Analysis

  • max time kernel: 150s
  • max time network: 150s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 08-05-2024 13:33

General

  • Target: 2511e56e5ffb06cbd33f769a7cde6c17_JaffaCakes118.exe
  • Size: 367KB
  • MD5: 2511e56e5ffb06cbd33f769a7cde6c17
  • SHA1: b4d78cc3b23c4e368042f37b5cecdf6eacf1c079
  • SHA256: 320872520cd04fd34751cb726e156c84dbbdbecab8630b6c7f7b111bb85da6d4
  • SHA512: b66776396d3e7aa2faefc427234b6aaec568526026edf71731c211c3a19f88056501922ce04b4dea1f6e20c43b29295755cd1e05e60d4424f7fbac22688c36f9
  • SSDEEP: 6144:I4Pz9rnSfE5SR7vyu93zujdmwoEoPNx2/CLZgDH7QPboLHXHnGkn:pn0Euqaj8ml6DEPboL3HGm

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Process spawned unexpected child process (1 IoC)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software (1 TTP)

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  • Looks for VirtualBox drivers on disk (2 TTPs, 1 IoC)
  • ModiLoader Second Stage (60 IoCs)
  • Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself (1 IoC)
  • Drops startup file (1 IoC)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Maps connected drives based on registry (3 TTPs, 2 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory (1 IoC)
  • Suspicious use of SetThreadContext (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings (1 TTP, 2 IoCs)
  • Modifies registry class (7 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: MapViewOfSection (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (31 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2511e56e5ffb06cbd33f769a7cde6c17_JaffaCakes118.exe (PID 2168)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2511e56e5ffb06cbd33f769a7cde6c17_JaffaCakes118.exe"
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\2511e56e5ffb06cbd33f769a7cde6c17_JaffaCakes118.exe (PID 2572)
      Command line: "C:\Users\Admin\AppData\Local\Temp\2511e56e5ffb06cbd33f769a7cde6c17_JaffaCakes118.exe"
  • C:\Windows\system32\mshta.exe (PID 2636)
    Command line: "C:\Windows\system32\mshta.exe" javascript:GDGv3xQM="pfODgPMI";i9q=new%20ActiveXObject("WScript.Shell");eG5XVG3uL="2cHygB";rst1G=i9q.RegRead("HKLM\\software\\Wow6432Node\\FPaHSGwJK1\\hCBRdr4");ODtd3y="0fUeuPD";eval(rst1G);fpGoqp4s="JuTpOGK";
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2420)
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:kgwfvg
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\regsvr32.exe (PID 1716)
        Command line: regsvr32.exe
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VirtualBox drivers on disk
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Deletes itself
        • Drops startup file
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\regsvr32.exe (PID 360)
          Command line: "C:\Windows\SysWOW64\regsvr32.exe"

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\66a1e6\730ec6.lnk
    Filesize: 881B
    MD5: 0d77296273cdee70fb62bed3d701975f
    SHA1: 4dc6d27a0b816a251e76769eead3368ee0f3c426
    SHA256: 3ab5631278f52cf665c4601c3e25732ad55e852f5defb9568744f552f21b5834
    SHA512: ca044be4a95decbeb272ba42e792358c5d5391af797a7d51bfd23fb378b8713a3f80bbf5700b5de442c38c78273aec2366962fc6545c19870a1242753b211c69

  • C:\Users\Admin\AppData\Local\66a1e6\9d0e99.bat
    Filesize: 61B
    MD5: fee145988b03ddac71ed154b5117d9d3
    SHA1: bbea418c35343ee6a01526675e95121d22b24f0d
    SHA256: 36fa6dfa6667111610585bdab4680341e6e4193ee612e3cca3272811007c6524
    SHA512: 3e5300e89ccf0d73f4ec9746801e72ac58823d53fb5979105d804c4152525492fcb8540e9905289258e41009b7ddf2aa3707dcc40b52511c4cd24eab428ddef2

  • C:\Users\Admin\AppData\Local\66a1e6\a56505.54ebcef
    Filesize: 47KB
    MD5: da6543addd2f80d53abb45c3b77e567c
    SHA1: ff79d73873b3b7b916d216d8e9cc24df0be46c9b
    SHA256: 3459d9d709c9b089b924b62abe9dbffc3ca9e87091d07d29d4788ed1103b13af
    SHA512: 87dd0547a86e713070c1b1a80599704c93b075574772ac446cb5b3e7b560fffb1de897d6da3f712d30a9430829cb95e103bfdb6d655ec666c931565921c058c0

  • C:\Users\Admin\AppData\Roaming\849415\7ed68e.54ebcef
    Filesize: 11KB
    MD5: 84d419d83c1e092d5af81e3322621f5d
    SHA1: 080dc5e49a86b80553b1eb1932368afde73645e6
    SHA256: 563df4ef70fb09624a1c93cb0a79c9804786b59455825ca120f2228918c4df2d
    SHA512: d435e2e35a37af7e4e601b09eaaa03dab3ba18f80dc77abae6311a83dc6aeb57f0a9d65b8b9bcbc24f5defa70bcc6da3409de0e7284f75b59509d85e75279bda

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\daaa61.lnk
    Filesize: 991B
    MD5: 7ca4c61dde29263b8ba1e9432c7f8f9f
    SHA1: dc2d459c98ecd2a06668249bb39707eb673270ee
    SHA256: 6a3559ed0c1071cbb5c341d1a4af3f9e92b074cc06d55577e8bce66df7597acb
    SHA512: 0ac6d64ab22d0d780648f4ad5db30b7873ad24897e83591c3db6a50f6c1582bd7e6d6d1974afb2db4ba1afbdba20acdaee51e441fa29daf17558f0aca55c60c7

  • memory/360-71-0x0000000000280000-0x00000000003C1000-memory.dmp (Filesize: 1.3MB)
  • memory/360-67-0x0000000000280000-0x00000000003C1000-memory.dmp (Filesize: 1.3MB)
  • memory/360-68-0x0000000000280000-0x00000000003C1000-memory.dmp (Filesize: 1.3MB)
  • memory/360-69-0x0000000000280000-0x00000000003C1000-memory.dmp (Filesize: 1.3MB)
  • memory/360-70-0x0000000000280000-0x00000000003C1000-memory.dmp (Filesize: 1.3MB)
  • memory/360-83-0x0000000000280000-0x00000000003C1000-memory.dmp (Filesize: 1.3MB)
  • memory/360-72-0x0000000000280000-0x00000000003C1000-memory.dmp (Filesize: 1.3MB)
  • memory/360-73-0x0000000000280000-0x00000000003C1000-memory.dmp (Filesize: 1.3MB)
  • memory/360-74-0x0000000000280000-0x00000000003C1000-memory.dmp (Filesize: 1.3MB)
  • memory/360-75-0x0000000000280000-0x00000000003C1000-memory.dmp (Filesize: 1.3MB)
  • memory/360-76-0x0000000000280000-0x00000000003C1000-memory.dmp (Filesize: 1.3MB)
  • memory/360-77-0x0000000000280000-0x00000000003C1000-memory.dmp (Filesize: 1.3MB)
  • memory/360-78-0x0000000000280000-0x00000000003C1000-memory.dmp (Filesize: 1.3MB)
  • memory/360-79-0x0000000000280000-0x00000000003C1000-memory.dmp (Filesize: 1.3MB)
  • memory/360-80-0x0000000000280000-0x00000000003C1000-memory.dmp (Filesize: 1.3MB)
  • memory/360-81-0x0000000000280000-0x00000000003C1000-memory.dmp (Filesize: 1.3MB)
  • memory/360-82-0x0000000000280000-0x00000000003C1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-28-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-30-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-56-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-55-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-49-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-48-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-47-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-45-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-44-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-43-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-42-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-41-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-40-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-66-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-58-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-59-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-54-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-38-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-31-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-29-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-27-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-57-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-22-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-23-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-32-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-33-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-34-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-35-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-36-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-37-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/1716-39-0x0000000000270000-0x00000000003B1000-memory.dmp (Filesize: 1.3MB)
  • memory/2420-21-0x00000000060D0000-0x00000000061A6000-memory.dmp (Filesize: 856KB)
  • memory/2420-25-0x00000000060D0000-0x00000000061A6000-memory.dmp (Filesize: 856KB)
  • memory/2572-9-0x00000000002E0000-0x00000000003B6000-memory.dmp (Filesize: 856KB)
  • memory/2572-8-0x00000000002E0000-0x00000000003B6000-memory.dmp (Filesize: 856KB)
  • memory/2572-11-0x00000000002E0000-0x00000000003B6000-memory.dmp (Filesize: 856KB)
  • memory/2572-12-0x00000000002E0000-0x00000000003B6000-memory.dmp (Filesize: 856KB)
  • memory/2572-2-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
  • memory/2572-10-0x00000000002E0000-0x00000000003B6000-memory.dmp (Filesize: 856KB)
  • memory/2572-7-0x00000000002E0000-0x00000000003B6000-memory.dmp (Filesize: 856KB)
  • memory/2572-6-0x00000000002E0000-0x00000000003B6000-memory.dmp (Filesize: 856KB)
  • memory/2572-5-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
  • memory/2572-4-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)