Analysis
-
max time kernel
151s -
max time network
157s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
16-05-2024 05:42
General
-
Target
49a18b85968649d12b80ad3addadbf63_JaffaCakes118.exe
-
Size
355KB
-
MD5
49a18b85968649d12b80ad3addadbf63
-
SHA1
b7cf30cfa839ebf74f299aeaf1d256605c02c4e7
-
SHA256
1c886653f24c734aaa232332ef9f2f55fbcb6314cfe75972f38a7a6037610366
-
SHA512
10b255e8bd4361a910c77073ee7d2a2f9ac5c3c8f2e057bdac87d5a2118ebd3e9c736d35a757163eb50daadc5d67546d47ba462668b9c6bc64bda14cdf09a4bb
-
SSDEEP
6144:rl8krvwf9ocqugSHDV7wv5jmkXszdwoNC/NsHjGjDpSqLkl/Pi:rqkrw9BWSHDV7whjPspwoNNHjGvp9L7
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 56 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\49a18b85968649d12b80ad3addadbf63_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\49a18b85968649d12b80ad3addadbf63_JaffaCakes118.exe"1⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:EK9kCdz="e6P5SbjZ";h2c=new%20ActiveXObject("WScript.Shell");EDqqa8="u0PLlx";JhiZ26=h2c.RegRead("HKCU\\software\\PqDLGTgKU\\VHi3K4dBZ");vAJ4pat9="Pjvv";eval(JhiZ26);ZxqN7Nk="uxpb";1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:yipvjs2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\26ada5\38e275.batFilesize
69B
MD5079d67095185dd90232481e93bf6d285
SHA18d7e8dcac18b7ce6ae1bb2f02405ee128bafc30d
SHA256294ff8d3fb576e63e2c5e952e6fdeb2dd662d92c356752cb75e50438543d724e
SHA512fa369a10f07211be94e8c025214fe4a419a3338b21447b8ba68c49ba156e2d6f472623b9e53776eedb4f35b73f549fd707989d26aad7d4631f2ceff1b6ec6007
-
C:\Users\Admin\AppData\Local\26ada5\82963c.8aa1d52Filesize
27KB
MD5919341d99690e3c52c28c344d00b3eb4
SHA1ea09bccf3c18b934ce57a384baaa5dc0d9883ecf
SHA2566d95f084cc7fd35a52ec6c8c0c833ddcc2d7eb3ef331e646d76056f4940932b5
SHA51204cc5a179a1a3ec48c71f83bfd59a78430304f6e1b151d926544c7276d8115126b4944fde1d4e376c9e20b5f2e4c72a57dff18f5c6db57933c7a515fc0037697
-
memory/612-7-0x0000000000460000-0x000000000053C000-memory.dmpFilesize
880KB
-
memory/612-55-0x0000000000460000-0x000000000053C000-memory.dmpFilesize
880KB
-
memory/612-0-0x0000000000455000-0x0000000000457000-memory.dmpFilesize
8KB
-
memory/612-6-0x0000000000460000-0x000000000053C000-memory.dmpFilesize
880KB
-
memory/612-4-0x0000000000460000-0x000000000053C000-memory.dmpFilesize
880KB
-
memory/612-1-0x0000000000400000-0x000000000045F8D0-memory.dmpFilesize
382KB
-
memory/612-8-0x0000000000460000-0x000000000053C000-memory.dmpFilesize
880KB
-
memory/612-9-0x0000000000460000-0x000000000053C000-memory.dmpFilesize
880KB
-
memory/612-14-0x0000000000455000-0x0000000000457000-memory.dmpFilesize
8KB
-
memory/612-2-0x0000000000460000-0x000000000053C000-memory.dmpFilesize
880KB
-
memory/612-5-0x0000000000460000-0x000000000053C000-memory.dmpFilesize
880KB
-
memory/612-3-0x0000000000400000-0x000000000045F8D0-memory.dmpFilesize
382KB
-
memory/2220-64-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2220-67-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2220-69-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2220-66-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2220-63-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2220-72-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2220-70-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2220-62-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2220-65-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2220-61-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2220-71-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2220-68-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2504-15-0x0000000002AB0000-0x0000000002AB1000-memory.dmpFilesize
4KB
-
memory/2504-16-0x0000000005CF0000-0x0000000005DCC000-memory.dmpFilesize
880KB
-
memory/2504-19-0x0000000005CF0000-0x0000000005DCC000-memory.dmpFilesize
880KB
-
memory/2608-27-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-47-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-26-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-24-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-40-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-42-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-49-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-48-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-46-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-45-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-30-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-44-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-43-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-41-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-54-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-28-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-23-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-21-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-38-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-31-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-37-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-32-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-39-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-33-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-34-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-35-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-36-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-22-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-29-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-25-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-20-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2608-17-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB