General

  • Target

    66f636adfb8c7788221e29a2ad39c36b_JaffaCakes118

  • Size

    261KB

  • Sample

    240522-ml1ylaca24

  • MD5

    66f636adfb8c7788221e29a2ad39c36b

  • SHA1

    20b278745d2cf6d2df9688bdd58b4feace76576c

  • SHA256

    32cb28f0b9b96442d26e087c7aa42cc6f2ca47f77042cb055a1e92ef78972f0b

  • SHA512

    7e6b80cc25126d18f636b4fbd2c505b405b73e17ef9f77b5b5f47588420a7b9b348aa081a10bbcc6aeb4048995160eef51a1296967f488738988fb376a044e98

  • SSDEEP

    6144:JkGS17CZemTTwkkbBX5QAVPAjdYmHO40bozYqdtLkx:Jkl4T3wxxlPAjdYiODbYto

Malware Config

Targets

    • Target

      66f636adfb8c7788221e29a2ad39c36b_JaffaCakes118

    • Size

      261KB

    • MD5

      66f636adfb8c7788221e29a2ad39c36b

    • SHA1

      20b278745d2cf6d2df9688bdd58b4feace76576c

    • SHA256

      32cb28f0b9b96442d26e087c7aa42cc6f2ca47f77042cb055a1e92ef78972f0b

    • SHA512

      7e6b80cc25126d18f636b4fbd2c505b405b73e17ef9f77b5b5f47588420a7b9b348aa081a10bbcc6aeb4048995160eef51a1296967f488738988fb376a044e98

    • SSDEEP

      6144:JkGS17CZemTTwkkbBX5QAVPAjdYmHO40bozYqdtLkx:Jkl4T3wxxlPAjdYiODbYto

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VirtualBox drivers on disk

    • ModiLoader Second Stage

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

3
T1497

Modify Registry

2
T1112

Discovery

Software Discovery

1
T1518

Query Registry

5
T1012

Virtualization/Sandbox Evasion

3
T1497

File and Directory Discovery

1
T1083

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Tasks