Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
12-05-2024 06:31
General
-
Target
38bba39c2139e77f4fecf128d25d583a_JaffaCakes118.exe
-
Size
265KB
-
MD5
38bba39c2139e77f4fecf128d25d583a
-
SHA1
2fbc7c25b1909e4cadae63caec0b902967072b1f
-
SHA256
6d9d58f592af50d202d9504db5ae94bef12903d6930d9cb0b7093a6eb6de662a
-
SHA512
62daacb43e2e872bdbe3012432004b8ff642670e185ea534e7b32f16d06957eefb30715875beb7e6170a423c2a08015247cb12579866439908d323f5f6cd72d2
-
SSDEEP
6144:AAZ4m1VLp8UBoCcp2XvUU+NK4JSaXhAzRTkaUHgX:AHmXo9XbJSaXmzRXUAX
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 60 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\38bba39c2139e77f4fecf128d25d583a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\38bba39c2139e77f4fecf128d25d583a_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\38bba39c2139e77f4fecf128d25d583a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\38bba39c2139e77f4fecf128d25d583a_JaffaCakes118.exe"2⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:UOR8aYBnS="oDGNeH";Aa4=new%20ActiveXObject("WScript.Shell");iSlJOg6i="W";tTM4n=Aa4.RegRead("HKLM\\software\\Wow6432Node\\7DG7pBYE\\5WI1EVB5");ubLvqsL62O="QSe";eval(tTM4n);kbFjw1BDm="zb8qUUT";1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:faox2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\7358d4\2d9c5e.1879f4fFilesize
25KB
MD58b5afbe6c64773491d30bc27f34142a4
SHA12bfe3261f94466beb4676d483f4d5d731086f648
SHA256bdcf31abd0ae5f92ac5aaa91bd3b83bbbf932fcf16173b57537d1d113187125e
SHA5124597c287f01c73e35dcaa163797c8630b9461a7b20a78d3af1eb65a02df3583f14cd077b218bc818baa5fb92ac96eff715b662a78aa86ea39b4265089f1f2737
-
C:\Users\Admin\AppData\Local\7358d4\6d45a7.batFilesize
61B
MD514adc766d85da95cd0990ed6bcc1524d
SHA1e3c8f83a8fbfea658c9139d3e670d609745fb848
SHA2560245cf83462c2d8f2453beb1094af0133caee498c1ab5147ee361cb8a449c1c4
SHA512b4172624d668b6c1e7519cca9cbb53645ecc8b9aa1e4908801fd81983b092ed7ad26e3e29047ff5dc4e7744ee9f08dc61765133fa5957926cb4518127f4b60b8
-
C:\Users\Admin\AppData\Local\7358d4\e5ae70.lnkFilesize
877B
MD5bdd15a1f4ac1b4fa52a730a1ac0609a2
SHA1449e50664aaa0ae674b60153c07de8f5f263c5dd
SHA256384fa99bd55e424d774c7a64bc9f55a9fe7f88ca32f33602dae358ece8618e20
SHA5129e7b9e0afda424397adf0266f6a9aefd739fbcadad388d7f0930dc51d72b8a5c6c067e7c470d769a04f9c72cb49de4f99f96f33ad8fb0d5f63d98d3a616f93d8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\94d0f9.lnkFilesize
987B
MD5215709b898a14b11cda4c2d0672d5c6c
SHA19d6ee947562b98ec3e07643ecfb1a0c0ea7736bb
SHA256ef1ee46a5e62b3750cc60c9419923acabe74a81bb5dadc1d42973867fd6bb7f1
SHA5121033feabcfee240d04d8d22374cb6b977da9f8308ebd6ffdb0dcd71663dbc6672547e4f596e727c94b4e75801580c0a84122eba8d32d521942f3296c21cbb16b
-
C:\Users\Admin\AppData\Roaming\e53183\8858ab.1879f4fFilesize
3KB
MD5b5aa9528d8be56b07f8ebce4397a17c1
SHA1d8bf4e7ceb8efefb863bc87dba88d27a8f7b18da
SHA256a472d6c7c65d434e1290fa8775b4cc5bcf92f8ac55c1eded8d36a47d8a34dcf8
SHA5120398a3cf6fa9320855aa8847f533e420822b2cbf442c652fb51cca34cbd29039242320c9769b351fd40557546a84be4a0f1131ebba8f79dd519b26f8a6898999
-
memory/1684-81-0x00000000001D0000-0x000000000030E000-memory.dmpFilesize
1.2MB
-
memory/1684-82-0x00000000001D0000-0x000000000030E000-memory.dmpFilesize
1.2MB
-
memory/1684-79-0x00000000001D0000-0x000000000030E000-memory.dmpFilesize
1.2MB
-
memory/1684-70-0x00000000001D0000-0x000000000030E000-memory.dmpFilesize
1.2MB
-
memory/1684-78-0x00000000001D0000-0x000000000030E000-memory.dmpFilesize
1.2MB
-
memory/1684-77-0x00000000001D0000-0x000000000030E000-memory.dmpFilesize
1.2MB
-
memory/1684-74-0x00000000001D0000-0x000000000030E000-memory.dmpFilesize
1.2MB
-
memory/1684-80-0x00000000001D0000-0x000000000030E000-memory.dmpFilesize
1.2MB
-
memory/1684-76-0x00000000001D0000-0x000000000030E000-memory.dmpFilesize
1.2MB
-
memory/1684-83-0x00000000001D0000-0x000000000030E000-memory.dmpFilesize
1.2MB
-
memory/1684-84-0x00000000001D0000-0x000000000030E000-memory.dmpFilesize
1.2MB
-
memory/1684-75-0x00000000001D0000-0x000000000030E000-memory.dmpFilesize
1.2MB
-
memory/1684-85-0x00000000001D0000-0x000000000030E000-memory.dmpFilesize
1.2MB
-
memory/1684-71-0x00000000001D0000-0x000000000030E000-memory.dmpFilesize
1.2MB
-
memory/1684-72-0x00000000001D0000-0x000000000030E000-memory.dmpFilesize
1.2MB
-
memory/1684-73-0x00000000001D0000-0x000000000030E000-memory.dmpFilesize
1.2MB
-
memory/2012-14-0x0000000001D00000-0x0000000001DD4000-memory.dmpFilesize
848KB
-
memory/2012-3-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2012-15-0x0000000001D00000-0x0000000001DD4000-memory.dmpFilesize
848KB
-
memory/2012-10-0x0000000001D00000-0x0000000001DD4000-memory.dmpFilesize
848KB
-
memory/2012-11-0x0000000001D00000-0x0000000001DD4000-memory.dmpFilesize
848KB
-
memory/2012-12-0x0000000001D00000-0x0000000001DD4000-memory.dmpFilesize
848KB
-
memory/2012-13-0x0000000001D00000-0x0000000001DD4000-memory.dmpFilesize
848KB
-
memory/2012-9-0x0000000001D00000-0x0000000001DD4000-memory.dmpFilesize
848KB
-
memory/2012-8-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2012-7-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2652-29-0x0000000006220000-0x00000000062F4000-memory.dmpFilesize
848KB
-
memory/2652-24-0x0000000006220000-0x00000000062F4000-memory.dmpFilesize
848KB
-
memory/2836-38-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-51-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-48-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-47-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-46-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-45-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-44-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-43-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-42-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-41-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-40-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-52-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-57-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-58-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-69-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-59-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-60-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-61-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-62-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-50-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-37-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-39-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-36-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-35-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-34-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-49-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-33-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-31-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-32-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-30-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-28-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB
-
memory/2836-26-0x00000000001F0000-0x000000000032E000-memory.dmpFilesize
1.2MB