General

  • Target: 1c19a0df5abe6a6b978e23c32c7b5a54_JaffaCakes118
  • Size: 8.3MB
  • Sample: 240701-xdtvesxcmq
  • MD5: 1c19a0df5abe6a6b978e23c32c7b5a54
  • SHA1: 9e6ca5b853f5f6771939bdf7b3d4493c0ae2a8f4
  • SHA256: 31307fd48576c3d1a61fbc70e6f7a63d39d903dea4b1a8d47089ad15ce3632a6
  • SHA512: d92cfac8410f9d0d69989b9806c653758cc52ab83c6c0649533319c46e794cdcec024bcc73e6c72bc62ded3fe8b33434b8235c783d2e34aebe0541895a427b31
  • SSDEEP: 196608:i4XXRWPLSYA9QL0ev7+fuM+lA8oHpD8l3QNE/aNd:i40G1QL08+GvlA8o2l3p/Md

Malware Config

Targets

    • Target: Bypass-Tools/CGWebInstall2.exe
    • Size: 730KB
    • MD5: bd11d302a86fa12e2032621554326bd0
    • SHA1: be4a4d74b3b5316e46ef6d813031ca99c2c12b49
    • SHA256: 9894d651b7700ffd0992c0a310cfb867b84d32d644574f6571ea540d189a088d
    • SHA512: 59c0243cf2577c13ea3467e6e421a3f174c6f16623d125f69a608ad7d54977e57b471b31cbe7a79ba5c13f0296064bc172a9da41fe9379f977112fcc219cd400
    • SSDEEP: 12288:ONYr78QV1q6XEHjxa84YQ65FQLcCxB2FgUBVDZbU4xC78P:O64blYEQwuKBVDZgr78P
    • Score: 7/10

    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads data files stored by FTP clients
      Tries to access configuration files associated with programs like FileZilla.
    • Reads local data of messenger clients
      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
    • UPX packed file
      Detects executables packed with UPX or a modified build of the UPX open-source packer.

    • Target: Bypass-Tools/GPass-4.1.02.exe
    • Size: 1.5MB
    • MD5: 7278e678da87ef182749106b2eae69f6
    • SHA1: e3512c10ab9d63733e01d21b613c28d387481718
    • SHA256: b237d98792921adb8638c37b0c688d96851f5e686edab3e83070985d47fc3b32
    • SHA512: 2464772d7778af02051d480007c9dc23bd065ac99ba9e2c732546376d9ac2a8c850f6faf226165bb0719a768bf27e114796f303a7c260cb97cfd8675dcf2c7cf
    • SSDEEP: 24576:7WktzDLe1+JviXVLCxbvKMcszr6vW2e+wL7V4bZgtWi6hmPftRUNYuEmB5:ltzG+UXVLCxbvKMcT0/LAZgtWint6NAo
    • Score: 3/10

    • Target: Bypass-Tools/U952.exe
    • Size: 481KB
    • MD5: bb621c35f2bccc16874fdbeb4bb3fe91
    • SHA1: d68138e1183320e08baa42c7e7b9f57ea868cb3d
    • SHA256: cbc3ba3c40a9c28ac01792fbf06256176bdfbcd9bcc11963d3bc44528924a4a3
    • SHA512: 9c0a5a77a9a2d001cc94e94b710e14a88f60f34f940a21e30655703133cf187111243a75f8e315445b20ef23a1d2a8cffde70c6b7638b7fe488c6426093d2a99
    • SSDEEP: 12288:+YSoGZKu26s2vEZZH+MJyVg5Qy5sZ0kVd3dffu:R3GZKu2N2vEZZH+MUVqjyZFNfu

    • Executes dropped EXE
    • Loads dropped DLL
    • Reads data files stored by FTP clients
      Tries to access configuration files associated with programs like FileZilla.
    • Reads local data of messenger clients
      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
    • Unexpected DNS network traffic destination
      Network traffic on the DNS port to servers other than the configured DNS servers was detected.
    • VMProtect packed file
      Detects executables packed with the VMProtect commercial packer.
    • Writes to the Master Boot Record (MBR)
      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target: Bypass-Tools/fg679p2.exe
    • Size: 498KB
    • MD5: 6a606cbdb8860ff486656e6b8ce786d4
    • SHA1: 8513e29b1844c086d3fa3ae3d1d2169f5378a96a
    • SHA256: cb0d4788d6382a032c50c503fef59e8625affc65ec7aef0cdd4bf89221d57f38
    • SHA512: 0badea06710b5413e8ad5f8dcc6dcb5785bed5428977de6d42a56a9729fd26b2b61f0f2ea5c049a0d0c9213560954fe669c35b9760a16466edc9ad0a83b597b2
    • SSDEEP: 12288:mqAYK1RQmJc+1yedZOSQOs7YNCS+nGxcz2+aQTJw/XfPJI:xzmRQmJPyei/Sx+PTuB
    • Score: 3/10

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • Pre-OS Boot (T1542): 1
  • Bootkit (T1542.003): 1

Defense Evasion
  • Pre-OS Boot (T1542): 1
  • Bootkit (T1542.003): 1

Credential Access
  • Unsecured Credentials (T1552): 4
  • Credentials In Files (T1552.001): 4

Discovery
  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 3

Collection
  • Data from Local System (T1005): 4

Tasks