e69c
-
SHA1
6b509435d7ab375d40231081417a340910da513c
-
SHA256
b6dc96d48ee73fda299a8f8dac2335ed4bf710f5166ce093aa8734256a205569
-
SHA512
4dd6ca7a18b7dceac16a8cec892f658a2389efe3b6a936ac9bf26f20a99a7a65d76dec1a412988e9a5be59276a7f7c0bca08583a474c8a9609799a4bab4ed5f2
-
SSDEEP
384:U8kvaf1TYIe6lrsRjcOe/qEVqyK6hNj68BYqhYRLyfwjNOVjVA:U8f18Ie2rsmj68uYji5
Score1/10 -
-
-
Target
windows-malware-master/MEMZ/geometry dash auto speedhack.exe
-
Size
14KB
-
MD5
19dbec50735b5f2a72d4199c4e184960
-
SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822
-
SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
-
SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
-
SSDEEP
192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
-
-
Target
windows-malware-master/MrsMajor 2.0/MrsMajor2.0.exe
-
Size
25.6MB
-
MD5
247a35851fdee53a1696715d67bd0905
-
SHA1
d2e86020e1d48e527e81e550f06c651328bd58a4
-
SHA256
5dd4ea169cabf9226f54bb53e63ea6a1b5880a0d1222242aee378efb6255b57d
-
SHA512
a173801aaef4fab608d99b52223b5b2400d69b91edcbf33c21fcb47bd832eef9d771dfd36da350a502a371ed1739c869a7c2b4dca456c93f2feed9ac9c647c7c
-
SSDEEP
786432:7VQ4fX8siQIZwastE9oGH5UcnaAVBmn163+L2:7ywXwdwRQo2O1L2
Score10/10-
Modifies WinLogon for persistence
-
UAC bypass
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Possible privilege escalation attempt
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Modifies file permissions
-
Modifies system executable filetype association
-
Adds Run key to start application
-
Drops file in System32 directory
-
-
-
Target
windows-malware-master/WinXP Horror Edition/WinXP.Horror.Destructive (Created By WobbyChip).exe
-
Size
57.9MB
-
MD5
063ea883f8c67d3bb22e0a465136ca4c
-
SHA1
3a168a9153ee32b86d9a5411b0af13846c55ee1d
-
SHA256
3b64ce283febf3207dd20c99fc53de65b07044231eb544c4c41de374a2571c5c
-
SHA512
2dd6be23a5af8c458b94eeb5a4e83fc8cacb3fd2c2566b5682eee286c01726dca90db3d9b4e218eeded9b0c9bce8ba3c9ca9cc497e3a57aab580633a038e4b74
-
SSDEEP
1572864:aj6L5PLk/mBCSyKOYl39GFoFEujFMm+B997DaNHN1oS72fnD9hRzZ01tO0DpvrvI:i6cSzV9GCFEujFMm+B997DaNHN1oS72X
Score10/10-
Modifies WinLogon for persistence
-
UAC bypass
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Checks whether UAC is enabled
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
7Registry Run Keys / Startup Folder
2Winlogon Helper DLL
4Active Setup
1Event Triggered Execution
3Change Default File Association
2AppInit DLLs
1Pre-OS Boot
2Bootkit
2Privilege Escalation
Boot or Logon Autostart Execution
7Registry Run Keys / Startup Folder
2Winlogon Helper DLL
4Active Setup
1Event Triggered Execution
3Change Default File Association
2AppInit DLLs
1Abuse Elevation Control Mechanism
3Bypass User Account Control
3Access Token Manipulation
1Create Process with Token
1Defense Evasion
Modify Registry
18File and Directory Permissions Modification
2Abuse Elevation Control Mechanism
3Bypass User Account Control
3Impair Defenses
3Disable or Modify Tools
3Access Token Manipulation
1Create Process with Token
1Pre-OS Boot
2Bootkit
2