General

  • Target

    1ca7a86d670b20eff76f23edb47d95a4_JaffaCakes118

  • Size

    338KB

  • Sample

    240506-qf57xafg79

  • MD5

    1ca7a86d670b20eff76f23edb47d95a4

  • SHA1

    0a1cafcc14ef969d4766843c8e0d6b9b12745f9c

  • SHA256

    dfa9b0480ef434ec912d51ae47f0d6abd8647fd072c24989e3f3b293bc3af2f2

  • SHA512

    32821a63c0e2d82332daff2a347f4970d6cbcc5afe530c19faf38e40691718e7e5d7c3d85615462f111268c35d7d3f415e8e7ab3e58e37558a73ccac60ece65c

  • SSDEEP

    6144:BkxgrJ+ZdARvSJ4AwFoJOWavgRJR1aRXbVf42pjZSkwMVAJ07UHJGZUdK0mQ28fw:TJ+ZdswkvvYRkRJZp8fOAW7UHOU00D9o

Targets

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VirtualBox drivers on disk

    • ModiLoader Second Stage

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing.

    • Deletes itself

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15