Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
22-05-2024 16:06
General
-
Target
67d65974ec1a9a6942d51f5a385453fa_JaffaCakes118.exe
-
Size
359KB
-
MD5
67d65974ec1a9a6942d51f5a385453fa
-
SHA1
1d957ec9a36607a0e31f112b9d9162fff4c7080a
-
SHA256
dc5701a95de466171ff57df8229a9a6af5226fafb2f7c21a4642d5bb633952d9
-
SHA512
569bc3bd07c5fd7a7f13761e29f9ab3361af510f3d8e90ca87c045705c7b8f4d32adfce88f31e8695e444e540e26bc05f35e57e35c6554f35a101e5e3a19f000
-
SSDEEP
6144:1R+X6Y1VfFBfv9zZ7FVvTLrlp1ATv4QCkhRsDoO3Ay1Al:1AX6CVfrfpV7sv4QxcFQy1I
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 56 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\67d65974ec1a9a6942d51f5a385453fa_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\67d65974ec1a9a6942d51f5a385453fa_JaffaCakes118.exe"1⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:iBEd2MR="aD";HA2=new%20ActiveXObject("WScript.Shell");z2XXNGHL="25UGNg4D";nzq7Y=HA2.RegRead("HKCU\\software\\QRMleL4Atn\\DNpt66");um8jVR2I="aiSHZF";eval(nzq7Y);XUlE5an0="Q2I";1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:vihqef2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\26ada5\38e275.batFilesize
67B
MD52b2b82c1e9be8ae45ddb17c0d93f2e7b
SHA19a4abdad981cf4f07c12a5ad2b84bd9f5539b220
SHA256adfcf3411ca1d8914917270283221918e145e4736a17fdce959d7c51970dcba1
SHA512dd93dbd40f9612806ea615ae6ac4ff43a43d00cee196caf137922149cd7e58ba39fcdd2a460f10516824b5f4a54352a1bc43ec2f66bee56f156f174a967d8420
-
C:\Users\Admin\AppData\Local\26ada5\82963c.8aa1d52Filesize
45KB
MD5ac1b85bf2f8c30906dca114ae7a4b69d
SHA1ca0ded1a78a2d7ab27ac0a39e2db6bde0dc7e118
SHA2569cf47e8f4f2fc7ac72279d4f504d7385c654534c9fb699220a6de04a4b8ae661
SHA5123bf1a240343d3f04d7963e4cb46f7ac7824deab3098ede4e303fed9b1e3911751c0ddd2e50ff1d3313d535e97815c8039d4ce8e86b22f0b94ff885e668136acd
-
memory/572-66-0x0000000000130000-0x000000000027A000-memory.dmpFilesize
1.3MB
-
memory/572-63-0x0000000000130000-0x000000000027A000-memory.dmpFilesize
1.3MB
-
memory/572-64-0x0000000000130000-0x000000000027A000-memory.dmpFilesize
1.3MB
-
memory/572-65-0x0000000000130000-0x000000000027A000-memory.dmpFilesize
1.3MB
-
memory/572-56-0x0000000000130000-0x000000000027A000-memory.dmpFilesize
1.3MB
-
memory/572-67-0x0000000000130000-0x000000000027A000-memory.dmpFilesize
1.3MB
-
memory/572-68-0x0000000000130000-0x000000000027A000-memory.dmpFilesize
1.3MB
-
memory/572-70-0x0000000000130000-0x000000000027A000-memory.dmpFilesize
1.3MB
-
memory/572-71-0x0000000000130000-0x000000000027A000-memory.dmpFilesize
1.3MB
-
memory/572-72-0x0000000000130000-0x000000000027A000-memory.dmpFilesize
1.3MB
-
memory/572-73-0x0000000000130000-0x000000000027A000-memory.dmpFilesize
1.3MB
-
memory/572-69-0x0000000000130000-0x000000000027A000-memory.dmpFilesize
1.3MB
-
memory/2392-33-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-25-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-20-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-47-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-53-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-52-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-51-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-50-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-49-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-48-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-41-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-40-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-38-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-37-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-36-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-34-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-32-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-22-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-31-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-30-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-29-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-28-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-26-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-27-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-24-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-23-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-42-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-21-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-17-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-39-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-35-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2392-16-0x0000000000270000-0x00000000003BA000-memory.dmpFilesize
1.3MB
-
memory/2700-15-0x0000000005B00000-0x0000000005BDC000-memory.dmpFilesize
880KB
-
memory/2700-14-0x0000000004840000-0x0000000004841000-memory.dmpFilesize
4KB
-
memory/2700-19-0x0000000005B00000-0x0000000005BDC000-memory.dmpFilesize
880KB
-
memory/2804-6-0x0000000001D30000-0x0000000001E0C000-memory.dmpFilesize
880KB
-
memory/2804-4-0x0000000001D30000-0x0000000001E0C000-memory.dmpFilesize
880KB
-
memory/2804-5-0x0000000001D30000-0x0000000001E0C000-memory.dmpFilesize
880KB
-
memory/2804-8-0x0000000001D30000-0x0000000001E0C000-memory.dmpFilesize
880KB
-
memory/2804-7-0x0000000001D30000-0x0000000001E0C000-memory.dmpFilesize
880KB
-
memory/2804-2-0x0000000001D30000-0x0000000001E0C000-memory.dmpFilesize
880KB
-
memory/2804-57-0x0000000001D30000-0x0000000001E0C000-memory.dmpFilesize
880KB
-
memory/2804-9-0x0000000001D30000-0x0000000001E0C000-memory.dmpFilesize
880KB
-
memory/2804-0-0x0000000000400000-0x0000000000460710-memory.dmpFilesize
385KB
-
memory/2804-3-0x0000000000400000-0x0000000000460710-memory.dmpFilesize
385KB
-
memory/2804-1-0x0000000000457000-0x0000000000459000-memory.dmpFilesize
8KB