Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-05-2024 03:16

General

  • Target

    1f4493c6c315bbc9277f1ad5e1e1953d_JaffaCakes118.exe

  • Size

    320KB

  • MD5

    1f4493c6c315bbc9277f1ad5e1e1953d

  • SHA1

    e93c1fb21763138995b2a1d79c89924b0c829e23

  • SHA256

    3fc6e9efa5bb4b7feb57f13f51bd5cd016e502e8947cc2f27abeb7ab2df31ce8

  • SHA512

    1e19e47e826156b3f620c1fe879a1e9b51b9a6cab2e91862318094c8e7f498a8eaf9011f1490f7eda437073fe2d78ab70799dd03437e780c3247e95ff17e40bd

  • SSDEEP

    6144:onhimZQWM3Ac7zfW2geZToVBkjM+jcBCvvU83FLOaTfVTjwo6:ohimZEQcX+2g0ToVBIcIvvU8dPG

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
  • ModiLoader Second Stage 53 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f4493c6c315bbc9277f1ad5e1e1953d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1f4493c6c315bbc9277f1ad5e1e1953d_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Users\Admin\AppData\Local\Temp\1f4493c6c315bbc9277f1ad5e1e1953d_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\1f4493c6c315bbc9277f1ad5e1e1953d_JaffaCakes118.exe
      2⤵
        PID:2216
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" javascript:m3Tbh3="dMpnk5";F01H=new%20ActiveXObject("WScript.Shell");osq8xQ="GpdZ9S";RTV9I1=F01H.RegRead("HKLM\\software\\Wow6432Node\\EiMXRDav\\ZBIAdIM");VrqWeeg9="IRtj";eval(RTV9I1);gFDMNu9="dSSu";
      1⤵
      • Process spawned unexpected child process
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:xpcpm
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1940
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe
          3⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VirtualBox drivers on disk
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Deletes itself
          • Drops startup file
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1784
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\SysWOW64\regsvr32.exe"
            4⤵
              PID:2100

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\529d1c\1bcd8a.lnk

        Filesize

        881B

        MD5

        66f141815a70dd94938f54490a6cb21d

        SHA1

        4615bdba8e80e4f04438ed1ba363510f15a25d00

        SHA256

        ac06e7109ee99802be05d03e51b97b483ee627ce48bb69908424a9151fd33129

        SHA512

        63cab3b4f6539ea8715ae65f9b0b2c702b20008aeeadd572dc607099e1c12f08e842130065d3fa0dde7b5ef71e7a196b4020a409a17bfc188ff0b9e200d89e42

      • C:\Users\Admin\AppData\Local\529d1c\4bd7f2.bat

        Filesize

        61B

        MD5

        7f145f9c460ee7bb55a3e7ad72a65f86

        SHA1

        39a73f2119c72ae27a166fff9ceb13859f6ac21b

        SHA256

        16e3704ce7a5f142fe817cd42cf9fd214341caf20a284c439457feb84515ddad

        SHA512

        1bfbf2931d904ae08d6552267b918e8f7e6cce6d142f0c950c74e2e601dc3cf36428fcddf67ad3cae1acb565edf4871c0c3c165be88c34d3c81b68b8d7c1a75f

      • C:\Users\Admin\AppData\Local\529d1c\7fd902.cbe78f1

        Filesize

        33KB

        MD5

        31a74cc3c704cbe8944c226fbedf1a2d

        SHA1

        bfe74df136ebe86e474b77d485994c7aa791d60b

        SHA256

        3a942d30a45ff6021fa92559381af77ec414347502a9d55b45732285ccc7b33b

        SHA512

        7f9b3105aa4f7d37b2b6dd8bfe1c98570dd4efc0399772406d8e4e2ce40903690dd3be0fda4b62e487f7c760e8f7e891631c96106fb502eddbfd9395eb999128

      • C:\Users\Admin\AppData\Roaming\4f4be6\d3bc4d.cbe78f1

        Filesize

        42KB

        MD5

        a5023c4aba53181cc11d540e61d2ca61

        SHA1

        a8c8e95495feba63618c7550b303d631643dbd85

        SHA256

        3ec37de2c88a330d30cac07e12d4cda2b454352537c293bae55f8a7a25bb0f35

        SHA512

        d6b46a6b8a6502c140cf457ed1a41fc13d97c4c9bfceb950fd201643d0e56718b39898170b72652a9d8f3530297f46e4586f0043bbed252f54f91a38ce4c10eb

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\54b061.lnk

        Filesize

        991B

        MD5

        48c37ed818e3e1b986f0e65de0abb48d

        SHA1

        61b0b3bb1018c09543c0d3f37ec8458dc0434432

        SHA256

        945cbd049408f030e3d7439aa896370ee8a8e1c20ecbb682e40b2d30288e3902

        SHA512

        8ad5426187a832409cefc9964022ed792160f68b9dfb0611ce42980fb90b6663070cffb502df41db64a93486469107511095f83a26d1018ad4003d51efe26a41

      • memory/1784-50-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-54-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-74-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-45-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-47-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-49-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-51-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-53-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-66-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-55-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-56-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-31-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-33-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-57-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-38-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-35-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-41-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-36-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-44-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-37-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-48-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-39-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-52-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-43-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-42-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-46-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-40-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-62-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-63-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-65-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-67-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1784-64-0x00000000001F0000-0x0000000000331000-memory.dmp (Filesize: 1.3MB)
      • memory/1940-34-0x00000000060E0000-0x00000000061B6000-memory.dmp (Filesize: 856KB)
      • memory/1940-29-0x00000000060E0000-0x00000000061B6000-memory.dmp (Filesize: 856KB)
      • memory/2100-76-0x0000000000250000-0x0000000000391000-memory.dmp (Filesize: 1.3MB)
      • memory/2100-78-0x0000000000250000-0x0000000000391000-memory.dmp (Filesize: 1.3MB)
      • memory/2100-79-0x0000000000250000-0x0000000000391000-memory.dmp (Filesize: 1.3MB)
      • memory/2100-75-0x0000000000250000-0x0000000000391000-memory.dmp (Filesize: 1.3MB)
      • memory/2100-80-0x0000000000250000-0x0000000000391000-memory.dmp (Filesize: 1.3MB)
      • memory/2100-77-0x0000000000250000-0x0000000000391000-memory.dmp (Filesize: 1.3MB)
      • memory/2216-19-0x0000000001DE0000-0x0000000001EB6000-memory.dmp (Filesize: 856KB)
      • memory/2216-0-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
      • memory/2216-4-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
      • memory/2216-2-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
      • memory/2216-16-0x0000000001DE0000-0x0000000001EB6000-memory.dmp (Filesize: 856KB)
      • memory/2216-17-0x0000000001DE0000-0x0000000001EB6000-memory.dmp (Filesize: 856KB)
      • memory/2216-14-0x0000000001DE0000-0x0000000001EB6000-memory.dmp (Filesize: 856KB)
      • memory/2216-12-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
      • memory/2216-20-0x0000000001DE0000-0x0000000001EB6000-memory.dmp (Filesize: 856KB)
      • memory/2216-10-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
      • memory/2216-8-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
      • memory/2216-6-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
      • memory/2216-18-0x0000000001DE0000-0x0000000001EB6000-memory.dmp (Filesize: 856KB)
      • memory/2216-13-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
      • memory/2216-15-0x0000000001DE0000-0x0000000001EB6000-memory.dmp (Filesize: 856KB)