General
Target: 7eaf8f10190ef4c9d52198b2d0936318_JaffaCakes118
Size: 315KB
Sample: 241030-lttzkszjew
MD5: 7eaf8f10190ef4c9d52198b2d0936318
SHA1: b3728a97eee22170fa7d43928d017c4fd46e9076
SHA256: 224aac5b5fbe7d1d039b2ee4feb6d70a4368fcbd420e1a46360358283d5b9852
SHA512: 3dc66a518c62a1f46e64a4c2a8c596f00038f31898f446a8cfff5343e68f703e34444513f38ec67ffa0dde4932201d37677acee3946246a3448d2a5759c07c69
SSDEEP: 6144:T9KOQS4vXll7L1W2L4wC6pilCCHeLnbTermLtyMNdY:TsvXlllh8wLp3CkBo
Static task: static1
Behavioral task: behavioral1
  Sample: 7eaf8f10190ef4c9d52198b2d0936318_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 7eaf8f10190ef4c9d52198b2d0936318_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: $PLUGINSDIR/System.dll
  Resource: win7-20240903-en
Behavioral task: behavioral4
  Sample: $PLUGINSDIR/System.dll
  Resource: win10v2004-20241007-en
Behavioral task: behavioral5
  Sample: AnimGif.dll
  Resource: win7-20241010-en
Behavioral task: behavioral6
  Sample: AnimGif.dll
  Resource: win10v2004-20241007-en
Malware Config
Targets
Target: 7eaf8f10190ef4c9d52198b2d0936318_JaffaCakes118
Size: 315KB
MD5: 7eaf8f10190ef4c9d52198b2d0936318
SHA1: b3728a97eee22170fa7d43928d017c4fd46e9076
SHA256: 224aac5b5fbe7d1d039b2ee4feb6d70a4368fcbd420e1a46360358283d5b9852
SHA512: 3dc66a518c62a1f46e64a4c2a8c596f00038f31898f446a8cfff5343e68f703e34444513f38ec67ffa0dde4932201d37677acee3946246a3448d2a5759c07c69
SSDEEP: 6144:T9KOQS4vXll7L1W2L4wC6pilCCHeLnbTermLtyMNdY:TsvXlllh8wLp3CkBo
Signatures:
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- ModiLoader Second Stage
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
Target: $PLUGINSDIR/System.dll
Size: 11KB
MD5: 883eff06ac96966270731e4e22817e11
SHA1: 523c87c98236cbc04430e87ec19b977595092ac8
SHA256: 44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82
SHA512: 60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390
SSDEEP: 96:UPDYcJ+nx4vVp76JX7zBlkCg21Fxz4THxtrqw1at0JgwLEjo+OB3yUVCdl/wNj+l:UPtkuWJX7zB3kGwfy0nyUVsxCjOMb1u
Score: 3/10
Signatures: none
Target: AnimGif.dll
Size: 87KB
MD5: aa0883f08dc5c46fe49534b7e2efc56b
SHA1: 3daa11019666650e7983d052691ecca0e868ce36
SHA256: e9065c1039072792fa57e901415275edd64bdd0a79e0c0d5aa75b653f38f68d3
SHA512: 33722373e4545c32f2521db407a2322f25b61a50db9d5d913e4e9087e9171dbb251807884b1788d1ba0cc7c3460cb927540ad6b55a4a4eb9a063738f028701fb
SSDEEP: 1536:0zchUGlwhpu3R7gl7slcf3B3PjZ4tky9ttQc34EDHAW5dc86wu3duGMGODTrLTsk:STGlwzu3R7wPlQpIELAkvxu3or/r
Score: 10/10
Signatures:
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)