General
Target: 5eea4946116a52dac4d073b9ff3b91c5_JaffaCakes118
Size: 315KB
Sample: 240520-nzne4aaf3t
MD5: 5eea4946116a52dac4d073b9ff3b91c5
SHA1: 0522a124060cc0f4abd9be779b83e63a897f85c5
SHA256: 084518f51a8b309a7e3f4ce87c226ccb0b17501fb59da982f7e3ba2513800272
SHA512: 37cd3ed7a202684e0d08b293cc78bfad39c408d0c939d05ddecfad2d289001b5dcac14c953875457b9812069dec8f384bff56fba16fd3f1c99ff5d6ad5290cf0
SSDEEP: 6144:T9KOQS4vXll7L1W2L4wC6pilCCHeLnbTermLtyMNda:TsvXlllh8wLp3CkBK
Static task: static1
Behavioral task behavioral1: sample 5eea4946116a52dac4d073b9ff3b91c5_JaffaCakes118.exe, resource win7-20240419-en
Behavioral task behavioral2: sample 5eea4946116a52dac4d073b9ff3b91c5_JaffaCakes118.exe, resource win10v2004-20240426-en
Behavioral task behavioral3: sample $PLUGINSDIR/System.dll, resource win7-20240508-en
Behavioral task behavioral4: sample $PLUGINSDIR/System.dll, resource win10v2004-20240426-en
Behavioral task behavioral5: sample AnimGif.dll, resource win7-20240221-en
Behavioral task behavioral6: sample AnimGif.dll, resource win10v2004-20240508-en

Malware Config
Targets

Target: 5eea4946116a52dac4d073b9ff3b91c5_JaffaCakes118
Score: 10/10
Signatures:
- ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Checks for common network interception software: looks in the registry for tools such as Wireshark or Fiddler that are commonly used to analyze network activity.
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- ModiLoader Second Stage
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely as a geofence.
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext

Target: $PLUGINSDIR/System.dll
Size: 11KB
MD5: 883eff06ac96966270731e4e22817e11
SHA1: 523c87c98236cbc04430e87ec19b977595092ac8
SHA256: 44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82
SHA512: 60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390
SSDEEP: 96:UPDYcJ+nx4vVp76JX7zBlkCg21Fxz4THxtrqw1at0JgwLEjo+OB3yUVCdl/wNj+l:UPtkuWJX7zB3kGwfy0nyUVsxCjOMb1u
Score: 3/10

Target: AnimGif.dll
Size: 87KB
MD5: aa0883f08dc5c46fe49534b7e2efc56b
SHA1: 3daa11019666650e7983d052691ecca0e868ce36
SHA256: e9065c1039072792fa57e901415275edd64bdd0a79e0c0d5aa75b653f38f68d3
SHA512: 33722373e4545c32f2521db407a2322f25b61a50db9d5d913e4e9087e9171dbb251807884b1788d1ba0cc7c3460cb927540ad6b55a4a4eb9a063738f028701fb
SSDEEP: 1536:0zchUGlwhpu3R7gl7slcf3B3PjZ4tky9ttQc34EDHAW5dc86wu3duGMGODTrLTsk:STGlwzu3R7wPlQpIELAkvxu3or/r
Score: 10/10
Signatures:
- ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage
- Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation: Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)