Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
16-05-2024 14:49
General
-
Target
4ba040cd37c2377080ac0ab46c0e0f29_JaffaCakes118.exe
-
Size
351KB
-
MD5
4ba040cd37c2377080ac0ab46c0e0f29
-
SHA1
7e82e62d98df025b1ef7ddd9fbadeaa6d70394d9
-
SHA256
9d6deb673f680360e6e174d5e908c01a72de5a25d3d57abeba1a3fe7b3bd5897
-
SHA512
bf282fd2e7c733b70dfd8f52e5d8aa006bf738eea1add3f7b07a0b0729e8c27b8076fe02bf9b6f15dc73c1fd7330762d87e5b5f94f3cc60289333abbb009e181
-
SSDEEP
6144:dOH7owoxfZMSHMdEyXD1DkoMBulp/vmhGAgcPVdHel3J:dOH7poBxeZD7MBuLmGA565
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 57 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4ba040cd37c2377080ac0ab46c0e0f29_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4ba040cd37c2377080ac0ab46c0e0f29_JaffaCakes118.exe"1⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:l9W4RD="feomM8L";l69N=new%20ActiveXObject("WScript.Shell");kpO7Jn="mc7";xBSl9=l69N.RegRead("HKCU\\software\\oPdLUZJ\\qIG888who");VYoHK1A="LJvm89";eval(xBSl9);s5pFHgY="CY8";1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:rebzgqr2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\d866a3c3\1ac3c0ce.5ad3c886bFilesize
28KB
MD508b3d2f3a30ddf91dd54e367efc3f836
SHA13c322909dd2a2ab2917beca53d499deaaf9f8e32
SHA25631a7ced501ca0214704f336e8133c47425f97a82e6ccab18f1265e6b56b84a15
SHA512b3a26033f050811111b0d849c579cc2feb20095c8cc53edb850faa45476330fa9b8ae90719f9c55cca0df7e9177b1a08869fa03c1d0a68556ea38d455791ef05
-
C:\Users\Admin\AppData\Local\d866a3c3\2abf568c.batFilesize
74B
MD5af10615d2209989eae7877fc91934f82
SHA1f7cd75e1452a8a7e3086c9fdffb87764000c831f
SHA256259a1588d2165bbf8cdc9c309583a5387d13aeb78caab780c585f9a3b6d1aea6
SHA51216bee5c48e3f66bb21299671b01c183b06f082bd4ba679adf4b418d80b5a59871619053dfcd9a23a850a51dbbf95a118ba780fb5ea2d2903142d300d77b636ee
-
memory/1732-72-0x0000000000110000-0x000000000025A000-memory.dmpFilesize
1.3MB
-
memory/1732-65-0x0000000000110000-0x000000000025A000-memory.dmpFilesize
1.3MB
-
memory/1732-67-0x0000000000110000-0x000000000025A000-memory.dmpFilesize
1.3MB
-
memory/1732-70-0x0000000000110000-0x000000000025A000-memory.dmpFilesize
1.3MB
-
memory/1732-61-0x0000000000110000-0x000000000025A000-memory.dmpFilesize
1.3MB
-
memory/1732-71-0x0000000000110000-0x000000000025A000-memory.dmpFilesize
1.3MB
-
memory/1732-69-0x0000000000110000-0x000000000025A000-memory.dmpFilesize
1.3MB
-
memory/1732-68-0x0000000000110000-0x000000000025A000-memory.dmpFilesize
1.3MB
-
memory/1732-66-0x0000000000110000-0x000000000025A000-memory.dmpFilesize
1.3MB
-
memory/1732-63-0x0000000000110000-0x000000000025A000-memory.dmpFilesize
1.3MB
-
memory/1732-73-0x0000000000110000-0x000000000025A000-memory.dmpFilesize
1.3MB
-
memory/1732-64-0x0000000000110000-0x000000000025A000-memory.dmpFilesize
1.3MB
-
memory/1816-57-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-28-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-40-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-46-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-41-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-39-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-38-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-37-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-36-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-35-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-34-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-33-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-32-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-31-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-54-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-58-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-15-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-56-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-55-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-53-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-62-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-30-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-29-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-25-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-27-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-26-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-24-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-22-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-21-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-20-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-19-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-16-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/1816-23-0x0000000000300000-0x000000000044A000-memory.dmpFilesize
1.3MB
-
memory/2632-14-0x00000000061A0000-0x000000000627C000-memory.dmpFilesize
880KB
-
memory/2632-18-0x00000000061A0000-0x000000000627C000-memory.dmpFilesize
880KB
-
memory/2632-13-0x0000000004DF0000-0x0000000004DF1000-memory.dmpFilesize
4KB
-
memory/3024-3-0x0000000000400000-0x000000000045DD20-memory.dmpFilesize
375KB
-
memory/3024-0-0x0000000000400000-0x000000000045DD20-memory.dmpFilesize
375KB
-
memory/3024-9-0x0000000001E00000-0x0000000001EDC000-memory.dmpFilesize
880KB
-
memory/3024-47-0x0000000001E00000-0x0000000001EDC000-memory.dmpFilesize
880KB
-
memory/3024-4-0x0000000001E00000-0x0000000001EDC000-memory.dmpFilesize
880KB
-
memory/3024-7-0x0000000001E00000-0x0000000001EDC000-memory.dmpFilesize
880KB
-
memory/3024-8-0x0000000001E00000-0x0000000001EDC000-memory.dmpFilesize
880KB
-
memory/3024-5-0x0000000001E00000-0x0000000001EDC000-memory.dmpFilesize
880KB
-
memory/3024-6-0x0000000001E00000-0x0000000001EDC000-memory.dmpFilesize
880KB
-
memory/3024-2-0x0000000001E00000-0x0000000001EDC000-memory.dmpFilesize
880KB
-
memory/3024-1-0x0000000000455000-0x0000000000457000-memory.dmpFilesize
8KB