General

  • Target

    6822fe6411396358172e3b0675f18233_JaffaCakes118

  • Size

    477KB

  • Sample

    240522-wpedfabc31

  • MD5

    6822fe6411396358172e3b0675f18233

  • SHA1

    82af7f3f4cae07f2f2d3cb68307400995e023297

  • SHA256

    c685f77ec783db7f4a61617c9dd6fc9dccee8ad7465471e048169c5604070e9c

  • SHA512

    9fd00095579de7ddd4ab2c0f9be4a4be0e48f9a66f9fe65d03e090e84911de509b850269a44254d944a50fa1de1e86244b0a5b7c93a069979c0ee71598ae9227

  • SSDEEP

    12288:jtca1qBsng2hJ+0v4ajM/InREpCh/XySbkeSbk6k9:X1MsJA/InR8DSgeSg6k9

Malware Config

Targets

    • Target

      6822fe6411396358172e3b0675f18233_JaffaCakes118

    • Size

      477KB

    • MD5

      6822fe6411396358172e3b0675f18233

    • SHA1

      82af7f3f4cae07f2f2d3cb68307400995e023297

    • SHA256

      c685f77ec783db7f4a61617c9dd6fc9dccee8ad7465471e048169c5604070e9c

    • SHA512

      9fd00095579de7ddd4ab2c0f9be4a4be0e48f9a66f9fe65d03e090e84911de509b850269a44254d944a50fa1de1e86244b0a5b7c93a069979c0ee71598ae9227

    • SSDEEP

      12288:jtca1qBsng2hJ+0v4ajM/InREpCh/XySbkeSbk6k9:X1MsJA/InR8DSgeSg6k9

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Looks for VirtualBox Guest Additions in registry

    • ModiLoader Second Stage

    • Adds policy Run key to start application

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Modify Registry

3
T1112

Discovery

Software Discovery

1
T1518

Query Registry

4
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

2
T1082

Peripheral Device Discovery

1
T1120

Tasks