Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
17-06-2024 10:58
General
-
Target
b84100b50a883ab9f16176d2382cc13e_JaffaCakes118.exe
-
Size
379KB
-
MD5
b84100b50a883ab9f16176d2382cc13e
-
SHA1
6f290c5dcffe16d6114fc21d3c77ef230e7c9aa3
-
SHA256
64bb93f682999358b0a45a70851d90ff5f3448633cf4ce1a43e374be6680200e
-
SHA512
d8e64b47ba64ff5f07c398dbe34f5e4c2cdcad16a6bee3f68d540d60bf130f5279cd318be55531a65af69114b9dd20ce2b5d849a0756bba48b5d74060a172b9f
-
SSDEEP
6144:e8/y1i0Ake/A7/ca/cp4gfjlP2crPKOQaL70wx9EXo+WQKWNN:615Aj/Aj7gblPiaLYWSFb
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 57 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b84100b50a883ab9f16176d2382cc13e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b84100b50a883ab9f16176d2382cc13e_JaffaCakes118.exe"1⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:T4Wqs1="03";Pq74=new%20ActiveXObject("WScript.Shell");S9uqEWo8="t";scW3o=Pq74.RegRead("HKCU\\software\\EBW4iUjMUw\\ng2fbnrN1");uigfAr2="TiMtMv";eval(scW3o);RvcWn51="JSXAz";1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:ajruww2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\Local\Temp\TarD57F.tmpFilesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Users\Admin\AppData\Local\cb8d1f\268379.94e8bf0Filesize
23KB
MD5012b7fb830d6dfebb6177d11df623cab
SHA177f85166dffe264f1dc5dfcef77d11508a3b6009
SHA2568041d764dada7f21a2b5e70cb47faf71c006fa9a02f10f38f400c69e1b099bb5
SHA512a358e64138a556b5ae5c3f1847bcf16fa12d28ff601cbe2554bc20d4df0152482c4537886bc24486c75e43b7483651bd270b660b97c65d4b129089d48631537e
-
C:\Users\Admin\AppData\Local\cb8d1f\a81118.batFilesize
70B
MD5d3e26b7369fbcbef9aa2c074ce360ff7
SHA12e35581b15a58dd59c942a35842db95f97cd6e0c
SHA2563c5213d15ac80b23310db202119df262cb1d301de58f80aa84fbf3a2a4e1a579
SHA51232fd9913466a3d9425535fc0e083d6d4f84ec307f15f95f539ad77c95c27893038351e7ad84b38f0219ec59c5b44b5da049e17bfbf36f63e126d9e9efd9e0a3c
-
memory/1148-73-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/1148-71-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/1148-65-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/1148-70-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/1148-72-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/1148-64-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/1148-66-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/1148-69-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/1148-68-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/1148-63-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/1148-61-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/1148-67-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/1148-62-0x0000000000210000-0x000000000035A000-memory.dmpFilesize
1.3MB
-
memory/2440-1-0x0000000000400000-0x00000000004656C8-memory.dmpFilesize
405KB
-
memory/2440-2-0x0000000001D80000-0x0000000001E5C000-memory.dmpFilesize
880KB
-
memory/2440-6-0x0000000001D80000-0x0000000001E5C000-memory.dmpFilesize
880KB
-
memory/2440-4-0x0000000001D80000-0x0000000001E5C000-memory.dmpFilesize
880KB
-
memory/2440-55-0x0000000001D80000-0x0000000001E5C000-memory.dmpFilesize
880KB
-
memory/2440-5-0x0000000001D80000-0x0000000001E5C000-memory.dmpFilesize
880KB
-
memory/2440-9-0x0000000001D80000-0x0000000001E5C000-memory.dmpFilesize
880KB
-
memory/2440-7-0x0000000001D80000-0x0000000001E5C000-memory.dmpFilesize
880KB
-
memory/2440-8-0x0000000000400000-0x00000000004656C8-memory.dmpFilesize
405KB
-
memory/2440-3-0x0000000001D80000-0x0000000001E5C000-memory.dmpFilesize
880KB
-
memory/2440-0-0x0000000000456000-0x0000000000458000-memory.dmpFilesize
8KB
-
memory/2556-37-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-47-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-39-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-36-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-35-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-34-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-33-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-30-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-29-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-28-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-27-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-26-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-25-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-23-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-32-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-22-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-21-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-15-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-40-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-46-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-49-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-51-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-52-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-50-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-48-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-38-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-41-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-31-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-24-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-19-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-20-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2556-18-0x0000000000120000-0x000000000026A000-memory.dmpFilesize
1.3MB
-
memory/2660-17-0x0000000006150000-0x000000000622C000-memory.dmpFilesize
880KB
-
memory/2660-14-0x0000000006150000-0x000000000622C000-memory.dmpFilesize
880KB
-
memory/2660-13-0x0000000005480000-0x0000000005481000-memory.dmpFilesize
4KB