Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-05-2024 11:50

General

  • Target

    129ba487da065ef14c609bc533fe906b_JaffaCakes118.exe

  • Size

    359KB

  • MD5

    129ba487da065ef14c609bc533fe906b

  • SHA1

    7f60c9419356ba46e134821b43361dd64e9175c6

  • SHA256

    d4165866be3c391c105ad37f159754c67df29548328c3384e6d28eac752ebb30

  • SHA512

    883f2c0af7c5cefeed37de8e8f7e268ebc0fd98c6ad099493a6e04e9ddee8dc1601115ae8b61ace24937be88139f247dbcbd3f37d94e0b004b93266d9a42f7df

  • SSDEEP

    6144:AVwrcMnYrT3dPpkFAPHXKcrzpz4pH1y8p39ijXuCN1/sIx9:mwrctrx4Af6wp4pHQ8J9ij+CN7D

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
  • ModiLoader Second Stage 57 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\129ba487da065ef14c609bc533fe906b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\129ba487da065ef14c609bc533fe906b_JaffaCakes118.exe"
    1⤵
      PID:2316
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" javascript:q3XJZV1="g";X0i=new%20ActiveXObject("WScript.Shell");Xzdj5="bmHvwCW";N00exd=X0i.RegRead("HKCU\\software\\etTpFC\\BfgV7J5");LBlTIkv3="I";eval(N00exd);L0DfI8="s0LZg";
      1⤵
      • Process spawned unexpected child process
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:bnsysg
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe
          3⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VirtualBox drivers on disk
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Deletes itself
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2440
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\SysWOW64\regsvr32.exe"
            4⤵
              PID:2928
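The process tree above is the part of this report a detection engineer would turn into a rule. mshta.exe runs an inline javascript: URI that reads a registry value (HKCU\software\etTpFC\BfgV7J5) and eval()s it; that starts a 32-bit powershell.exe whose whole command line is `iex $env:bnsysg`, i.e. it executes whatever script was staged in an environment variable; powershell then launches regsvr32.exe with no DLL to register and is tagged with SetThreadContext, WriteProcessMemory and MapViewOfSection, which is the footprint of writing a payload into that hollow host; the injected regsvr32 in turn spawns a second bare regsvr32. No stage after the first EXE touches a file, so the command lines and the parent/child lineage are the durable evidence. The Python below is an added example, not part of the sandbox report or of any vendor's code. It encodes the chain as three command-line rules plus an ancestry check and runs them over process events reconstructed from the tree above. The event records are constructed here, and the parent PIDs are an assumption taken from the tree's nesting (the report shows mshta.exe at the same depth marker as the EXE and does not list parent PIDs).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]  # None for the root of the tree
    image: str
    cmdline: str


# Constructed from the report's process tree. Parent PIDs are assumed from the
# nesting of the tree; the report itself does not state them.
EVENTS: List[Proc] = [
    Proc(2316, None,
         r"C:\Users\Admin\AppData\Local\Temp\129ba487da065ef14c609bc533fe906b_JaffaCakes118.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\129ba487da065ef14c609bc533fe906b_JaffaCakes118.exe"'),
    Proc(2036, 2316, r"C:\Windows\system32\mshta.exe",
         r'"C:\Windows\system32\mshta.exe" javascript:q3XJZV1="g";X0i=new%20ActiveXObject("WScript.Shell");'
         r'Xzdj5="bmHvwCW";N00exd=X0i.RegRead("HKCU\\software\\etTpFC\\BfgV7J5");LBlTIkv3="I";eval(N00exd);L0DfI8="s0LZg";'),
    Proc(2688, 2036, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:bnsysg'),
    Proc(2440, 2688, r"C:\Windows\SysWOW64\regsvr32.exe", "regsvr32.exe"),
    Proc(2928, 2440, r"C:\Windows\SysWOW64\regsvr32.exe", r'"C:\Windows\SysWOW64\regsvr32.exe"'),
]
BY_PID: Dict[int, Proc] = {p.pid: p for p in EVENTS}

# Images that commonly act as the parent of an injected/hollowed host.
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe"}


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def _args_of(cmdline: str) -> str:
    """Return everything after the image token (quoted or bare) of a command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def rule_mshta_registry_eval(p: Proc) -> Optional[str]:
    """mshta running an inline javascript: URI that reads a registry value and eval()s it."""
    if not p.image.lower().endswith(r"\mshta.exe"):
        return None
    cl = p.cmdline.lower()
    if "javascript:" in cl and ".regread(" in cl and "eval(" in cl:
        m = re.search(r'regread\("([^"]+)"\)', p.cmdline, re.IGNORECASE)
        key = m.group(1).replace("\\\\", "\\") if m else "?"  # JS escaping to a plain path
        return f"mshta evaluates script stored in registry value {key}"
    return None


def rule_powershell_env_iex(p: Proc) -> Optional[str]:
    """powershell whose payload is an environment variable handed to iex / Invoke-Expression."""
    if not p.image.lower().endswith(r"\powershell.exe"):
        return None
    m = re.search(r"(?:iex|invoke-expression)\s+\$env:(\w+)", p.cmdline, re.IGNORECASE)
    return f"powershell executes code from environment variable {m.group(1)}" if m else None


def rule_regsvr32_no_args(p: Proc, by_pid: Dict[int, Proc]) -> Optional[str]:
    """regsvr32 started with nothing to register, from a scripting host: a hollowed-host candidate."""
    if not p.image.lower().endswith(r"\regsvr32.exe") or _args_of(p.cmdline):
        return None
    parent = by_pid.get(p.ppid) if p.ppid is not None else None
    pname = _basename(parent.image) if parent else "?"
    if pname in SCRIPT_HOSTS:
        return f"regsvr32 started with no DLL argument by {pname} (likely hollowed host)"
    return None


def lineage(p: Proc, by_pid: Dict[int, Proc]) -> str:
    """Root-to-leaf chain of image names for p, e.g. 'a.exe > mshta.exe > powershell.exe'."""
    names, cur, seen = [], p, set()
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        names.append(_basename(cur.image))
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return " > ".join(reversed(names))


CHAIN: Tuple[str, ...] = ("mshta.exe", "powershell.exe", "regsvr32.exe")


def matches_chain(p: Proc, by_pid: Dict[int, Proc], chain: Tuple[str, ...] = CHAIN) -> bool:
    """True when p's ancestry contains the chain's images in order (not necessarily adjacent)."""
    i = 0
    for name in lineage(p, by_pid).split(" > "):
        if i < len(chain) and name == chain[i]:
            i += 1
    return i == len(chain)


def analyze(events: List[Proc]) -> List[Tuple[int, str]]:
    """Run every rule over every event; returns (pid, finding) pairs in event order."""
    by_pid = {p.pid: p for p in events}
    findings: List[Tuple[int, str]] = []
    for p in events:
        for msg in (rule_mshta_registry_eval(p), rule_powershell_env_iex(p),
                    rule_regsvr32_no_args(p, by_pid)):
            if msg:
                findings.append((p.pid, msg))
    return findings


if __name__ == "__main__":
    for pid, msg in analyze(EVENTS):
        print(f"{pid}: {msg}  [{lineage(BY_PID[pid], BY_PID)}]")
```

Run stand-alone it reports one finding per process from PID 2036 onward and prints the full lineage next to each, which is what an analyst wants alongside the alert: the mshta rule alone fires on benign HTA tooling rarely enough to page on, but the regsvr32 rule is only meaningful together with its parent, which is why it looks at the parent image rather than the command line alone. On a live host the staged script can be read back with `reg query HKCU\software\etTpFC /v BfgV7J5`; the environment variable bnsysg is presumably set by the mshta stage for its child and will not be visible from a normal shell, so it has to come from the powershell process's environment block. The regions listed under Downloads are where to look for the carried payload: the same 0xDC000-byte size appears in the dumps of PID 2316 and 2688, and the same 0x14A000-byte size in PID 2440 and 2928.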

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\7976b135\51dd6a1e.bat

        Filesize

        73B

        MD5

        811be83d03f311a2c219477eb9daafc9

        SHA1

        aa5ff34b0a51370c3bbc0c5e60f570814b4114a4

        SHA256

        d8fe518037c7eb92329c94e2a977a32225f30cf48c62f6e7d0a2b09cc33f7c1d

        SHA512

        d4ec86a4d2c49086e9de8c1fec16e7a70c28d01690d6171dc146b70318df5065d35c3c4e03608a20a425d6f5b719f0ef618175a5b4910613308eda78d12129c5

      • C:\Users\Admin\AppData\Local\7976b135\a6c8ed05.939cc2701

        Filesize

        28KB

        MD5

        ee93d22cc0699da3868bd92ccfcddbac

        SHA1

        1cb7e64c502c812348166653329fb8b9b1938427

        SHA256

        b5caa39123809006858534b451e5e8b3f10a8af9303e3406678c880e44275548

        SHA512

        581fa51c650cd2e033d883d918b670083aec850eda37e9d29e46558edbbd4a8d803e26fc31e6a59464daddcfaaf005f8e7755c1d5293e5379ec1611f92859be7

      Memory dumps are named memory/<pid>-<dump index>-<start>-<end>-memory.dmp. The same region was captured repeatedly; one line per region below, with the indices of the dumps in which it appears.

      • memory/2316 (129ba487da065ef14c609bc533fe906b_JaffaCakes118.exe)

        0x0000000000457000-0x0000000000459000   8KB     dump 0
        0x0000000000400000-0x000000000045FCB0   383KB   dumps 1, 3
        0x0000000001E00000-0x0000000001EDC000   880KB   dumps 2, 4, 5, 6, 7, 8, 9, 55

      • memory/2688 (powershell.exe)

        0x0000000005480000-0x0000000005481000   4KB     dump 13
        0x0000000006140000-0x000000000621C000   880KB   dumps 14, 17

      • memory/2440 (regsvr32.exe)

        0x0000000000130000-0x000000000027A000   1.3MB   dumps 15, 18, 19, 20-41, 46-52

      • memory/2928 (regsvr32.exe)

        0x0000000000200000-0x000000000034A000   1.3MB   dumps 61-73