General
Target: 054ff1c6796d7013695f09608bbc51c7_JaffaCakes118
Size: 261KB
Sample: 240428-qy11xahd31
MD5: 054ff1c6796d7013695f09608bbc51c7
SHA1: a6e1dac9da1f8f250fdcb5d41e45c7901c85f8ec
SHA256: 95b678b905f6f05d0c72819161eabc20e494d0b9383b58f0bf872434e6401680
SHA512: ffa8b2ead8edbe23c7ab2ec0acbf10a52747b5ff55131bfda524f094f3f9f6659027bafd5d442852faad3dff93e8c85e2d1c5f264ff2d4972fe0f42616e2cdfa
SSDEEP: 6144:lF/ezrXgL+Y7p3fxYduoJQH5nmn14mUdMpWlAc9DFpGa3RbI:P/grQ579fxYRJQZnY4vJLvMQM
Static task: static1
Behavioral task: behavioral1
  Sample: 054ff1c6796d7013695f09608bbc51c7_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 054ff1c6796d7013695f09608bbc51c7_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
Malware Config
Targets
Score: 10/10
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler, commonly used to analyze network activity.
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- ModiLoader Second Stage
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)