General

  • Target

    287546291003d27911be77003c9f4b15_JaffaCakes118

  • Size

    331KB

  • Sample

    240509-fy2x4afd99

  • MD5

    287546291003d27911be77003c9f4b15

  • SHA1

    324a45d70ead25255d8a35a56583970497df377d

  • SHA256

    07f6d9e83f537600594c31b3602732e673876773d011ad3827d3b4bfd90263b3

  • SHA512

    008c0c4814ef08ebbf18d801272fad6fac177f493a0f1b96ce6492d84f651d23fe6c528f526dfd87c8ba7f37686f945c33a4c33b5dd07b866df595b93a5af3d5

  • SSDEEP

    6144:rTlX2afUVMJnGGYONpiG/rpdOpMvh6EEpv6UIFcqiWEiHUpoS1:nlX2afBFOyXbaqigUB

Malware Config

Targets

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VirtualBox drivers on disk

    • ModiLoader Second Stage

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
