General

  • Target

    16e3029222864030e68ddeca0687882d_JaffaCakes118

  • Size

    549KB

  • Sample

    240505-kpwryafh95

  • MD5

    16e3029222864030e68ddeca0687882d

  • SHA1

    f42c97e4054763a8520aaa7318596d5955251294

  • SHA256

    e2862099ecb4e6a3e51f07e1d1811cf8dd4903c33f9bd3be86587fb52ba01766

  • SHA512

    be22223452269ef0d4228146c4df7d7d4f285294c2af927359c7f2e8164629c69ee15fef77bed2f143f6d521bc64d72b9f3abe9c83911c1c6c2807086cfd08ca

  • SSDEEP

    12288:/ZTDd4t/u28bEFGWtdOKbBEP68A2TiiIk1c9La:/H4Vu4xL2Pa2mZk1Wa

Malware Config

Targets

    • Target

      16e3029222864030e68ddeca0687882d_JaffaCakes118

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Looks for VirtualBox Guest Additions in registry

    • ModiLoader Second Stage

    • Adds policy Run key to start application

      Writes a value under the Policies\Explorer\Run key, an autostart location that Windows processes at logon in the same way as the ordinary Run key but that is checked less often than Run itself.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.
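The behaviours above fall into two groups: registry reads used to fingerprint an analysis environment (VirtualBox Guest Additions, VMware Tools, BIOS strings, the disk enumeration key, installed sniffers) and registry writes used for persistence (Run and Policies\Explorer\Run). The Python below is an added example, not code from Triage or from the sample, of the detection logic an analyst could run over registry events pulled from Sysmon (Event ID 12/13) or a procmon export. The minimal event shape, the Wireshark/Fiddler uninstall-key names and the verdict thresholds are assumptions; the sample events are constructed for the example, not taken from this sample's trace.

```python
"""Classify registry events against the evasion and persistence behaviours
listed in the report above.  Added example; not Triage's or the sample's code.
Event shape (op, key, value) is an assumption, as are the tool uninstall-key
names and the verdict thresholds.  Sample events below are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RegEvent:
    op: str          # "query" (read) or "set" (write)
    key: str         # key path in any hive spelling; may include the value name
    value: str = ""  # value name when the source keeps it separate


# (tag, operation that matters, regex over the normalised key path)
RULES = [
    ("persistence.run_key", "set",
     r"^(hklm|hkcu|hku\\[^\\]+)\\software\\(wow6432node\\)?microsoft\\windows"
     r"\\currentversion\\run(once)?(\\|$)"),
    ("persistence.policy_run_key", "set",
     r"^(hklm|hkcu|hku\\[^\\]+)\\software\\(wow6432node\\)?microsoft\\windows"
     r"\\currentversion\\policies\\explorer\\run(\\|$)"),
    ("evasion.virtualbox_guest_additions", "query",
     r"^hklm\\software\\(wow6432node\\)?oracle\\virtualbox guest additions(\\|$)"),
    ("evasion.vmware_tools", "query",
     r"^hklm\\software\\(wow6432node\\)?vmware, inc\.\\vmware tools(\\|$)"),
    ("evasion.bios_info", "query",
     r"^hklm\\hardware\\description\\system(\\bios)?(\\|$)"),
    ("evasion.disk_enum", "query",
     r"^hklm\\system\\(currentcontrolset|controlset\d{3})\\services\\disk\\enum(\\|$)"),
    # Assumption: sniffers are found via their uninstall entries.
    ("evasion.analysis_tools", "query",
     r"\\currentversion\\uninstall\\[^\\]*(wireshark|fiddler)"),
]
COMPILED = [(tag, op, re.compile(rx)) for tag, op, rx in RULES]

HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu", "hkey_users": "hku"}


def normalise(key: str) -> str:
    """Lower-case, shorten long hive names and fix slashes so one regex
    matches procmon-style and Sysmon-style paths alike."""
    k = key.strip().replace("/", "\\").lower()
    for long, short in HIVES.items():
        if k.startswith(long):
            k = short + k[len(long):]
            break
    return k.rstrip("\\")


def classify(ev: RegEvent) -> Optional[str]:
    """Return the first matching rule tag, or None for an uninteresting event."""
    k = normalise(ev.key)
    for tag, op, rx in COMPILED:
        if ev.op == op and rx.search(k):
            return tag
    return None


def triage(events: List[RegEvent]) -> Dict[str, List[RegEvent]]:
    hits: Dict[str, List[RegEvent]] = defaultdict(list)
    for ev in events:
        tag = classify(ev)
        if tag:
            hits[tag].append(ev)
    return dict(hits)


def verdict(hits: Dict[str, List[RegEvent]]) -> str:
    """One anti-VM read is weak evidence (plenty of legitimate software reads
    BIOS strings); the combination of several checks with a persistence write
    is what makes the report above notable.  Thresholds are assumptions."""
    evasion = sum(1 for t in hits if t.startswith("evasion."))
    persistence = sum(1 for t in hits if t.startswith("persistence."))
    if persistence and evasion >= 2:
        return "likely-malicious"
    if persistence or evasion >= 2:
        return "suspicious"
    return "benign"


# Constructed sample events mirroring the report's signatures plus one benign read.
SAMPLE_EVENTS = [
    RegEvent("query", r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"),
    RegEvent("query", r"HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools"),
    RegEvent("query", r"HKLM\HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    RegEvent("query", r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum", "0"),
    RegEvent("query", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark"),
    RegEvent("set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Update"),
    RegEvent("set", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "Update"),
    RegEvent("query", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion", "ProductName"),
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for tag, evs in sorted(found.items()):
        print(f"{tag}: {len(evs)} event(s)")
    print("verdict:", verdict(found))
```

The rules key on operation as well as path: a read of Policies\Explorer\Run is ordinary Explorer behaviour and is ignored, only a write there is flagged. Substring matching on "Wireshark"/"Fiddler" under Uninstall is deliberately loose because vendors change the exact key names between releases.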

MITRE ATT&CK Enterprise v15

Tasks