General

  • Target

    5eea4946116a52dac4d073b9ff3b91c5_JaffaCakes118

  • Size

    315KB

  • Sample

    240520-nzne4aaf3t

  • MD5

    5eea4946116a52dac4d073b9ff3b91c5

  • SHA1

    0522a124060cc0f4abd9be779b83e63a897f85c5

  • SHA256

    084518f51a8b309a7e3f4ce87c226ccb0b17501fb59da982f7e3ba2513800272

  • SHA512

    37cd3ed7a202684e0d08b293cc78bfad39c408d0c939d05ddecfad2d289001b5dcac14c953875457b9812069dec8f384bff56fba16fd3f1c99ff5d6ad5290cf0

  • SSDEEP

    6144:T9KOQS4vXll7L1W2L4wC6pilCCHeLnbTermLtyMNda:TsvXlllh8wLp3CkBK

Malware Config

Targets

    • Target

      5eea4946116a52dac4d073b9ff3b91c5_JaffaCakes118

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VirtualBox drivers on disk

    • ModiLoader Second Stage

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      883eff06ac96966270731e4e22817e11

    • SHA1

      523c87c98236cbc04430e87ec19b977595092ac8

    • SHA256

      44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

    • SHA512

      60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

    • SSDEEP

      96:UPDYcJ+nx4vVp76JX7zBlkCg21Fxz4THxtrqw1at0JgwLEjo+OB3yUVCdl/wNj+l:UPtkuWJX7zB3kGwfy0nyUVsxCjOMb1u

    • Score

      3/10

    • Target

      AnimGif.dll

    • Size

      87KB

    • MD5

      aa0883f08dc5c46fe49534b7e2efc56b

    • SHA1

      3daa11019666650e7983d052691ecca0e868ce36

    • SHA256

      e9065c1039072792fa57e901415275edd64bdd0a79e0c0d5aa75b653f38f68d3

    • SHA512

      33722373e4545c32f2521db407a2322f25b61a50db9d5d913e4e9087e9171dbb251807884b1788d1ba0cc7c3460cb927540ad6b55a4a4eb9a063738f028701fb

    • SSDEEP

      1536:0zchUGlwhpu3R7gl7slcf3B3PjZ4tky9ttQc34EDHAW5dc86wu3duGMGODTrLTsk:STGlwzu3R7wPlQpIELAkvxu3or/r

    • Score

      10/10

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • ModiLoader Second Stage

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Boot or Logon Autostart Execution, T1547 (1)

  • Registry Run Keys / Startup Folder, T1547.001 (1)

Privilege Escalation

  • Boot or Logon Autostart Execution, T1547 (1)

  • Registry Run Keys / Startup Folder, T1547.001 (1)

Defense Evasion

  • Virtualization/Sandbox Evasion, T1497 (3)

  • Modify Registry, T1112 (2)

Discovery

  • Software Discovery, T1518 (1)

  • Query Registry, T1012 (5)

  • Virtualization/Sandbox Evasion, T1497 (3)

  • File and Directory Discovery, T1083 (1)

  • System Information Discovery, T1082 (4)

  • Peripheral Device Discovery, T1120 (1)

Tasks