Analysis
-
max time kernel
134s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
08-05-2024 00:08
General
-
Target
2255a6d2acb13100fa8a3c5f41c18e6a_JaffaCakes118.exe
-
Size
280KB
-
MD5
2255a6d2acb13100fa8a3c5f41c18e6a
-
SHA1
90144fa9929ee5a60804f55f8728366f270ee24a
-
SHA256
a55eceaf61aec51a64be7f8b9b2db0d7309b197dd9811378a619185b8887e25e
-
SHA512
77a1a43a50a5597f3d9da7a5cde063166214cdd30e1124dea7824c7241790984844d669a4fa2e6bbb3bd0947f9dc25ac0195ac1d65259d4f3d40f1d5009df540
-
SSDEEP
3072:M6+41Rx4dmFrSvLWG88MOE+cjqr3au5llnt6pCO4d+Lk24SBXpjihtly8rj3EY0Q:xVmLW/8MCp5llt6wFd5oPji7r5yTh34B
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 60 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2255a6d2acb13100fa8a3c5f41c18e6a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2255a6d2acb13100fa8a3c5f41c18e6a_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2255a6d2acb13100fa8a3c5f41c18e6a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2255a6d2acb13100fa8a3c5f41c18e6a_JaffaCakes118.exe"2⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:jQ5EYzc="4TMLuba";h72s=new%20ActiveXObject("WScript.Shell");hUi0XB0j="dWq4a3v";w50sTa=h72s.RegRead("HKLM\\software\\Wow6432Node\\BDoThICmlp\\FmdJLBt");F7uYBHoD="IeuF";eval(w50sTa);by3c0WEzU="rqWRw";1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:aojxef2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\d3afae00\52d5d4d8.73caeeca8Filesize
9KB
MD52cacf5a4cfed3732b79f7ff60ae1e37c
SHA128d05477d8c337f3e8059b5a113038ed507c5543
SHA2565685cbf2872de3a99bc488227def0e3ce23b213a4f69451c441fd7a6e24a2b3f
SHA512da92f062f8cb4a1e1818e88d28446f79994cb797ece68f969917ed0fd223c3a7aaad50d4b175a9ad45dfc871ab62c448ce4f64a4a1c3e1a0105597b4c4c9160d
-
C:\Users\Admin\AppData\Local\d3afae00\9a86c6c3.lnkFilesize
897B
MD5a92483561521734b6623cef20732fdd1
SHA104383522970e97d293cf512703c8f52b651b4034
SHA25614fe397ec720047267c23536cb6cc73b911a54e1b09104a02e7f0dc0b5fbf8b7
SHA512977e25381bf6c39334ffd9a21822168182a8d6d0357a70ab4f50ff8785bd9da9ff227e4cf240e55612faa0505a8061a8c165ea8afda8c1603d39150e1343bed8
-
C:\Users\Admin\AppData\Local\d3afae00\d2239679.batFilesize
67B
MD5f2ae417dcfcbe11a00d1102e6b587247
SHA10078bd4798af0b8a717425f1a85a1ff2a70c4c37
SHA2560dc66bcd192c0da909958e43407fb9c4eb212c0471e715e32555f9399549255b
SHA5128fd8d7af58ce744f505ec537830104bab71f86e87f7184bb6f0b699c8eed5f68ffd97211c435771b76aae94c8a74f782b656923c0f61f7189349b744d76f7dea
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e795bdc5.lnkFilesize
999B
MD5659f6c112b2f013e65491750969c0d01
SHA10335851b16792bfee657c1bf618b68d4161c35d3
SHA256d81ea0121701e02daf3c4c8a33272ea0570aa38d838aa5bc1df21dd2e745353b
SHA512b09d3c14d27b771b3c831c1fe7d321c08ea0864a42a6fa300000ea41331c0acd6bc8659865d173022a89f25f7c4defdadd48e28916ed4229b2a244b3b4701042
-
C:\Users\Admin\AppData\Roaming\e00a3efa\fe73a489.73caeeca8Filesize
7KB
MD5e29d50165298aecb6e2acbadbce59342
SHA17904d2cce229b247ba13be33b1a7084516d5a8d1
SHA256e498e261aa1a33bad74c37a65510381f011f35e3c70043345551dad676cc5524
SHA5121a4de70ac3358bcdbe586e222037f18878aaf5ee495baeb04a1f4d44fa451f22ecbb5119a11a85c0a497265f12e961b62254ccd6ad04869778edee2714fd8689
-
memory/1032-70-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1032-75-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1032-68-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1032-74-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1032-82-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1032-81-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1032-79-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1032-77-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1032-72-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1032-71-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1032-69-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1032-67-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1032-73-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1032-76-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1032-78-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1032-80-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/2332-2-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/2332-4-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/2332-5-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/2332-7-0x0000000001D80000-0x0000000001E56000-memory.dmpFilesize
856KB
-
memory/2332-6-0x0000000001D80000-0x0000000001E56000-memory.dmpFilesize
856KB
-
memory/2332-8-0x0000000001D80000-0x0000000001E56000-memory.dmpFilesize
856KB
-
memory/2332-9-0x0000000001D80000-0x0000000001E56000-memory.dmpFilesize
856KB
-
memory/2332-12-0x0000000001D80000-0x0000000001E56000-memory.dmpFilesize
856KB
-
memory/2332-11-0x0000000001D80000-0x0000000001E56000-memory.dmpFilesize
856KB
-
memory/2332-10-0x0000000001D80000-0x0000000001E56000-memory.dmpFilesize
856KB
-
memory/2508-27-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-66-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-56-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-55-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-54-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-42-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-41-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-40-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-39-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-37-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-34-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-49-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-60-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-43-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-45-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-47-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-57-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-58-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-48-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-32-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-33-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-46-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-31-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-44-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-29-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-28-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-38-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-36-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-35-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-30-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-23-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2508-25-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/2740-26-0x00000000061B0000-0x0000000006286000-memory.dmpFilesize
856KB
-
memory/2740-21-0x00000000061B0000-0x0000000006286000-memory.dmpFilesize
856KB