Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    08-05-2024 10:25

General

  • Target

    24694fdfdf16084f4e39a683455ddac0_JaffaCakes118.exe

  • Size

    420KB

  • MD5

    24694fdfdf16084f4e39a683455ddac0

  • SHA1

    a23dce4b948395f8d448006adc3ab71a9dd6abb5

  • SHA256

    a160c05756d81a76a8298b90160999711caa853d5d17771c6bef0d52c38910ff

  • SHA512

    c25983e652d55c9160e6de86e9b3b3736f8fc175d800da5401ec7e51dbd243f4af1d943ae879a9525008323ea1b1310a2cf08e3e690952e2158a34b5086d9db1

  • SSDEEP

    6144:Na/SLBjqbdiT+3mHFfutZTP0P3gXkHclSTu8yfYsbHmze84C3SU8rp0xe:QSL8bugT0PwEhiGK8B3Op0g

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
  • ModiLoader Second Stage 60 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24694fdfdf16084f4e39a683455ddac0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\24694fdfdf16084f4e39a683455ddac0_JaffaCakes118.exe"
    1⤵
      PID:1132
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" javascript:oQUR7JS="p8iXyS";T5X3=new%20ActiveXObject("WScript.Shell");G4Kld4rkDc="g35IIYAgi";P7GAT4=T5X3.RegRead("HKLM\\software\\Wow6432Node\\0aYJO8\\r23Mdh4");UM4JIkN4fu="fL7NVp";eval(P7GAT4);hVjQE2t="PZ";
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:numkkad
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe
          3⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VirtualBox drivers on disk
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Deletes itself
          • Drops startup file
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2752
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\SysWOW64\regsvr32.exe"
            4⤵
              PID:1204

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\d3afae00\52d5d4d8.73caeeca8

        Filesize

        48KB

        MD5

        766e17c8572282256a3541aa73505f20

        SHA1

        36867a5ef661fa8eac848e9c0e8af9ab80f4d420

        SHA256

        41bdaff81ce61a4c762aacf4eebca7d0861df3df50900aa0fa09551166737f31

        SHA512

        66011086c0b72094bc57cc2e4d2cd966c55ff964d0cf211de1b27518cdaf3d446bac9ac2e2abcdd60d1b603529d2db9f14f004e7006cfdb845dbc1a3a7dcd9c1

      • C:\Users\Admin\AppData\Local\d3afae00\9a86c6c3.lnk

        Filesize

        897B

        MD5

        3887be6eb8444973d9dd466e5a543912

        SHA1

        04295926fbcddf1d4ef7ebf09efe7eb8e2cd1904

        SHA256

        5d6085d1f99e94c2f2f924b8be7c2b0cd4a934e83f262765683bcf4c04d8eb25

        SHA512

        f5db4156efe122238a1d8f4b8ef2940bb0101bf1232bbefaeb4a0f58f2cccf5fe3ecc2875dd7f2e75f94702717f0a73908dc168e7986ab7f9f9bd94e015d9893

      • C:\Users\Admin\AppData\Local\d3afae00\d2239679.bat

        Filesize

        67B

        MD5

        f2ae417dcfcbe11a00d1102e6b587247

        SHA1

        0078bd4798af0b8a717425f1a85a1ff2a70c4c37

        SHA256

        0dc66bcd192c0da909958e43407fb9c4eb212c0471e715e32555f9399549255b

        SHA512

        8fd8d7af58ce744f505ec537830104bab71f86e87f7184bb6f0b699c8eed5f68ffd97211c435771b76aae94c8a74f782b656923c0f61f7189349b744d76f7dea

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e795bdc5.lnk

        Filesize

        999B

        MD5

        50e56da39118aa17acfb3f4e21ea57e0

        SHA1

        a2cd926b92ab4bb3d86c9513f6466ed8e6b5182c

        SHA256

        1b76e895a3ad5e1ce19876944b63ebb677056d47f459e6f1e5cf517740f02dda

        SHA512

        ea23a597b56bba968ebb83415b0ceb85c5484cfe8e42ad936a3e6319e006d18873c3368279490d136caa3af295c685a6510ac60ea233af70492dfb5019fd512e

      • C:\Users\Admin\AppData\Roaming\e00a3efa\fe73a489.73caeeca8

        Filesize

        43KB

        MD5

        eeae615828cb386e4ee35669d02762ec

        SHA1

        03632d227ef2759ad71503ff84975fc26e42a716

        SHA256

        4a8e413e9baf1f796f34aeafff010a35fabba057d057bb24c75523e480a9816c

        SHA512

        cfeaa3342063bced908f42c93f6f0d2e1ad3caa6971edce57ba5a17bbae79f77246b5377500469dcc6c5d1cfb447e7d33b6a8dbd0b97a7ff64c767dfac26607c

      • memory/1132-4-0x0000000002090000-0x0000000002164000-memory.dmp

        Filesize

        848KB

      • memory/1132-5-0x0000000002090000-0x0000000002164000-memory.dmp

        Filesize

        848KB

      • memory/1132-3-0x0000000002090000-0x0000000002164000-memory.dmp

        Filesize

        848KB

      • memory/1132-8-0x0000000002090000-0x0000000002164000-memory.dmp

        Filesize

        848KB

      • memory/1132-9-0x0000000002090000-0x0000000002164000-memory.dmp

        Filesize

        848KB

      • memory/1132-6-0x0000000002090000-0x0000000002164000-memory.dmp

        Filesize

        848KB

      • memory/1132-7-0x0000000002090000-0x0000000002164000-memory.dmp

        Filesize

        848KB

      • memory/1132-1-0x0000000000330000-0x000000000036A000-memory.dmp

        Filesize

        232KB

      • memory/1132-0-0x0000000000400000-0x000000000046C000-memory.dmp

        Filesize

        432KB

      • memory/1132-2-0x0000000000400000-0x000000000046C000-memory.dmp

        Filesize

        432KB

      • memory/1204-66-0x0000000000220000-0x000000000035E000-memory.dmp

        Filesize

        1.2MB

      • memory/1204-71-0x0000000000220000-0x000000000035E000-memory.dmp

        Filesize

        1.2MB

      • memory/1204-64-0x0000000000220000-0x000000000035E000-memory.dmp

        Filesize

        1.2MB

      • memory/1204-65-0x0000000000220000-0x000000000035E000-memory.dmp

        Filesize

        1.2MB

      • memory/1204-70-0x0000000000220000-0x000000000035E000-memory.dmp

        Filesize

        1.2MB

      • memory/1204-73-0x0000000000220000-0x000000000035E000-memory.dmp

        Filesize

        1.2MB

      • memory/1204-75-0x0000000000220000-0x000000000035E000-memory.dmp

        Filesize

        1.2MB

      • memory/1204-79-0x0000000000220000-0x000000000035E000-memory.dmp

        Filesize

        1.2MB

      • memory/1204-67-0x0000000000220000-0x000000000035E000-memory.dmp

        Filesize

        1.2MB

      • memory/1204-68-0x0000000000220000-0x000000000035E000-memory.dmp

        Filesize

        1.2MB

      • memory/1204-69-0x0000000000220000-0x000000000035E000-memory.dmp

        Filesize

        1.2MB

      • memory/1204-82-0x0000000000220000-0x000000000035E000-memory.dmp

        Filesize

        1.2MB

      • memory/1204-72-0x0000000000220000-0x000000000035E000-memory.dmp

        Filesize

        1.2MB

      • memory/1204-74-0x0000000000220000-0x000000000035E000-memory.dmp

        Filesize

        1.2MB

      • memory/1204-76-0x0000000000220000-0x000000000035E000-memory.dmp

        Filesize

        1.2MB

      • memory/1204-77-0x0000000000220000-0x000000000035E000-memory.dmp

        Filesize

        1.2MB

      • memory/1204-78-0x0000000000220000-0x000000000035E000-memory.dmp

        Filesize

        1.2MB

      • memory/1204-80-0x0000000000220000-0x000000000035E000-memory.dmp

        Filesize

        1.2MB

      • memory/1204-81-0x0000000000220000-0x000000000035E000-memory.dmp

        Filesize

        1.2MB

      • memory/2600-23-0x0000000006360000-0x0000000006434000-memory.dmp

        Filesize

        848KB

      • memory/2600-19-0x0000000006360000-0x0000000006434000-memory.dmp

        Filesize

        848KB

      • memory/2752-26-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-63-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-29-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-27-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-38-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-36-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-28-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-30-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-31-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-32-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-33-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-34-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-35-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-37-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-40-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-41-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-54-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-55-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-44-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-46-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-51-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-52-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-56-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-53-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-45-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-43-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-39-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-24-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-25-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-21-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB

      • memory/2752-20-0x0000000000260000-0x000000000039E000-memory.dmp

        Filesize

        1.2MB