Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
16-06-2024 14:47
General
-
Target
b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe
-
Size
476KB
-
MD5
b40e7591d3334624579042161dbaeacb
-
SHA1
2b27b42bd458e6d582f1b54932e5744fc82855ad
-
SHA256
63c8979bce14d879fbfa7263d37ea4433d7268dde1add2beda5040a52bb0792f
-
SHA512
61c941db8214464f82fb153f820d84fc80969b8ce0ade624cd2c8e95c5d66d3ee357e36f6de8e0f63e1e4f72712994968895a47a117252c2a5218ef68a558a5d
-
SSDEEP
12288:kiV3E6TOPUzsnL7JmB3eHYC0H1iX78q7q92X2T:tE6TOPUzs/JmByYrVzZ
Score
10/10
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
ModiLoader Second Stage 38 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe"1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Adds policy Run key to start application
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/8-34-0x0000000000E90000-0x0000000000E99000-memory.dmpFilesize
36KB
-
memory/8-63-0x0000000000EA0000-0x0000000000F6C000-memory.dmpFilesize
816KB
-
memory/8-62-0x0000000000EA0000-0x0000000000F6C000-memory.dmpFilesize
816KB
-
memory/8-48-0x0000000000EA0000-0x0000000000F6C000-memory.dmpFilesize
816KB
-
memory/8-43-0x0000000000EA0000-0x0000000000F6C000-memory.dmpFilesize
816KB
-
memory/8-45-0x0000000000EA0000-0x0000000000F6C000-memory.dmpFilesize
816KB
-
memory/8-46-0x0000000000EA0000-0x0000000000F6C000-memory.dmpFilesize
816KB
-
memory/8-49-0x0000000000EA0000-0x0000000000F6C000-memory.dmpFilesize
816KB
-
memory/8-51-0x0000000000EA0000-0x0000000000F6C000-memory.dmpFilesize
816KB
-
memory/8-50-0x0000000000EA0000-0x0000000000F6C000-memory.dmpFilesize
816KB
-
memory/8-47-0x0000000000EA0000-0x0000000000F6C000-memory.dmpFilesize
816KB
-
memory/8-44-0x0000000000EA0000-0x0000000000F6C000-memory.dmpFilesize
816KB
-
memory/8-42-0x0000000000EA0000-0x0000000000F6C000-memory.dmpFilesize
816KB
-
memory/8-40-0x0000000000EA0000-0x0000000000F6C000-memory.dmpFilesize
816KB
-
memory/8-41-0x0000000000EA0000-0x0000000000F6C000-memory.dmpFilesize
816KB
-
memory/8-39-0x0000000000EA0000-0x0000000000F6C000-memory.dmpFilesize
816KB
-
memory/8-38-0x0000000000EA0000-0x0000000000F6C000-memory.dmpFilesize
816KB
-
memory/8-36-0x0000000000E90000-0x0000000000E99000-memory.dmpFilesize
36KB
-
memory/8-37-0x0000000000EA0000-0x0000000000F6C000-memory.dmpFilesize
816KB
-
memory/8-32-0x0000000000E90000-0x0000000000E99000-memory.dmpFilesize
36KB
-
memory/1212-18-0x0000000000E90000-0x0000000000E99000-memory.dmpFilesize
36KB
-
memory/1212-15-0x0000000000E90000-0x0000000000E99000-memory.dmpFilesize
36KB
-
memory/1212-23-0x0000000000720000-0x00000000007EC000-memory.dmpFilesize
816KB
-
memory/1212-26-0x0000000000720000-0x00000000007EC000-memory.dmpFilesize
816KB
-
memory/1212-24-0x0000000000720000-0x00000000007EC000-memory.dmpFilesize
816KB
-
memory/1212-25-0x0000000000720000-0x00000000007EC000-memory.dmpFilesize
816KB
-
memory/1212-21-0x0000000000720000-0x00000000007EC000-memory.dmpFilesize
816KB
-
memory/1212-22-0x0000000000720000-0x00000000007EC000-memory.dmpFilesize
816KB
-
memory/1212-20-0x0000000000E90000-0x0000000000E99000-memory.dmpFilesize
36KB
-
memory/3532-58-0x0000000000850000-0x000000000091C000-memory.dmpFilesize
816KB
-
memory/3532-52-0x0000000000E90000-0x0000000000E99000-memory.dmpFilesize
36KB
-
memory/3532-57-0x0000000000850000-0x000000000091C000-memory.dmpFilesize
816KB
-
memory/3532-59-0x0000000000850000-0x000000000091C000-memory.dmpFilesize
816KB
-
memory/3532-60-0x0000000000850000-0x000000000091C000-memory.dmpFilesize
816KB
-
memory/3532-61-0x0000000000850000-0x000000000091C000-memory.dmpFilesize
816KB
-
memory/3532-56-0x0000000000850000-0x000000000091C000-memory.dmpFilesize
816KB
-
memory/3532-53-0x0000000000E90000-0x0000000000E99000-memory.dmpFilesize
36KB
-
memory/3532-55-0x0000000000E90000-0x0000000000E99000-memory.dmpFilesize
36KB
-
memory/3788-9-0x00000000022E0000-0x00000000023AC000-memory.dmpFilesize
816KB
-
memory/3788-0-0x00000000023C0000-0x00000000024C0000-memory.dmpFilesize
1024KB
-
memory/3788-5-0x00000000022E0000-0x00000000023AC000-memory.dmpFilesize
816KB
-
memory/3788-17-0x0000000000400000-0x000000000047E000-memory.dmpFilesize
504KB
-
memory/3788-7-0x00000000022E0000-0x00000000023AC000-memory.dmpFilesize
816KB
-
memory/3788-6-0x00000000022E0000-0x00000000023AC000-memory.dmpFilesize
816KB
-
memory/3788-8-0x00000000022E0000-0x00000000023AC000-memory.dmpFilesize
816KB
-
memory/3788-3-0x0000000000400000-0x000000000047E000-memory.dmpFilesize
504KB
-
memory/3788-11-0x00000000022E0000-0x00000000023AC000-memory.dmpFilesize
816KB
-
memory/3788-2-0x00000000023C0000-0x00000000024C0000-memory.dmpFilesize
1024KB
-
memory/3788-1-0x0000000000600000-0x0000000000601000-memory.dmpFilesize
4KB
-
memory/4256-64-0x0000000000E90000-0x0000000000E99000-memory.dmpFilesize
36KB
-
memory/4256-65-0x0000000000E90000-0x0000000000E99000-memory.dmpFilesize
36KB
-
memory/4256-67-0x0000000000E90000-0x0000000000E99000-memory.dmpFilesize
36KB
-
memory/4256-68-0x0000000000660000-0x000000000072C000-memory.dmpFilesize
816KB