Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
12-06-2024 10:12
General
-
Target
a0475b19ba5a17fd8e96105893224ebe_JaffaCakes118.exe
-
Size
286KB
-
MD5
a0475b19ba5a17fd8e96105893224ebe
-
SHA1
9459d28f52a031d2ecbc835bbc6749b6f73fed0a
-
SHA256
eae239033282bd915f0056e18127a5cc754170d1641d238cd8639d3a5bc863f9
-
SHA512
f09a709a8cef0293e1c8861bd98650599b3c82ba3d037b8b34526224efb5da53ba1c863146db19f6d145ae25e455ccceb905cf10bb9a9bb8468bcb278beda1ec
-
SSDEEP
3072:cfDwOmBOmvOmUKDHuGxSiQkaTkXu67PApDIPbVz1OdqUJnKSvuiVKSCFZlXRVAP9:jfxLp0k+YopDSVMNKSmT/sU1O
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 56 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0475b19ba5a17fd8e96105893224ebe_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a0475b19ba5a17fd8e96105893224ebe_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a0475b19ba5a17fd8e96105893224ebe_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a0475b19ba5a17fd8e96105893224ebe_JaffaCakes118.exe"2⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:HsK88hGW="GPhXg";Gb1=new%20ActiveXObject("WScript.Shell");Cgo9Gq="8IbY";AYO8c=Gb1.RegRead("HKCU\\software\\qNzKXOH\\Ds1xL1");cP49bqh="yRIxi2W";eval(AYO8c);LE5TT0J="mBaU";1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:phrf2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\66a1e\730ec.lnkFilesize
869B
MD5a147d37dd04ced2a800d8bce2f3fb517
SHA1d46803c313248d267865f9ba0e9bce4af3340233
SHA256ddd840802047c25835a32312f4df276317691a03f2761ff872ff82a28c5275d6
SHA5123b485d02c0d0fa5c7aff79b47b05b06f1582da763e65ea4827d60ef4dbea598356cfcae93cbf1a1773f7811eedc269750680f26b733ceff5bd2acc116d037ee4
-
C:\Users\Admin\AppData\Local\66a1e\9d0e9.batFilesize
58B
MD596ed61043fc4ebbd4b85a3b700e68b58
SHA1500a80d10ed0d9fc8b01b72d4c76e66d4cfec105
SHA2569688c44a2686b1798574ea59a468c89dde3e07eac4c12bc8a16a330f4802f31d
SHA512ee029311eb5e5ba69f293f51757f0412733ced7f1ad0a0fadf3c9c8a040c54fce96bf1951ad51e3c58575d731a339c6fc6bd09525b4453efff7abb947f48d923
-
C:\Users\Admin\AppData\Local\66a1e\a5650.54ebceFilesize
43KB
MD5cf8896d18d1f2d475e2dc3ea026fc0f8
SHA1ba69fe47113f0f8f499a0897abfffb7f8e6d21aa
SHA25667270a6c792bb60b0a8a13d52a04ac2682043e4da7dfca3aa4d355b71287876d
SHA5126dae84000e0d27337cd5bbeec7546bac2915348724cf175e47342bdc7e7b6f50d396ba46d5fceeffa64d948681834c5d3f3723138ecb1be0ccf80bb149005d1b
-
C:\Users\Admin\AppData\Roaming\84941\7ed68.54ebceFilesize
43KB
MD59c5e91b14438e639a921d0813550fcaf
SHA145b269772e0d95c5329a54879517161f48f64d73
SHA256fcc5f64cb260950fb4507fdab9990e1ba09c9a0eaa7894bb0527997c80154647
SHA512bafa051695b3af4d14a167f2310a25b34645bb155533104b831c4a7e007c0f7e6f33195a2af17da0a000fa8605c9a4affadc249806f5d1de09f31a6fba225a13
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\daaa6.lnkFilesize
985B
MD541c3297c81195254bbd1d69b0f9573cb
SHA1290c231f1638062d712f9b2d18ee80f67acc0431
SHA2567188c3f85722b38ad8d2690afc83de366de71766369a13ad27e15237c0dc0e29
SHA51241dc9a9ed77469c3cef5f2cd481fc96166b864ac05b44f9eb12a81dad539d0279f00efcf9c84d495d4c150a09fa80d198b3ae64855fb1542bd87c666936b5044
-
memory/2340-6-0x0000000001CE0000-0x0000000001DBA000-memory.dmpFilesize
872KB
-
memory/2340-11-0x0000000001CE0000-0x0000000001DBA000-memory.dmpFilesize
872KB
-
memory/2340-8-0x0000000001CE0000-0x0000000001DBA000-memory.dmpFilesize
872KB
-
memory/2340-12-0x0000000001CE0000-0x0000000001DBA000-memory.dmpFilesize
872KB
-
memory/2340-7-0x0000000001CE0000-0x0000000001DBA000-memory.dmpFilesize
872KB
-
memory/2340-9-0x0000000001CE0000-0x0000000001DBA000-memory.dmpFilesize
872KB
-
memory/2340-63-0x0000000001CE0000-0x0000000001DBA000-memory.dmpFilesize
872KB
-
memory/2340-5-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2340-4-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2340-2-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2476-36-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-32-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-51-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-50-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-55-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-62-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-54-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-53-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-52-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-20-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-45-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-44-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-42-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-41-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-19-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-25-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-24-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-27-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-28-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-43-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-29-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-30-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-31-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-26-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-33-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-34-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-40-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-39-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-38-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-37-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-23-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2476-35-0x0000000000230000-0x0000000000377000-memory.dmpFilesize
1.3MB
-
memory/2604-22-0x00000000060D0000-0x00000000061AA000-memory.dmpFilesize
872KB
-
memory/2604-18-0x00000000060D0000-0x00000000061AA000-memory.dmpFilesize
872KB
-
memory/2756-76-0x0000000000250000-0x0000000000397000-memory.dmpFilesize
1.3MB
-
memory/2756-73-0x0000000000250000-0x0000000000397000-memory.dmpFilesize
1.3MB
-
memory/2756-74-0x0000000000250000-0x0000000000397000-memory.dmpFilesize
1.3MB
-
memory/2756-75-0x0000000000250000-0x0000000000397000-memory.dmpFilesize
1.3MB
-
memory/2756-70-0x0000000000250000-0x0000000000397000-memory.dmpFilesize
1.3MB
-
memory/2756-77-0x0000000000250000-0x0000000000397000-memory.dmpFilesize
1.3MB
-
memory/2756-78-0x0000000000250000-0x0000000000397000-memory.dmpFilesize
1.3MB
-
memory/2756-79-0x0000000000250000-0x0000000000397000-memory.dmpFilesize
1.3MB
-
memory/2756-80-0x0000000000250000-0x0000000000397000-memory.dmpFilesize
1.3MB
-
memory/2756-81-0x0000000000250000-0x0000000000397000-memory.dmpFilesize
1.3MB
-
memory/2756-72-0x0000000000250000-0x0000000000397000-memory.dmpFilesize
1.3MB
-
memory/2756-71-0x0000000000250000-0x0000000000397000-memory.dmpFilesize
1.3MB