Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
28-05-2024 15:24
General
-
Target
7d72c26893a94c166ed8f490b211dd4c_JaffaCakes118.exe
-
Size
297KB
-
MD5
7d72c26893a94c166ed8f490b211dd4c
-
SHA1
ee880b7473ff6583c11ec92766bf0ae6f73bf692
-
SHA256
b484d4b1ac36fcbb4150ef16848d69841a2498dba4101fe1549d8e1de0a17261
-
SHA512
84c784cfd36b5711f6320d3a2975cc3b63b2439c995eb8021bfbffccd4808aed964c8d6bd551f58257f2fcfe5b74d04e649c14e1121df5d4080161457ad9e844
-
SSDEEP
6144:xTx9Z4h3oSNcDW1m7Y3qPr5Qh0auUMnbBD9W:TIr+aiVJagBDg
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 58 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d72c26893a94c166ed8f490b211dd4c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\7d72c26893a94c166ed8f490b211dd4c_JaffaCakes118.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7d72c26893a94c166ed8f490b211dd4c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\7d72c26893a94c166ed8f490b211dd4c_JaffaCakes118.exe"2⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:k6DCU="nXBpN5w";sb28=new%20ActiveXObject("WScript.Shell");wk4K2qT="fbQMI3jx";q5AFJ=sb28.RegRead("HKLM\\software\\Wow6432Node\\BBRZdKi\\qIaPDl");EY9cX1HE="eyC";eval(q5AFJ);Zw2Kom5W="o";1⤵
- Process spawned unexpected child process
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:ramtbn2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
31KB
MD5cbc555d14e9213767440945dd51086a0
SHA1155b14f50c258bedcbeb17614ffbdba2dcbcc6c9
SHA256f1edfee3805a4fa5a4643e27f0bf4f579e0f325f4d5eab9a0ac37f24c6be9267
SHA51222620ac1ea284c92d3de76e68c1eaca854915b18434a1b2bb0262fe61c0431220475af9d92199b2b15799ae09bc2170dccf13f26128ce10bd05d208a1245e73e
-
Filesize
61B
MD514adc766d85da95cd0990ed6bcc1524d
SHA1e3c8f83a8fbfea658c9139d3e670d609745fb848
SHA2560245cf83462c2d8f2453beb1094af0133caee498c1ab5147ee361cb8a449c1c4
SHA512b4172624d668b6c1e7519cca9cbb53645ecc8b9aa1e4908801fd81983b092ed7ad26e3e29047ff5dc4e7744ee9f08dc61765133fa5957926cb4518127f4b60b8
-
Filesize
877B
MD57e7925dc5fb73c2cc7e6be937769a524
SHA12fc32ca2d072df177ce2239f6a8b55fa3f6046f2
SHA25659b2af5649fbaa3827f1095521a6ba8a88c456a89af42298fbe1f6e226ced75e
SHA51223a226f45efb625109f69ce8a780fd459dcd5b8f1a29f6113071097822f586ad321109f7c25a30c00ba2f9dbf06bd747ae2986e769b23e390c3963a690eebca3
-
Filesize
987B
MD5b256a7d842b284fe9567a9522359cfe0
SHA118da1a55a210290c2ee861443357e732b92be3e0
SHA256b9b4a24ded6a58c25fc546de06eb82625d626f4e9747d196dcf4ce6178bc154c
SHA512835fe86677c3737d24a5e8e97a6138cc3b883f045ee2fb071e911421b7de9fb1256d3fb3d79d8cbb5b79aaa54c7469b319ba7032678687a114ebf99c07926baa
-
Filesize
17KB
MD5c7475fc5708457d1d87855a369e5ee4e
SHA1432d73767adbcc9fd3eb9c7dd44c21126f46bd61
SHA2569bcec62ed16ea01fd5a8edb645533e85a063a3289fcd18f3d18b1f84b5da55f7
SHA5125539fee94107870b2f71ae782ff41b1e46dc0ce5a079e123b0dbcbd8dae4aeac870eb89b8c07b946d19ca46e0791b707632c0679c5fcdcf9c6955e6a45ad4c1e
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
16KB
-
Filesize
332KB
-
Filesize
16KB
-
Filesize
232KB
-
Filesize
232KB
-
Filesize
4KB
-
Filesize
856KB
-
Filesize
856KB
-
Filesize
856KB
-
Filesize
232KB
-
Filesize
856KB
-
Filesize
856KB
-
Filesize
856KB
-
Filesize
856KB
-
Filesize
856KB
-
Filesize
856KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB