Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-05-2024 02:00

General

  • Target

    112f4f28f7901335ac7fba24bc9f3fcd_JaffaCakes118.exe

  • Size

    308KB

  • MD5

    112f4f28f7901335ac7fba24bc9f3fcd

  • SHA1

    29d5bf2d13ba5f1e6f2c05d6db07157c6aa5083f

  • SHA256

    c46d7f3826dad22af4b540519bfd0d573ad2fd98b79071c26b1271f290c34008

  • SHA512

    954fbf4f8a137718f9994d8702af20c9fed80150893affe2fc70300dea92ffa112321cc29555cb849526797a17107614e52fab70448ad59de1ff9c7ed089be9d

  • SSDEEP

    6144:/LuWk0Hr9g0Y0XATMA6PDubTfknKEvR25VLXW3L/ejTKylY58X2t+b:/KCxbXKMyffkK2mxXW3L2qylgs44

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
  • ModiLoader Second Stage 53 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\112f4f28f7901335ac7fba24bc9f3fcd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\112f4f28f7901335ac7fba24bc9f3fcd_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Users\Admin\AppData\Local\Temp\112f4f28f7901335ac7fba24bc9f3fcd_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\112f4f28f7901335ac7fba24bc9f3fcd_JaffaCakes118.exe
      2⤵
        PID:2060
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" javascript:ZDY56JdS="wiKm";B6L8=new%20ActiveXObject("WScript.Shell");aN8NaM="F5w";q8JFW=B6L8.RegRead("HKLM\\software\\Wow6432Node\\AlMsph\\tEFNPqY");B8VFfDS="q";eval(q8JFW);J3uTy="zQ3mT";
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:ifsdbbe
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe
          3⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VirtualBox drivers on disk
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Deletes itself
          • Drops startup file
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2632
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\SysWOW64\regsvr32.exe"
            4⤵
              PID:1612

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\529d1c\1bcd8a.lnk
    Filesize: 881B
    MD5: d0a3fbe88c3f61c7b8ec51664558c563
    SHA1: db209447ea53c1a3cc72db99db8fd56ebd4e3610
    SHA256: 8fc0dd4419bdefda068b3b1db4a7e264fb638ae1f08562310905db8011cf4f10
    SHA512: 0e2a3c24cbde1ef2e7355939910b2d10ade1d60bb11f25662fdc33c6044ce61597658308a7a7fe5611a7f9253ded3580e66768eb34e26e2266aaf3c253629363

  • C:\Users\Admin\AppData\Local\529d1c\4bd7f2.bat
    Filesize: 61B
    MD5: 7f145f9c460ee7bb55a3e7ad72a65f86
    SHA1: 39a73f2119c72ae27a166fff9ceb13859f6ac21b
    SHA256: 16e3704ce7a5f142fe817cd42cf9fd214341caf20a284c439457feb84515ddad
    SHA512: 1bfbf2931d904ae08d6552267b918e8f7e6cce6d142f0c950c74e2e601dc3cf36428fcddf67ad3cae1acb565edf4871c0c3c165be88c34d3c81b68b8d7c1a75f

  • C:\Users\Admin\AppData\Local\529d1c\7fd902.cbe78f1
    Filesize: 35KB
    MD5: 38b2e1084ab75fa05a5ee206f3976a45
    SHA1: ac1cd59264cac1f0eebbe0bc5c469c4136afcffe
    SHA256: 638d165f6cd3dbcbec9b6274bec68d45d2476f97b9a1a4d3f3584b2f4e5cff69
    SHA512: 57d9b0875b8cf991e8c27ecdd93aaa4bb4786ced51f957b63494471b756fe822025fb2f4b5d140f7418dac638fc9f7b792737a8058bfdd2d0e4b84a1989be5dd

  • C:\Users\Admin\AppData\Roaming\4f4be6\d3bc4d.cbe78f1
    Filesize: 18KB
    MD5: c156766446b73bdb53da4afd77d4657b
    SHA1: 048c03d62a389139287b0e847347576ba07f1617
    SHA256: b1fc9e41aad0230f75bf1aaf95703efabad164341fd0472b41ff0303bedda274
    SHA512: 63c3731e64bb7940979131b3f127f6d6cfc12b9a9b406204e077c86f7d2bedb65bc3e2eaa0918039c502f05493ff25d8fc8e873d2d02ecb7dbf808d581eb2774

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\54b061.lnk
    Filesize: 991B
    MD5: 8ac118ccf74f5910b50fa47c975c8f3b
    SHA1: 8d1b75ca704b9f5835652abdfab68e23fcbe610b
    SHA256: 1878308c8f1984d41063449e816b65f60aea88b06a3f70730e1e147504492ffc
    SHA512: f1e9f1228abd5470c59f23621aa0ab72534aecf6928f1e89318e15bd797f92d16e2c9b59411be906d4ed61679eb06c0c5898f509b3c8c438cff226cf35f6d71b

Memory dumps

  Each dump is listed as memory/<PID>-<seq>-<start>-<end>-memory.dmp; the same region was captured repeatedly, so the entries are grouped here by process and region.

    PID   Region                                  Filesize  Dump sequence numbers
    1612  0x0000000000180000-0x00000000002C1000   1.3MB     80, 81, 82, 83, 84, 85
    2060  0x0000000000400000-0x000000000043A000   232KB     0, 2, 4, 6, 8, 10, 12, 13
    2060  0x0000000000220000-0x00000000002F6000   856KB     14, 15, 16, 17, 18, 19, 20
    2632  0x0000000000150000-0x0000000000291000   1.3MB     31, 33, 35 through 57, 62, 63, 65, 66, 67, 73, 74
    2816  0x00000000061C0000-0x0000000006296000   856KB     29, 34