Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
13-05-2024 23:18
General
-
Target
3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe
-
Size
577KB
-
MD5
3cfc15aa83002db936bea5571d8ac8d3
-
SHA1
561d453b108b0b5f51e3259a81c12d59228680e8
-
SHA256
6eae9c990dd5922fa274347955a186e7a3c596730163ccf48a95b0de8f590a00
-
SHA512
9e838181170bbd1a1e6ef0de8b1d0ff76be59090e01fc68c0d205ae364b79d5c068cf6a8253d0a4f33c55e1f06973519cfbc3480df9bbdabd89d5c6a8e90a0c0
-
SSDEEP
12288:LeohY7kszv6ynzRtxvlX3UHZEylVVGYMvtTvxkgoz:LYTvnbcmyLV34rP8
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 55 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Users\Admin\AppData\Local\Temp\3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe"2⤵
- Loads dropped DLL
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:DAJep5M="ZmuX";J04j=new%20ActiveXObject("WScript.Shell");VCpXniq4t="r0SEPVle0";fyV7H=J04j.RegRead("HKLM\\software\\Wow6432Node\\TcYW8GUh\\NCCs6wKT");yKKA9Bqu="wtBp";eval(fyV7H);exCko0Z7="w7AnP87yi";1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:nypamj2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\529d1c\1bcd8a.lnkFilesize
881B
MD5e6da94f10279e79e6044846dd1345e2a
SHA1492936cfb30f811e58e790100fe2569f1df871af
SHA25669520bfa4b3dd730c671ff777e6eefd3e7c5792dc7051a4106337ec322e0b568
SHA512a52dc39ae9a183450bb6078cb17642fcbe82aa70516c35c1ced24b7e354f82c85b8d91c1a56eb5827dcfc38162dc28905e47953b9e2d84c477150073520d2e19
-
C:\Users\Admin\AppData\Local\529d1c\4bd7f2.batFilesize
61B
MD57f145f9c460ee7bb55a3e7ad72a65f86
SHA139a73f2119c72ae27a166fff9ceb13859f6ac21b
SHA25616e3704ce7a5f142fe817cd42cf9fd214341caf20a284c439457feb84515ddad
SHA5121bfbf2931d904ae08d6552267b918e8f7e6cce6d142f0c950c74e2e601dc3cf36428fcddf67ad3cae1acb565edf4871c0c3c165be88c34d3c81b68b8d7c1a75f
-
C:\Users\Admin\AppData\Local\529d1c\7fd902.cbe78f1Filesize
2KB
MD52a26106173dbcbec4f36123178366a58
SHA1004d7b7df5172ee0ede52d729078be0e13a2ec1d
SHA256c8537910d354c098a69d3178294c95b4ff4601ba0c16de535efdf0c320d49fac
SHA5120ad245aeda232fc825c34c546d97a2328b981a243b4f50fc983da861cf21ba2ca779866f33728a1c0a1a569a2b613cef53515fb7e7ea09014e958e85b38dff4b
-
C:\Users\Admin\AppData\Local\Temp\432fggqdd.txtFilesize
4B
MD59a11883317fde3aef2e2432a58c86779
SHA14e5ea1100d2cbc3e7efb7833cbdf52a8fe43d424
SHA2569087bff4ee5a4c50553a8a9096963d8d75dea9601fee74de289bbf21bcc25608
SHA512a1083c7e5561186d043d54e8adfb4114362921d53c9f46854e801d40a0795361391a9addf845e58e0d51736a4db52b5e6d5a74b4d20143b94253a0ff10f29feb
-
C:\Users\Admin\AppData\Local\Temp\4fggqdd.txtFilesize
84B
MD5737f1ca084a1b4c1e174688875f16fea
SHA19b7d9624918e1d23a90e80db2faf72baaf83842e
SHA2569f0a4c16dbc7ce1059294493bacd17dd7f46d43dcc7e1d048ab897b30ab7e767
SHA51263b234ac96613c1a0c761d67163667d2f5b33f52d1dec6fcc378c3e0e0a3776c45d95e42e9b4a5e3fefe8effa9a6bd3c7db1dd868acf8bb77678a99d05532d0e
-
C:\Users\Admin\AppData\Roaming\4f4be6\d3bc4d.cbe78f1Filesize
34KB
MD54f339de891617ca7fd5f343acb3047b0
SHA1aba161156bee65c076565dfe64e7add641f7fc03
SHA25694bf0de0a936426537fe2085cce3a2b2c9f29fbe63b6d80b3e62408d1a92b2a6
SHA512a81b37093cc0bb0fc27a38bd22651ca1d0be9dcbc7a62cfaaf53693d631a31cd96681a04ad35bf0c410d85c120a6b04fdfdb0c0de195fdff181ba6acfbd27a00
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\54b061.lnkFilesize
991B
MD5ec2f040d72658371b46614544de478bc
SHA130f723e8c1e01b005617b528f1f3de14c8b44dd2
SHA256330a01b3569961ab7be01761f93818b4ed69fb0f70a343bcaff6a779110f86bf
SHA5120b04af2755fbfdb764377842c8d6b3aea3f8acec8c6b4d3f4008d2baae0445725cf759f2dd7d722e78cff4db2b19ce2a9afa0b33f5ee7cbfabbf65ec8e08238e
-
\Users\Admin\AppData\Local\Temp\tmp254D.tmpFilesize
66KB
MD5aaa698721f488b181bc0f0afc5da126a
SHA176536a73f16ffd643ea24f8725cebfff9d49852f
SHA256e71ba7ce01d10e60a4feac7fc5e04f34756ba621c7d88583d0f96bd3b2655647
SHA51267d8b05678fbdc1678515c341fa8c1e26f3d1b15f2cc390bb9b1a26589a346fd57697dd3366e72d46ab265570929f1be89b8aec81112a2a98194c5886c89261d
-
memory/1768-60-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-65-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-71-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-56-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-57-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-58-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-54-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-53-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-68-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-59-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-83-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-61-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-62-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-63-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-64-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-55-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-67-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-69-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-70-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-72-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-73-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-80-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-50-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-48-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-52-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-66-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-74-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-85-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1768-84-0x0000000000180000-0x00000000002BE000-memory.dmpFilesize
1.2MB
-
memory/1820-90-0x0000000000210000-0x000000000034E000-memory.dmpFilesize
1.2MB
-
memory/1820-88-0x0000000000210000-0x000000000034E000-memory.dmpFilesize
1.2MB
-
memory/1820-93-0x0000000000210000-0x000000000034E000-memory.dmpFilesize
1.2MB
-
memory/1820-87-0x0000000000210000-0x000000000034E000-memory.dmpFilesize
1.2MB
-
memory/1820-92-0x0000000000210000-0x000000000034E000-memory.dmpFilesize
1.2MB
-
memory/1820-91-0x0000000000210000-0x000000000034E000-memory.dmpFilesize
1.2MB
-
memory/1820-89-0x0000000000210000-0x000000000034E000-memory.dmpFilesize
1.2MB
-
memory/1820-86-0x0000000000210000-0x000000000034E000-memory.dmpFilesize
1.2MB
-
memory/2128-34-0x0000000074940000-0x0000000074EEB000-memory.dmpFilesize
5.7MB
-
memory/2128-0-0x0000000074941000-0x0000000074942000-memory.dmpFilesize
4KB
-
memory/2128-2-0x0000000074940000-0x0000000074EEB000-memory.dmpFilesize
5.7MB
-
memory/2128-1-0x0000000074940000-0x0000000074EEB000-memory.dmpFilesize
5.7MB
-
memory/2224-19-0x0000000001D50000-0x0000000001D51000-memory.dmpFilesize
4KB
-
memory/2416-46-0x00000000061A0000-0x0000000006274000-memory.dmpFilesize
848KB
-
memory/2416-51-0x00000000061A0000-0x0000000006274000-memory.dmpFilesize
848KB
-
memory/2756-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2756-31-0x00000000009E0000-0x0000000000AB4000-memory.dmpFilesize
848KB
-
memory/2756-12-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2756-9-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2756-8-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2756-7-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2756-5-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2756-27-0x00000000009E0000-0x0000000000AB4000-memory.dmpFilesize
848KB
-
memory/2756-28-0x00000000009E0000-0x0000000000AB4000-memory.dmpFilesize
848KB
-
memory/2756-29-0x00000000009E0000-0x0000000000AB4000-memory.dmpFilesize
848KB
-
memory/2756-30-0x0000000072140000-0x000000007216E000-memory.dmpFilesize
184KB
-
memory/2756-16-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2756-33-0x00000000009E0000-0x0000000000AB4000-memory.dmpFilesize
848KB
-
memory/2756-36-0x00000000009E0000-0x0000000000AB4000-memory.dmpFilesize
848KB
-
memory/2756-35-0x00000000009E0000-0x0000000000AB4000-memory.dmpFilesize
848KB
-
memory/2756-3-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2756-128-0x0000000072140000-0x000000007216E000-memory.dmpFilesize
184KB
-
memory/2756-127-0x00000000009E0000-0x0000000000AB4000-memory.dmpFilesize
848KB
-
memory/2756-39-0x0000000072140000-0x000000007216E000-memory.dmpFilesize
184KB
-
memory/2756-32-0x00000000009E0000-0x0000000000AB4000-memory.dmpFilesize
848KB
-
memory/2756-17-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2756-41-0x00000000009E0000-0x0000000000AB4000-memory.dmpFilesize
848KB
-
memory/2756-42-0x0000000072140000-0x000000007216E000-memory.dmpFilesize
184KB