Resubmissions
03-06-2024 01:47
240603-b7t7dsgc35 10Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
03-06-2024 01:47
General
-
Target
902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe
-
Size
246KB
-
MD5
902985d25a3a47bafe3e30d6feada3d7
-
SHA1
c075bba53188ec6d11f1ca3b1f8cbae4893f6801
-
SHA256
713bf00309fc31dcae6d0bf9fa75ad659299701a2ca9b5dd8f6b6f048fa057e4
-
SHA512
60a57930249b5b89650676c0d8950c8cad43a487ff3aee8ba01e0e0d5856fe46865b324525e8e5c5faf627be8a057d02df14a25420558b1bc2f28f3440bbfa87
-
SSDEEP
6144:H3N7ORvl3p1TT+UogjT+P8pAhmOT8HbWYStr15qCePoofg2pum:XB23p4gXtpAhaHitr15Xm/Npn
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 49 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\902985d25a3a47bafe3e30d6feada3d7_JaffaCakes118.exe2⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:r6sYly="Hwq2qwjH";G0G=new%20ActiveXObject("WScript.Shell");rL7HU="ga";amc51K=G0G.RegRead("HKCU\\software\\CMtNkne\\RzUHAR8");CWy6sGL="R";eval(amc51K);kfKkl6Kg4="CuOB6";1⤵
- Process spawned unexpected child process
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:krhso2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\2f478\6bc9f.lnkFilesize
865B
MD5d9c623df40b10b01b1e939309505ce5d
SHA125b86720da379ac06fd74db164c3a943bea190ef
SHA2564a5a7cac67863116e29ee6fbd4c00be772fba0a823baad544442a2139d433958
SHA512248fa67471e1e83688cd9218f695046d04afe5a66d98f344b689eeae8d0fa0f800a212ced7dd740c1155643982af3ee0828722a2d5a806e113ec91266f530b45
-
C:\Users\Admin\AppData\Local\2f478\cf743.6cddf1Filesize
34KB
MD5ee22962dcf796301aa65031524a21391
SHA14c0bfc53ea83dd87b9e489ce11e1e7e25041b970
SHA256938ef25e153105a45adc7a4f02ebe26cb08b2e93453bc4efb84c6c61ac152c6e
SHA5123960628a55c03dde86f92fe18338b5ba0f263aed01bdf39841f91b6f67fa0cf6ac35ca1dfecc9320b804784901268c90da52bd0d10f6eb3682e577217ab3b053
-
C:\Users\Admin\AppData\Local\2f478\ea3db.batFilesize
58B
MD5ef6c3197a29b082dd3ab71e7b82d503f
SHA19125051b2f67bc8ba6189b820772367fe4d1c5f1
SHA2560cbbd3fa0ffeb05e6068cca3370e3a22daf4c80e311da851191ef5544e5d1233
SHA512c21a413a12996fbe26718300c208d40f49e15ace90f707a3aea1cb469c84aad7ee40323b61dfb0dec7d7c361626eebcc7932c7c0c1118dbb3441163b8258aec7
-
C:\Users\Admin\AppData\Roaming\06809\0da6d.6cddf1Filesize
13KB
MD5ebe66d1940c45238ce1f7804f6f9f923
SHA11fdef251404c2fef819ea142d4bde65579678cc4
SHA256cb3500c06221793796ae0c6746226d72100b6480e782074413317c18f51c67d4
SHA5128183cdf880e31be8ef2696804bfbc58bba225dc6a133af4e714300eed512059a388d02f838fb7a70b158a81316b8ff41be1ec3da0b0d38515c7e41f118524760
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\601f0.lnkFilesize
981B
MD52ce1c87972dcaa60b2dc16104f928cf9
SHA1ec676601fe9be6133f00542699bd4757d1f1a5af
SHA2564dc61dcead8c0846be3f7c585b2cbfaa7279834578046ed7e1bd1a27099820fc
SHA512606b621aae659a3c158b13a8fecc6c66d7f2caee8fe712b8d1301641a90802506a05cb2d38af6529506a338b9632024d2013162829e4f23de873cc0dafa814a9
-
memory/1536-27-0x00000000062F0000-0x00000000063C8000-memory.dmpFilesize
864KB
-
memory/1536-31-0x00000000062F0000-0x00000000063C8000-memory.dmpFilesize
864KB
-
memory/1604-84-0x0000000000270000-0x00000000003B4000-memory.dmpFilesize
1.3MB
-
memory/2252-2-0x0000000000400000-0x000000000043B000-memory.dmpFilesize
236KB
-
memory/2252-16-0x0000000000440000-0x0000000000518000-memory.dmpFilesize
864KB
-
memory/2252-17-0x0000000000440000-0x0000000000518000-memory.dmpFilesize
864KB
-
memory/2252-14-0x0000000000440000-0x0000000000518000-memory.dmpFilesize
864KB
-
memory/2252-15-0x0000000000440000-0x0000000000518000-memory.dmpFilesize
864KB
-
memory/2252-19-0x0000000000440000-0x0000000000518000-memory.dmpFilesize
864KB
-
memory/2252-20-0x0000000000440000-0x0000000000518000-memory.dmpFilesize
864KB
-
memory/2252-18-0x0000000000440000-0x0000000000518000-memory.dmpFilesize
864KB
-
memory/2252-13-0x0000000000400000-0x000000000043B000-memory.dmpFilesize
236KB
-
memory/2252-0-0x0000000000400000-0x000000000043B000-memory.dmpFilesize
236KB
-
memory/2252-4-0x0000000000400000-0x000000000043B000-memory.dmpFilesize
236KB
-
memory/2252-6-0x0000000000400000-0x000000000043B000-memory.dmpFilesize
236KB
-
memory/2252-10-0x0000000000400000-0x000000000043B000-memory.dmpFilesize
236KB
-
memory/2252-12-0x0000000000400000-0x000000000043B000-memory.dmpFilesize
236KB
-
memory/2252-8-0x0000000000400000-0x000000000043B000-memory.dmpFilesize
236KB
-
memory/2252-77-0x0000000000440000-0x0000000000518000-memory.dmpFilesize
864KB
-
memory/2696-45-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-62-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-47-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-36-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-41-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-44-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-52-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-51-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-71-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-50-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-49-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-48-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-70-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-64-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-63-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-46-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-60-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-59-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-53-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-43-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-54-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-40-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-42-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-39-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-32-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-38-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-33-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-35-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-37-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-34-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-30-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB
-
memory/2696-28-0x00000000000D0000-0x0000000000214000-memory.dmpFilesize
1.3MB