General
-
Target
e6b42f8c8473b3bd402cc577b7e7e45d_JaffaCakes118
-
Size
1.1MB
-
Sample
240917-nelqrszgjr
-
MD5
e6b42f8c8473b3bd402cc577b7e7e45d
-
SHA1
d975f27316f663cd8c6f91c7e63258e757d92c52
-
SHA256
13bb8aa3ae4746aa10a58373be05d9fdbdf0fce8130bd3f0174ec80259b082ea
-
SHA512
39fbff56ab65c0b2dd254e58578e0106042dd6c0c33568193d535ea08dee68e3772495f1df5596dd69ebec2c21c01478a1e2ff3aeb6d30ce7b8cec312de54694
-
SSDEEP
24576:CsnRoeMFwf1IFdDjRf0zRCYG5K0QTKIEryivO6rG5MFlU/Mn68qPLIqv:CiieVf1If0oYG5eKkMO6KOn6829
Malware Config
Targets
-
-
Target
e6b42f8c8473b3bd402cc577b7e7e45d_JaffaCakes118
-
Size
1.1MB
-
MD5
e6b42f8c8473b3bd402cc577b7e7e45d
-
SHA1
d975f27316f663cd8c6f91c7e63258e757d92c52
-
SHA256
13bb8aa3ae4746aa10a58373be05d9fdbdf0fce8130bd3f0174ec80259b082ea
-
SHA512
39fbff56ab65c0b2dd254e58578e0106042dd6c0c33568193d535ea08dee68e3772495f1df5596dd69ebec2c21c01478a1e2ff3aeb6d30ce7b8cec312de54694
-
SSDEEP
24576:CsnRoeMFwf1IFdDjRf0zRCYG5K0QTKIEryivO6rG5MFlU/Mn68qPLIqv:CiieVf1If0oYG5eKkMO6KOn6829
Score10/10-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader First Stage
-
Manipulates Digital Signatures
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Deobfuscate/Decode Files or Information
Payload decoded via CertUtil.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Deobfuscate/Decode Files or Information
1Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1