Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-05-2024 22:28

General

  • Target

    21ffacb3767e2260c5dbe4adbad48fa2_JaffaCakes118.exe

  • Size

    331KB

  • MD5

    21ffacb3767e2260c5dbe4adbad48fa2

  • SHA1

    d682781f7a8628793de762ad06c490be3632e016

  • SHA256

    e7dc46c3427d3562898320310a9021a22af1845610842c70b08dd11eba7fe242

  • SHA512

    110c4e6fa8057d4b56624d92425dc43da8de3d5eadb7c70dc17d27c75e095dc0ed5c959ae34ba0e3c855816f208fc6cdac7d8ec6f310df1543ef378d413265d4

  • SSDEEP

    6144:rTlX2afUVMJnGGYONpiG/rpdOpMvh6EEpv6UIFcqiWEiHUpl:nlX2afBFOyXbaqigUr

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
  • ModiLoader Second Stage 55 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21ffacb3767e2260c5dbe4adbad48fa2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\21ffacb3767e2260c5dbe4adbad48fa2_JaffaCakes118.exe"
    1⤵
      PID:2168
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" javascript:pvP93qh="TrSWx6z";W9Q=new%20ActiveXObject("WScript.Shell");xhTJ4yob="7QuuH";ANz6n=W9Q.RegRead("HKCU\\software\\7Gja7D6X2K\\grGe3nw4Mv");M1UXB8m="QY";eval(ANz6n);IeZkj1ju="xa";
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:rftbhd
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3044
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe
          3⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VirtualBox drivers on disk
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Deletes itself
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2428
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\SysWOW64\regsvr32.exe"
            4⤵
              PID:1860
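
The chain in the tree above is a fileless staging pattern worth recognising on sight: mshta is handed an inline javascript: URI instead of an .hta file, that script reads its next stage out of a registry value (HKCU\software\7Gja7D6X2K\grGe3nw4Mv) with WScript.Shell.RegRead and eval()s it, PowerShell then runs whatever sits in the rftbhd environment variable (iex $env:rftbhd), and regsvr32 is started twice with no DLL to register. Nothing in that sequence touches a script file on disk, so command-line and parent-child telemetry is where it shows. The Python below is an added example, not part of this sandbox report and not any sandbox's own rule set: it runs four command-line rules and an ancestry check over constructed Sysmon-style process-creation records built from the tree. The PIDs, image paths and command lines are those shown above; the parent links, PID 1234 as the launcher, the two benign control records and the field layout are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """Process-creation record; the field set mirrors Sysmon Event ID 1 (an assumption)."""
    pid: int
    ppid: int
    image: str
    command_line: str

# Constructed telemetry. PIDs, image paths and command lines are those of the process tree
# above; the parent links, PID 1234 as launcher and the two benign controls are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(2168, 1234,
              r"C:\Users\Admin\AppData\Local\Temp\21ffacb3767e2260c5dbe4adbad48fa2_JaffaCakes118.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\21ffacb3767e2260c5dbe4adbad48fa2_JaffaCakes118.exe"'),
    ProcEvent(2540, 2168, r"C:\Windows\system32\mshta.exe",
              r'"C:\Windows\system32\mshta.exe" javascript:pvP93qh="TrSWx6z";'
              r'W9Q=new%20ActiveXObject("WScript.Shell");xhTJ4yob="7QuuH";'
              r'ANz6n=W9Q.RegRead("HKCU\\software\\7Gja7D6X2K\\grGe3nw4Mv");'
              r'M1UXB8m="QY";eval(ANz6n);IeZkj1ju="xa";'),
    ProcEvent(3044, 2540, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:rftbhd'),
    ProcEvent(2428, 3044, r"C:\Windows\SysWOW64\regsvr32.exe", "regsvr32.exe"),
    ProcEvent(1860, 2428, r"C:\Windows\SysWOW64\regsvr32.exe", r'"C:\Windows\SysWOW64\regsvr32.exe"'),
    ProcEvent(4001, 1234, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\helper.dll"'),  # constructed benign control
    ProcEvent(4002, 1234, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\inventory.ps1"),  # constructed benign control
]
LOLBINS = {"mshta.exe", "powershell.exe", "regsvr32.exe"}

def image_name(image):
    return image.rsplit("\\", 1)[-1].lower()

def arguments(command_line):
    """Drop the program token (quoted or bare) and return only the arguments."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        return cmd[close + 1:].strip() if close != -1 else ""
    parts = cmd.split(None, 1)
    return parts[1].strip() if len(parts) == 2 else ""

def mshta_inline_script(img, args):
    # A script URI in place of an .hta path: the "file" is the command line itself.
    return img == "mshta.exe" and re.match(r"(?i)(javascript|vbscript|about):", args) is not None

def mshta_registry_eval(img, args):
    # Next stage read out of a registry value and eval'd: nothing to scan on disk.
    return (img == "mshta.exe"
            and re.search(r"(?i)\bRegRead\s*\(", args) is not None
            and re.search(r"(?i)\beval\s*\(", args) is not None)

def powershell_iex_env(img, args):
    # iex / Invoke-Expression over $env:<name>: the script body was staged in an environment variable.
    return img == "powershell.exe" and re.search(
        r"(?i)\b(iex|invoke-expression)\b[^;|]*\$env:", args) is not None

def regsvr32_without_dll(img, args):
    # regsvr32 with no module to register does no legitimate work; next to the SetThreadContext
    # and WriteProcessMemory signatures above it reads as a host for injected code.
    return img == "regsvr32.exe" and args == ""

RULES = [mshta_inline_script, mshta_registry_eval, powershell_iex_env, regsvr32_without_dll]

def detect(events):
    """pid -> names of the rules that fired on that process's command line."""
    hits = {}
    for ev in events:
        img, args = image_name(ev.image), arguments(ev.command_line)
        fired = [rule.__name__ for rule in RULES if rule(img, args)]
        if fired:
            hits[ev.pid] = fired
    return hits

def lineage(events, pid):
    """Image names from the outermost known ancestor down to pid (cycle-safe)."""
    by_pid = {ev.pid: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]

def lolbin_chains(events, min_lolbins=3):
    """pid -> lineage, for processes whose ancestry strings together >= min_lolbins LOLBins."""
    flagged = {}
    for ev in events:
        chain = lineage(events, ev.pid)
        if sum(name in LOLBINS for name in chain) >= min_lolbins:
            flagged[ev.pid] = chain
    return flagged
```

On the sample records, detect() flags 2540 (both mshta rules), 3044 (powershell_iex_env) and the two regsvr32 instances 2428 and 1860, while the dropper itself and the two benign controls pass; lolbin_chains() flags 2428 and 1860, whose ancestry runs mshta, PowerShell, regsvr32. The two mshta rules are kept separate on purpose: the inline-URI rule is cheap and broad, the RegRead-plus-eval rule is the one that points at registry-resident stages and is worth an alert on its own.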

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\a00526b\1dee67a.c9c2c4da

        Filesize

        12KB

        MD5

        77828fc7fab48026372bede2476971b1

        SHA1

        22d63a228266d0c230cf452fcdf9e7385ef10591

        SHA256

        f1d20c7a45d8b9aab440857437e8cd5b953ae6e8b9062128217cbaa1b18696a1

        SHA512

        c7246a48f3aff7323777a21b3e27c2fa0c0a22692954b24b8132064530d907b7a3c2c68b23604fb98dcfd941c86847b2af163969bcb117e3b0ceef8fae3f547e

      • C:\Users\Admin\AppData\Local\a00526b\a911cc4.bat

        Filesize

        70B

        MD5

        726b2cce04546bc1307972e983301b52

        SHA1

        72a64c03ca0a2d542ad3c898e0b4479e16eacf7d

        SHA256

        5f4ad918d44d92b4366349f79191c5fc71a233eeddbbff7a1a435da941659b19

        SHA512

        a66a39d71edbedd5848b78480eb6bb5c77d26b0478fe50f08e600e47e455a7a898211b82c67b6c15c3606f1d4ee92810be6cd41827266c50bda026528c135e72

      • memory/1860-N-0x0000000000220000-0x000000000036A000-memory.dmp
        N = 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73 (13 snapshots of the same region)

        Filesize

        1.3MB

      • memory/2168-N-0x0000000000400000-0x000000000045A5E8-memory.dmp
        N = 1, 3 (2 snapshots)

        Filesize

        361KB

      • memory/2168-N-0x0000000000310000-0x00000000003EC000-memory.dmp
        N = 2, 4, 6, 7, 8, 9, 55 (7 snapshots)

        Filesize

        880KB

      • memory/2168-0-0x0000000000452000-0x0000000000454000-memory.dmp

        Filesize

        8KB

      • memory/2428-N-0x0000000000270000-0x00000000003BA000-memory.dmp
        N = 15, 18-41, 46-52 (32 snapshots of the same region)

        Filesize

        1.3MB

      • memory/3044-N-0x0000000006140000-0x000000000621C000-memory.dmp
        N = 14, 17 (2 snapshots)

        Filesize

        880KB

      • memory/3044-13-0x0000000002D90000-0x0000000002D91000-memory.dmp

        Filesize

        4KB
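
Two things stand out in the dump list once the repeats are collapsed: the 880KB region dumped from the dropper (2168, 0x310000-0x3EC000) has the same byte size as the 880KB region in PowerShell (3044, 0x6140000-0x621C000), and the 1.3MB region in the first regsvr32 (2428) matches the one in the second (1860). Same-size regions in a parent and its child, alongside the WriteProcessMemory, MapViewOfSection and SetThreadContext signatures recorded above, are what a copied-in image looks like from the outside; it is a lead to confirm by diffing the dumps, not proof on its own. The Python below is an added example, not part of the report: it parses the sandbox's memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp names as they appear in the list above, collapses repeated snapshots of one region, and reports sizes that recur across processes. The subset of names used as sample input is taken from the list; the cross-process heuristic is an analyst's rule of thumb, not a sandbox signature.

```python
import re
from collections import defaultdict

# Name layout read off the Downloads list above.
DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Subset of the dump names listed above (one or two per region).
SAMPLE_DUMPS = [
    "memory/2168-0-0x0000000000452000-0x0000000000454000-memory.dmp",
    "memory/2168-1-0x0000000000400000-0x000000000045A5E8-memory.dmp",
    "memory/2168-2-0x0000000000310000-0x00000000003EC000-memory.dmp",
    "memory/2168-55-0x0000000000310000-0x00000000003EC000-memory.dmp",
    "memory/3044-13-0x0000000002D90000-0x0000000002D91000-memory.dmp",
    "memory/3044-14-0x0000000006140000-0x000000000621C000-memory.dmp",
    "memory/2428-15-0x0000000000270000-0x00000000003BA000-memory.dmp",
    "memory/2428-52-0x0000000000270000-0x00000000003BA000-memory.dmp",
    "memory/1860-61-0x0000000000220000-0x000000000036A000-memory.dmp",
    "memory/1860-73-0x0000000000220000-0x000000000036A000-memory.dmp",
]

def parse_dump_name(name):
    """Split a dump name into pid, snapshot index, start, end and byte size."""
    m = DUMP_NAME.match(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]), "start": start, "end": end, "size": end - start}

def human_size(n):
    """Match the report's own units: bytes, whole KB below 1 MB, one decimal of MB above."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    if n >= 1 << 10:
        return f"{n // 1024}KB"
    return f"{n}B"

def regions(names):
    """(pid, start, end) -> sorted snapshot indices; collapses repeated dumps of one region."""
    out = defaultdict(list)
    for d in map(parse_dump_name, names):
        out[(d["pid"], d["start"], d["end"])].append(d["idx"])
    return {key: sorted(idxs) for key, idxs in out.items()}

def shared_size_regions(names):
    """Byte sizes that occur as a dumped region in more than one process, with the PIDs."""
    pids_by_size = defaultdict(set)
    for (pid, start, end) in regions(names):
        pids_by_size[end - start].add(pid)
    return {size: sorted(pids) for size, pids in pids_by_size.items() if len(pids) > 1}

if __name__ == "__main__":
    for (pid, start, end), idxs in sorted(regions(SAMPLE_DUMPS).items()):
        print(f"PID {pid} 0x{start:X}-0x{end:X} {human_size(end - start):>6}  snapshots {idxs}")
    for size, pids in shared_size_regions(SAMPLE_DUMPS).items():
        print(f"{human_size(size)} region present in PIDs {pids}")
```

Run against the sample names this reports the 1.3MB (0x14A000-byte) size in PIDs 1860 and 2428 and the 880KB (0xDC000-byte) size in PIDs 2168 and 3044; the 8KB, 4KB and 361KB regions are unique to one process and are not reported. The next step on a real case is to pull one dump from each pair and compare headers and strings, which is where the same-size hint either turns into an identified second stage or is discarded.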