General
-
Target
JaffaCakes118_609f07ac8cdf111e6f24e1728174abec
-
Size
411KB
-
Sample
250101-zrvpzstnhz
-
MD5
609f07ac8cdf111e6f24e1728174abec
-
SHA1
2ebfbcfa88f30440bd0eeaa3a4e8ee4f68e6e626
-
SHA256
9f92890c641dd9ae077692a49f47f96174f62b079790b83554dbc3974977cb65
-
SHA512
55955f2f02ab073364f8e45b405e484470c84fc561e22310274605d30c3ec447fabdb17f200c8c9360e0eae1e461a97d43fb6b84a38b14f80e98f17db5f436ae
-
SSDEEP
6144:K8O2/InoEK82ozZTLBRTp02iL6kJQKcdm5fyu1fhCKgteB1YCt7:Kq/IxF2ozZTD91iL6SKu1fhCKg+
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_609f07ac8cdf111e6f24e1728174abec.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_609f07ac8cdf111e6f24e1728174abec.exe
Resource
win10v2004-20241007-en
Malware Config
Targets
-
-
Target
JaffaCakes118_609f07ac8cdf111e6f24e1728174abec
-
Size
411KB
-
MD5
609f07ac8cdf111e6f24e1728174abec
-
SHA1
2ebfbcfa88f30440bd0eeaa3a4e8ee4f68e6e626
-
SHA256
9f92890c641dd9ae077692a49f47f96174f62b079790b83554dbc3974977cb65
-
SHA512
55955f2f02ab073364f8e45b405e484470c84fc561e22310274605d30c3ec447fabdb17f200c8c9360e0eae1e461a97d43fb6b84a38b14f80e98f17db5f436ae
-
SSDEEP
6144:K8O2/InoEK82ozZTLBRTp02iL6kJQKcdm5fyu1fhCKgteB1YCt7:Kq/IxF2ozZTD91iL6SKu1fhCKg+
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VirtualBox drivers on disk
-
ModiLoader Second Stage
-
Adds policy Run key to start application
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Adds Run key to start application
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2