Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
18-06-2024 07:50
General
-
Target
ba8dd5eacf990e08bd61dbbc89328600_JaffaCakes118.exe
-
Size
320KB
-
MD5
ba8dd5eacf990e08bd61dbbc89328600
-
SHA1
098712007722fb34b4d47a8d0b289a3f0ee12667
-
SHA256
62b33d9024e2987cb8326827b9fddbc81c74f8bf10abdc8ea7ff7325d3646e66
-
SHA512
9a9b6295a0bd7ea551c4577f6e5d476b3a5885794f1bc24dd56b1c1b7dc77ae7fe0ca0b5b18f949fb5040b533641f86bf07fa93e66b4626c0b88408fc41d620d
-
SSDEEP
6144:qWkHk7Gknm0qSDlhHFj6SWC1e3jKb9wWF/QYD53:8E77m0DhpFOSWlWnFrDZ
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 52 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ba8dd5eacf990e08bd61dbbc89328600_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ba8dd5eacf990e08bd61dbbc89328600_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ba8dd5eacf990e08bd61dbbc89328600_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\ba8dd5eacf990e08bd61dbbc89328600_JaffaCakes118.exe2⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:Rj0x4J="XD";eb7=new%20ActiveXObject("WScript.Shell");dMN3I="xb";k0boN=eb7.RegRead("HKLM\\software\\Wow6432Node\\B0EpSZ\\bOaPm2aDJ");snqL05="wTkcq";eval(k0boN);VLZV0q="z";1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:kfdurka2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\bfede1\0c9e8c.lnkFilesize
873B
MD5cac2c17220b3670b94427be132c0444e
SHA1312beb6573ace2278770a048cadafb24d570b919
SHA256d3d1bbc05623a2826b9399d4f743fb50467a98d714e1cd11b7b1e7f126b083c6
SHA512d592d6e7d70a9cc6891fc7e0b8e8baead6839162b986025b45621458440e62871af9b52f4930ce28487e86b7863290a2b38a3a19c638ebec0a6ae28f15ff1217
-
C:\Users\Admin\AppData\Local\bfede1\44c570.4029e57Filesize
23KB
MD5e960a17300f5da310d5835f7371e937c
SHA1a2d587fdf6e1b930c30633814e7470d507dc7f62
SHA256c33e0cb764b48042f4940e81c261eb98a747ce96646fe0debef8a830bb867d44
SHA512ea97500e153837a6784352e9306149b144242deab71711f06f7e0f2360d20b83b6188ca8c39bdf63b7c44134fd7450cf061e2182a475be31426fc7f3d8ad585f
-
C:\Users\Admin\AppData\Local\bfede1\ef3aeb.batFilesize
61B
MD58b7e024c7b97a2403aeb424a90c9ed09
SHA1fe1b24291581c902230828c598e34788ae3d40b8
SHA256bf856996a944f68c6c137751874bf0ba8b958f5348fb6a1789c15028c6c735a7
SHA51253f7e2c642d8f0be010d06f06f28552c76d8f876b348a07bb698617229e9a58bfd212d6e95d01ff4ff8a2462dac24ae6de66b536231bea2788027f50acafb117
-
C:\Users\Admin\AppData\Roaming\455a63\046bb1.4029e57Filesize
26KB
MD50adcec98cacc2aa81de4ab7c98aca774
SHA1d1d940876d73d69ccc30f16cd13439f6c94d35a4
SHA256bcdf0b854c5515144df72e351815eb4f8ee8e7adeb61b1df1cbf4b5b3e9b00ce
SHA512578394f785262b1cc4839f5d6a1ffe7aaa2d07068aceef866e0612bf563a201cfb3f7323720c0843f93d25fe0b80faf1d182aa7191c88ec266369ca7c5b92326
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c2667d.lnkFilesize
983B
MD50009f90f5c79c182a4e26fc73427cf9d
SHA118ae215fda0ebbcdf974ea118b0c943a37a00ec0
SHA256becf058a89f58092b19b520d64cbfdc9ef5d5f164ff2e4c7d9cceff6184016b3
SHA512232b4a957cb8807f281b15a4db13834eb29b3663ecc105eb2fe158733c9ec7c9f67539e68b2b98213b1a540be2739718ef86124918598f5c2e94e5273bf446f0
-
memory/924-44-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-48-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-52-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-31-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-35-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-37-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-39-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-40-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-41-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-32-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-43-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-38-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-42-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-45-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-53-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-57-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-74-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-65-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-64-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-63-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-62-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-46-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-54-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-36-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-56-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-55-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-73-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-47-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-49-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-50-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/924-51-0x0000000000260000-0x00000000003A1000-memory.dmpFilesize
1.3MB
-
memory/1456-83-0x00000000001E0000-0x0000000000321000-memory.dmpFilesize
1.3MB
-
memory/1456-80-0x00000000001E0000-0x0000000000321000-memory.dmpFilesize
1.3MB
-
memory/1456-81-0x00000000001E0000-0x0000000000321000-memory.dmpFilesize
1.3MB
-
memory/1456-84-0x00000000001E0000-0x0000000000321000-memory.dmpFilesize
1.3MB
-
memory/1456-85-0x00000000001E0000-0x0000000000321000-memory.dmpFilesize
1.3MB
-
memory/1456-82-0x00000000001E0000-0x0000000000321000-memory.dmpFilesize
1.3MB
-
memory/2352-15-0x0000000001E20000-0x0000000001EF6000-memory.dmpFilesize
856KB
-
memory/2352-18-0x0000000001E20000-0x0000000001EF6000-memory.dmpFilesize
856KB
-
memory/2352-10-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/2352-0-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/2352-13-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/2352-8-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/2352-19-0x0000000001E20000-0x0000000001EF6000-memory.dmpFilesize
856KB
-
memory/2352-20-0x0000000001E20000-0x0000000001EF6000-memory.dmpFilesize
856KB
-
memory/2352-16-0x0000000001E20000-0x0000000001EF6000-memory.dmpFilesize
856KB
-
memory/2352-12-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/2352-17-0x0000000001E20000-0x0000000001EF6000-memory.dmpFilesize
856KB
-
memory/2352-2-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/2352-14-0x0000000001E20000-0x0000000001EF6000-memory.dmpFilesize
856KB
-
memory/2352-4-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/2352-6-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/2512-34-0x0000000005CC0000-0x0000000005D96000-memory.dmpFilesize
856KB
-
memory/2512-30-0x0000000005CC0000-0x0000000005D96000-memory.dmpFilesize
856KB
-
memory/2512-33-0x0000000002740000-0x0000000004740000-memory.dmpFilesize
32.0MB