Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
31-05-2024 22:37
General
-
Target
88983562d1e3b618aa88fec58dbea6a3_JaffaCakes118.exe
-
Size
351KB
-
MD5
88983562d1e3b618aa88fec58dbea6a3
-
SHA1
e3c892a4bd17e6e1642b830e559083aff08b42c4
-
SHA256
0806150318462ff77736adcb5e95f2c2cb26945f5c6db42e765dbfedcffbd8b7
-
SHA512
e323c3a0009e555a9ddc0b14c411817af4c69f5cd50f3da49afb7e5de875618688d8620ddad0e4d92983f9a0a7cfddfd750e8e13939fa213fa144002b46d29fb
-
SSDEEP
6144:Y+Rvg216cHRoSrSxdLrJ0NPabD+P/SMXPVA84zKXq6eMfQrCleJVfoN9Nee:FRvg216ckxdL109ab6ngNzKXq6f6fo3H
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 56 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\88983562d1e3b618aa88fec58dbea6a3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\88983562d1e3b618aa88fec58dbea6a3_JaffaCakes118.exe"1⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:g8uvRX3="25";vh07=new%20ActiveXObject("WScript.Shell");J9Sa2Hg="EV1WUqTA";WpC0C=vh07.RegRead("HKCU\\software\\TSqPTB1J9S\\V5SQvs5R");r3I4Pu="eSCnVgzX";eval(WpC0C);HuCgqm1l="qF6Csex";1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:jzwir2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
70B
MD520395ad8803ab38fb3d56d6c6f47193f
SHA14cadf4db78f2f90d7a9f5cf5fa5e6fce3928925f
SHA256cc27f622de9e7ca76f107e47f889d63f22c4c1e804b5b856ed55a1c96cbe6349
SHA51222df58e60cb6083fd04bb1208c6e9a26e54cec591f98022d6ac511cd3dda6df7d1dccda68fbf684ea81625a5b79c35c749a3146d0aed66a5c05f25596a23ab90
-
Filesize
4KB
MD59fb86fd71f15e3b4ec3e3211b56ade1c
SHA1abc4944a2f05a4eaad049aa7ab6e0fd2e9071c12
SHA25689b6695d55f9a6a2bf692bf8e805a921a0a5863a4e3710f9235e5a1feb9d21db
SHA512bdb1bddc1beda4adca32013a667bfba424084638e4d26d903b650debb661a96c62fbdb656f70b74727f0ac60f191a361c42cb6681195cc5e1e2ff2a9a7b318c2
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
880KB
-
Filesize
379KB
-
Filesize
880KB
-
Filesize
880KB
-
Filesize
880KB
-
Filesize
379KB
-
Filesize
8KB
-
Filesize
880KB
-
Filesize
880KB
-
Filesize
880KB
-
Filesize
8KB
-
Filesize
880KB
-
Filesize
880KB
-
Filesize
880KB
-
Filesize
4KB