Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
11-06-2024 14:27
General
-
Target
9e817e2a653d2dd0ff7067413c04508c_JaffaCakes118.exe
-
Size
264KB
-
MD5
9e817e2a653d2dd0ff7067413c04508c
-
SHA1
bf3a543152a5554d20f49c2ba2f11101895129f0
-
SHA256
b4916e08608cc89f83c2d1654b096f1c00d4b2b74da34ecdb39974452dd45594
-
SHA512
79a02436a75d1968e34a9225e3af77956b6f2d3af298ac789370719a1eb49c80b781b2f5503e698bc8813df9b3255177178d753e663dfbac3e04c272355cb25e
-
SSDEEP
6144:zN9obtouc5JGLycyqQgQl4TisvG5qwayQ7ShI223F/:59McvMycyqQxGusubaF76I3R
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 60 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e817e2a653d2dd0ff7067413c04508c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9e817e2a653d2dd0ff7067413c04508c_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9e817e2a653d2dd0ff7067413c04508c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9e817e2a653d2dd0ff7067413c04508c_JaffaCakes118.exe"2⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:n9B5gC="67g";PZ8=new%20ActiveXObject("WScript.Shell");N3Yr9V="fe0dEBJ";yj4cQ0=PZ8.RegRead("HKLM\\software\\Wow6432Node\\fePaH8s\\eR9E7yiMb");tpb9cS="L9Xo";eval(yj4cQ0);DBT5Yl5l="kGb05AD";1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:obho2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\7358d4\2d9c5e.1879f4fFilesize
3KB
MD59d9373c17bfa8c47b7f315bb8e0f753a
SHA11e3f4bd9242fea9ed001e64aa10effdb1009013e
SHA2566f71c899ae5ac571896aeffcffb1e6729f2b391e994d7275e0ac4f552722afa1
SHA51284c43be13b03089f8e5febb97ae9e79bbddc76e52a287ac9080a4846bfc2969ed7d0b2a720566d2a8eea61cbe9807c925b1a704b465d9da88d50395f8242a077
-
C:\Users\Admin\AppData\Local\7358d4\6d45a7.batFilesize
61B
MD514adc766d85da95cd0990ed6bcc1524d
SHA1e3c8f83a8fbfea658c9139d3e670d609745fb848
SHA2560245cf83462c2d8f2453beb1094af0133caee498c1ab5147ee361cb8a449c1c4
SHA512b4172624d668b6c1e7519cca9cbb53645ecc8b9aa1e4908801fd81983b092ed7ad26e3e29047ff5dc4e7744ee9f08dc61765133fa5957926cb4518127f4b60b8
-
C:\Users\Admin\AppData\Local\7358d4\e5ae70.lnkFilesize
877B
MD5a57d673ecd2a379d71b91fa975a2e993
SHA1ff8b27049a77bcb08fcbbac5f81ed17744ea9c84
SHA2568f9e9d41640ae4e709ed40d2ae71dda44e98e70602485b9900c87432ef831c0a
SHA512d474dbf51b0076f8c2fc270c2d869e1d7272f6422a200ad068d715bb05b1f065809ffed176a161a9f1858606150082a8d41fb27e5096383c59347961cd72a828
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\94d0f9.lnkFilesize
987B
MD5174c32c48177b31bb554da2526fb2def
SHA1422d5566562274383aa131919c53757bb9888440
SHA25661b02ea5237044adf7295e601bb747b2cd001c56c9a4bf0d1036a549b4856edd
SHA51263680c26700feecc170e5ef5b0bb2bb129594b9849d2435217f0ba8432ff3c6febed1bafe6da5833b2c5f68626bb1defe3eccc103662010fb0168686f13f0b9f
-
C:\Users\Admin\AppData\Roaming\e53183\8858ab.1879f4fFilesize
6KB
MD5ce420f1bf9001c7f2e4eb99b1671231b
SHA1fa2bf83dc89af09624e23e3ec8e6b9a363620745
SHA25667df8b2085d9a20e88c8c5a5c19941661e91bf9a6664d8408b817619aae5a1e7
SHA512428304cde9072ad922c2358070af8f36db64cd3405c6babeb2ac1927ad8ea2d2551a270e86c7f2d58952bd91caea2e20914afe9cac161bdaf9594c856ec98220
-
memory/572-75-0x0000000000240000-0x0000000000381000-memory.dmpFilesize
1.3MB
-
memory/572-74-0x0000000000240000-0x0000000000381000-memory.dmpFilesize
1.3MB
-
memory/572-84-0x0000000000240000-0x0000000000381000-memory.dmpFilesize
1.3MB
-
memory/572-72-0x0000000000240000-0x0000000000381000-memory.dmpFilesize
1.3MB
-
memory/572-73-0x0000000000240000-0x0000000000381000-memory.dmpFilesize
1.3MB
-
memory/572-70-0x0000000000240000-0x0000000000381000-memory.dmpFilesize
1.3MB
-
memory/572-76-0x0000000000240000-0x0000000000381000-memory.dmpFilesize
1.3MB
-
memory/572-77-0x0000000000240000-0x0000000000381000-memory.dmpFilesize
1.3MB
-
memory/572-79-0x0000000000240000-0x0000000000381000-memory.dmpFilesize
1.3MB
-
memory/572-80-0x0000000000240000-0x0000000000381000-memory.dmpFilesize
1.3MB
-
memory/572-81-0x0000000000240000-0x0000000000381000-memory.dmpFilesize
1.3MB
-
memory/572-82-0x0000000000240000-0x0000000000381000-memory.dmpFilesize
1.3MB
-
memory/572-83-0x0000000000240000-0x0000000000381000-memory.dmpFilesize
1.3MB
-
memory/572-85-0x0000000000240000-0x0000000000381000-memory.dmpFilesize
1.3MB
-
memory/572-78-0x0000000000240000-0x0000000000381000-memory.dmpFilesize
1.3MB
-
memory/572-71-0x0000000000240000-0x0000000000381000-memory.dmpFilesize
1.3MB
-
memory/1688-49-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-51-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-41-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-40-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-39-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-38-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-37-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-36-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-35-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-34-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-33-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-32-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-31-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-50-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-57-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-58-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-56-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-55-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-54-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-53-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-52-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-42-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-69-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-45-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-46-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-47-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-48-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-27-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-43-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-26-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-30-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/1688-29-0x0000000000130000-0x0000000000271000-memory.dmpFilesize
1.3MB
-
memory/2736-3-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/2736-15-0x0000000001CA0000-0x0000000001D76000-memory.dmpFilesize
856KB
-
memory/2736-14-0x0000000001CA0000-0x0000000001D76000-memory.dmpFilesize
856KB
-
memory/2736-10-0x0000000001CA0000-0x0000000001D76000-memory.dmpFilesize
856KB
-
memory/2736-11-0x0000000001CA0000-0x0000000001D76000-memory.dmpFilesize
856KB
-
memory/2736-12-0x0000000001CA0000-0x0000000001D76000-memory.dmpFilesize
856KB
-
memory/2736-13-0x0000000001CA0000-0x0000000001D76000-memory.dmpFilesize
856KB
-
memory/2736-9-0x0000000001CA0000-0x0000000001D76000-memory.dmpFilesize
856KB
-
memory/2736-8-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/2736-7-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/2960-44-0x0000000006250000-0x0000000006326000-memory.dmpFilesize
856KB
-
memory/2960-24-0x0000000006250000-0x0000000006326000-memory.dmpFilesize
856KB