Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
31-05-2024 22:37
General
-
Target
88983562d1e3b618aa88fec58dbea6a3_JaffaCakes118.exe
-
Size
351KB
-
MD5
88983562d1e3b618aa88fec58dbea6a3
-
SHA1
e3c892a4bd17e6e1642b830e559083aff08b42c4
-
SHA256
0806150318462ff77736adcb5e95f2c2cb26945f5c6db42e765dbfedcffbd8b7
-
SHA512
e323c3a0009e555a9ddc0b14c411817af4c69f5cd50f3da49afb7e5de875618688d8620ddad0e4d92983f9a0a7cfddfd750e8e13939fa213fa144002b46d29fb
-
SSDEEP
6144:Y+Rvg216cHRoSrSxdLrJ0NPabD+P/SMXPVA84zKXq6eMfQrCleJVfoN9Nee:FRvg216ckxdL109ab6ngNzKXq6f6fo3H
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 56 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\88983562d1e3b618aa88fec58dbea6a3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\88983562d1e3b618aa88fec58dbea6a3_JaffaCakes118.exe"1⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:g8uvRX3="25";vh07=new%20ActiveXObject("WScript.Shell");J9Sa2Hg="EV1WUqTA";WpC0C=vh07.RegRead("HKCU\\software\\TSqPTB1J9S\\V5SQvs5R");r3I4Pu="eSCnVgzX";eval(WpC0C);HuCgqm1l="qF6Csex";1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:jzwir2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\Local\26ada5\38e275.batFilesize
70B
MD520395ad8803ab38fb3d56d6c6f47193f
SHA14cadf4db78f2f90d7a9f5cf5fa5e6fce3928925f
SHA256cc27f622de9e7ca76f107e47f889d63f22c4c1e804b5b856ed55a1c96cbe6349
SHA51222df58e60cb6083fd04bb1208c6e9a26e54cec591f98022d6ac511cd3dda6df7d1dccda68fbf684ea81625a5b79c35c749a3146d0aed66a5c05f25596a23ab90
-
C:\Users\Admin\AppData\Local\26ada5\82963c.8aa1d52Filesize
4KB
MD59fb86fd71f15e3b4ec3e3211b56ade1c
SHA1abc4944a2f05a4eaad049aa7ab6e0fd2e9071c12
SHA25689b6695d55f9a6a2bf692bf8e805a921a0a5863a4e3710f9235e5a1feb9d21db
SHA512bdb1bddc1beda4adca32013a667bfba424084638e4d26d903b650debb661a96c62fbdb656f70b74727f0ac60f191a361c42cb6681195cc5e1e2ff2a9a7b318c2
-
C:\Users\Admin\AppData\Local\Temp\TarD3F9.tmpFilesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
memory/628-32-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-29-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-30-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-22-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-23-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-36-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-24-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-25-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-39-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-17-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-20-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-41-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-21-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-27-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-49-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-54-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-53-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-52-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-51-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-50-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-26-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-48-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-43-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-40-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-38-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-42-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-28-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-31-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-33-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-34-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-35-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/628-37-0x0000000000150000-0x000000000029A000-memory.dmpFilesize
1.3MB
-
memory/1668-68-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1668-63-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1668-69-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1668-62-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1668-61-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1668-66-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1668-72-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1668-65-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1668-71-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1668-67-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1668-70-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1668-64-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1688-4-0x0000000001D50000-0x0000000001E2C000-memory.dmpFilesize
880KB
-
memory/1688-3-0x0000000000400000-0x000000000045EF20-memory.dmpFilesize
379KB
-
memory/1688-7-0x0000000001D50000-0x0000000001E2C000-memory.dmpFilesize
880KB
-
memory/1688-2-0x0000000001D50000-0x0000000001E2C000-memory.dmpFilesize
880KB
-
memory/1688-6-0x0000000001D50000-0x0000000001E2C000-memory.dmpFilesize
880KB
-
memory/1688-1-0x0000000000400000-0x000000000045EF20-memory.dmpFilesize
379KB
-
memory/1688-14-0x0000000000456000-0x0000000000458000-memory.dmpFilesize
8KB
-
memory/1688-9-0x0000000001D50000-0x0000000001E2C000-memory.dmpFilesize
880KB
-
memory/1688-8-0x0000000001D50000-0x0000000001E2C000-memory.dmpFilesize
880KB
-
memory/1688-55-0x0000000001D50000-0x0000000001E2C000-memory.dmpFilesize
880KB
-
memory/1688-0-0x0000000000456000-0x0000000000458000-memory.dmpFilesize
8KB
-
memory/1688-5-0x0000000001D50000-0x0000000001E2C000-memory.dmpFilesize
880KB
-
memory/2604-16-0x0000000005E20000-0x0000000005EFC000-memory.dmpFilesize
880KB
-
memory/2604-19-0x0000000005E20000-0x0000000005EFC000-memory.dmpFilesize
880KB
-
memory/2604-15-0x0000000002830000-0x0000000002831000-memory.dmpFilesize
4KB