General

  • Target

    17843010538.zip

  • Size

    314KB

  • Sample

    240621-jre2jasanb

  • MD5

    a877963192fc54eea17d6b6b32d5c76b

  • SHA1

    369adbeac2c33ab22d486445cb80973fda3ae27d

  • SHA256

    4ac8a599fac8f874303b99472b650e06ddd8ec3e1456b364c577f867ab4b9c72

  • SHA512

    db286b39d3ad4f398355dfd3c25eebf995be8d2be99fb12377debb334abae3673eb7a96371b3ff9cecfe539495c00313e81d8ef5d71e44a80e7f80dafeca2285

  • SSDEEP

    6144:/8BnrY6Dv+Z6AGsHs9yI/D34zr5xvXFlGx6g9ais7igYb5Vf:arYEaTGsM9yVxvXHGxvLSYHf

Malware Config

Targets

    • Target

      e93ea2c9e689a35ef77e597a4cf34409f9c02dd74790716eae060304995d6289

    • Size

      386KB

    • MD5

      b44a8dbe40cf3d75a23d5b991246249b

    • SHA1

      78f70912abd3599935dd15d12428b41bee81e452

    • SHA256

      e93ea2c9e689a35ef77e597a4cf34409f9c02dd74790716eae060304995d6289

    • SHA512

      9dbdd06ba87fb1478c07bf97facf69e079553393c3905afc960ea1bb5727aa59b260bd77652b3c877de518234875f6a8fb7fd82096c9049578ae143d47609251

    • SSDEEP

      6144:JzYyFEqhqQK0TNhueSIfpzDx0J6Mml61EqIMiFNEnpIxI62:T1oQ1TbnRHclBIMiQpU2

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VirtualBox drivers on disk

    • ModiLoader Second Stage

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks