General

  • Target

    1f4493c6c315bbc9277f1ad5e1e1953d_JaffaCakes118

  • Size

    320KB

  • Sample

    240507-dstnesaf65

  • MD5

    1f4493c6c315bbc9277f1ad5e1e1953d

  • SHA1

    e93c1fb21763138995b2a1d79c89924b0c829e23

  • SHA256

    3fc6e9efa5bb4b7feb57f13f51bd5cd016e502e8947cc2f27abeb7ab2df31ce8

  • SHA512

    1e19e47e826156b3f620c1fe879a1e9b51b9a6cab2e91862318094c8e7f498a8eaf9011f1490f7eda437073fe2d78ab70799dd03437e780c3247e95ff17e40bd

  • SSDEEP

    6144:onhimZQWM3Ac7zfW2geZToVBkjM+jcBCvvU83FLOaTfVTjwo6:ohimZEQcX+2g0ToVBIcIvvU8dPG

Malware Config

Targets

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VirtualBox drivers on disk

    • ModiLoader Second Stage

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Drops startup file

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks