General

  • Target

    7eaf8f10190ef4c9d52198b2d0936318_JaffaCakes118

  • Size

    315KB

  • Sample

    241030-lttzkszjew

  • MD5

    7eaf8f10190ef4c9d52198b2d0936318

  • SHA1

    b3728a97eee22170fa7d43928d017c4fd46e9076

  • SHA256

    224aac5b5fbe7d1d039b2ee4feb6d70a4368fcbd420e1a46360358283d5b9852

  • SHA512

    3dc66a518c62a1f46e64a4c2a8c596f00038f31898f446a8cfff5343e68f703e34444513f38ec67ffa0dde4932201d37677acee3946246a3448d2a5759c07c69

  • SSDEEP

    6144:T9KOQS4vXll7L1W2L4wC6pilCCHeLnbTermLtyMNdY:TsvXlllh8wLp3CkBo

Malware Config

Targets

    • Target

      7eaf8f10190ef4c9d52198b2d0936318_JaffaCakes118

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Modiloader family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VirtualBox drivers on disk

    • ModiLoader Second Stage

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofencing check.

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      883eff06ac96966270731e4e22817e11

    • SHA1

      523c87c98236cbc04430e87ec19b977595092ac8

    • SHA256

      44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

    • SHA512

      60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

    • SSDEEP

      96:UPDYcJ+nx4vVp76JX7zBlkCg21Fxz4THxtrqw1at0JgwLEjo+OB3yUVCdl/wNj+l:UPtkuWJX7zB3kGwfy0nyUVsxCjOMb1u

    • Score

      3/10

    • Target

      AnimGif.dll

    • Size

      87KB

    • MD5

      aa0883f08dc5c46fe49534b7e2efc56b

    • SHA1

      3daa11019666650e7983d052691ecca0e868ce36

    • SHA256

      e9065c1039072792fa57e901415275edd64bdd0a79e0c0d5aa75b653f38f68d3

    • SHA512

      33722373e4545c32f2521db407a2322f25b61a50db9d5d913e4e9087e9171dbb251807884b1788d1ba0cc7c3460cb927540ad6b55a4a4eb9a063738f028701fb

    • SSDEEP

      1536:0zchUGlwhpu3R7gl7slcf3B3PjZ4tky9ttQc34EDHAW5dc86wu3duGMGODTrLTsk:STGlwzu3R7wPlQpIELAkvxu3or/r

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Modiloader family

    • ModiLoader Second Stage

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks