General
-
Target
841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118
-
Size
451KB
-
Sample
241101-f1gpyavrc1
-
MD5
841e3020571b7e88f6bdeb2feaae66ab
-
SHA1
74cd938eb712ec9ee46c4bc90fd33f100062bcba
-
SHA256
7becb47b7359803ce0c2e41b5900f6d15b14f53b04ed86d42c98ecababc7baf8
-
SHA512
5b0e69e3c85c3eb1c9b0bd50392d92ea6f7e7bf8f2283d4cd590355161948d3adff58d740c2373884fad89b582b1015b199125abcd95b56e7cf6c8f4e67e2d92
-
SSDEEP
12288:XHFIQcL99wRku+gY43RK9v00lfQv1dN8OqhdT+:XHEDgN3U9NW7N8OqD6
Malware Config
Targets
-
-
Target
841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118
-
Size
451KB
-
MD5
841e3020571b7e88f6bdeb2feaae66ab
-
SHA1
74cd938eb712ec9ee46c4bc90fd33f100062bcba
-
SHA256
7becb47b7359803ce0c2e41b5900f6d15b14f53b04ed86d42c98ecababc7baf8
-
SHA512
5b0e69e3c85c3eb1c9b0bd50392d92ea6f7e7bf8f2283d4cd590355161948d3adff58d740c2373884fad89b582b1015b199125abcd95b56e7cf6c8f4e67e2d92
-
SSDEEP
12288:XHFIQcL99wRku+gY43RK9v00lfQv1dN8OqhdT+:XHEDgN3U9NW7N8OqD6
Score10/10-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies firewall policy service
-
Modiloader family
-
ModiLoader Second Stage
-
Adds policy Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
4