Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
19-05-2024 04:15
General
-
Target
587fdae7d9f4e1f8922cf5a27ca4d17b_JaffaCakes118.exe
-
Size
327KB
-
MD5
587fdae7d9f4e1f8922cf5a27ca4d17b
-
SHA1
8fb1f7044311368ebb0a899187b2ddc09938bb74
-
SHA256
ce857fd65af819ca38c66241dfcda60f9a965811b309290270e8c0b12435bb43
-
SHA512
f8b6f5b98a56b3abaf8e12dd3c3d3fb66aceb78c4511d353301528003602ffb85a5a52a22d7385ed7f7dfee6fde973538920fc024efa538f6ef3bf0feceb00e4
-
SSDEEP
6144:8Cpd5ll1p5kJYPR1tUyv8v1//C66U/YQgGOFjaUZaWMA6bUmF5HEJc+ynqSQpdf+:Dbl/5kJYPtUyEvl/6QgGh2mF5koqxLf+
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 57 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\587fdae7d9f4e1f8922cf5a27ca4d17b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\587fdae7d9f4e1f8922cf5a27ca4d17b_JaffaCakes118.exe"1⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:hAIAt4="3FU4wt";Yd5=new%20ActiveXObject("WScript.Shell");d3jgl8p="4ZLR3Ko";kM5h8y=Yd5.RegRead("HKCU\\software\\blBJcS6\\NmCMsckHT");KEa5l="OLm";eval(kM5h8y);ic1OQTQ="00bBG7k";1⤵
- Process spawned unexpected child process
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:wfgae2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\e958ddd\2f636da.82dd174bFilesize
37KB
MD5bc1e27f9bfb5fbda0cd8c07d69c64954
SHA1366a380361d65384d797c216c1aebfc54a186bb5
SHA25619876b16c01651340881ddc87c5488e02b973d527e89ee35ad08a3a04d8f1f10
SHA512dcf5b3dcec2a386d1be5c9adb6261ec4bb5b8fbaec0b5a2c1efaa993e5a80cbe923674e46462732d0cfcad6603f79a8e37663d5ef3910af57ae8336d3775878c
-
C:\Users\Admin\AppData\Local\e958ddd\7d7b99e.batFilesize
72B
MD5e90a4068555bd159cde22a80ed4401b2
SHA1a5aafbee7fee9e914415068bcc3fb8d9896f6c51
SHA256d1fa2567360515a1f6f739843a6854ff92241d21cd07ca252e62542fe8bfa946
SHA51240d504573f82b863a62a77da5db56b7d7388550e7126d24f1478fbbd8bfc1b3dc66408137085845461b20dab410aab6f88dae7de55f92256c46b98501cd4e02f
-
memory/1848-4-0x0000000001DF0000-0x0000000001ECC000-memory.dmpFilesize
880KB
-
memory/1848-7-0x0000000001DF0000-0x0000000001ECC000-memory.dmpFilesize
880KB
-
memory/1848-6-0x0000000000400000-0x000000000045A5E8-memory.dmpFilesize
361KB
-
memory/1848-5-0x0000000001DF0000-0x0000000001ECC000-memory.dmpFilesize
880KB
-
memory/1848-1-0x0000000000452000-0x0000000000454000-memory.dmpFilesize
8KB
-
memory/1848-3-0x0000000001DF0000-0x0000000001ECC000-memory.dmpFilesize
880KB
-
memory/1848-8-0x0000000001DF0000-0x0000000001ECC000-memory.dmpFilesize
880KB
-
memory/1848-9-0x0000000001DF0000-0x0000000001ECC000-memory.dmpFilesize
880KB
-
memory/1848-2-0x0000000001DF0000-0x0000000001ECC000-memory.dmpFilesize
880KB
-
memory/1848-0-0x0000000000400000-0x000000000045A5E8-memory.dmpFilesize
361KB
-
memory/1848-55-0x0000000001DF0000-0x0000000001ECC000-memory.dmpFilesize
880KB
-
memory/1904-63-0x00000000002C0000-0x000000000040A000-memory.dmpFilesize
1.3MB
-
memory/1904-65-0x00000000002C0000-0x000000000040A000-memory.dmpFilesize
1.3MB
-
memory/1904-66-0x00000000002C0000-0x000000000040A000-memory.dmpFilesize
1.3MB
-
memory/1904-64-0x00000000002C0000-0x000000000040A000-memory.dmpFilesize
1.3MB
-
memory/1904-67-0x00000000002C0000-0x000000000040A000-memory.dmpFilesize
1.3MB
-
memory/1904-68-0x00000000002C0000-0x000000000040A000-memory.dmpFilesize
1.3MB
-
memory/1904-69-0x00000000002C0000-0x000000000040A000-memory.dmpFilesize
1.3MB
-
memory/1904-70-0x00000000002C0000-0x000000000040A000-memory.dmpFilesize
1.3MB
-
memory/1904-71-0x00000000002C0000-0x000000000040A000-memory.dmpFilesize
1.3MB
-
memory/1904-72-0x00000000002C0000-0x000000000040A000-memory.dmpFilesize
1.3MB
-
memory/1904-73-0x00000000002C0000-0x000000000040A000-memory.dmpFilesize
1.3MB
-
memory/1904-62-0x00000000002C0000-0x000000000040A000-memory.dmpFilesize
1.3MB
-
memory/1904-61-0x00000000002C0000-0x000000000040A000-memory.dmpFilesize
1.3MB
-
memory/2508-26-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-37-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-35-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-51-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-50-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-49-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-48-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-33-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-32-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-31-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-29-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-30-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-28-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-27-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-25-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-24-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-36-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-52-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-38-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-47-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-39-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-42-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-41-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-40-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-34-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-19-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-20-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-18-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-15-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-23-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-22-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2508-21-0x0000000000280000-0x00000000003CA000-memory.dmpFilesize
1.3MB
-
memory/2912-17-0x00000000060D0000-0x00000000061AC000-memory.dmpFilesize
880KB
-
memory/2912-14-0x00000000060D0000-0x00000000061AC000-memory.dmpFilesize
880KB
-
memory/2912-13-0x0000000005480000-0x0000000005481000-memory.dmpFilesize
4KB