General

  • Target

    0931569294082db5bc50e4d2c857ebe6_JaffaCakes118

  • Size

    905KB

  • Sample

    240620-ygafmaydqk

  • MD5

    0931569294082db5bc50e4d2c857ebe6

  • SHA1

    d0b899ac729cd721cfbd1c854d0bccad121a221c

  • SHA256

    b7b69122f524005c5466759233911deb0397d1922b6c9ac77041f0190c5ed9cb

  • SHA512

    dc507e8fb96fff66fe88a2757dbd2753a97815b57e33fa97dc420d8aa3acd9326b5fdfcfa61d9d5bdb4d33b7253f66a7b51690578482401687b1e5f56da03dce

  • SSDEEP

    24576:YKwQrsiK3Sr0ckHCb2/xg348uS8o2wYyGv:YKl83VckHLf8uLoLGv

Targets

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • UAC bypass

    • ModiLoader Second Stage

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15