Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
18-06-2024 13:38
General
-
Target
bc383c949e2fa230cb2cc945b1c6535f_JaffaCakes118.exe
-
Size
312KB
-
MD5
bc383c949e2fa230cb2cc945b1c6535f
-
SHA1
cb88a41cbf44d5b7109c4ce71f09cc61ff37d1c4
-
SHA256
554d26bd54183554daa46c9140b63552c798a718ad189b07a71059378ef8e6d3
-
SHA512
2128443d747e8f02b724c73b7e9ff0ca613ef7f4d8d7649e0391f0d049f9fc0cc1c08ac37628bfb1c34a753813262c05f26b4ab122433a52c7da50432ffd5cc9
-
SSDEEP
6144:l1wWsAmf6Uj3Bav0xUzgSwnEaY3+2/Pv3yhTRSbiWI3Uu7DTOogV6:0VAbMccGcSwnjQ7HAIBI3tD6l6
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 53 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc383c949e2fa230cb2cc945b1c6535f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\bc383c949e2fa230cb2cc945b1c6535f_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bc383c949e2fa230cb2cc945b1c6535f_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\bc383c949e2fa230cb2cc945b1c6535f_JaffaCakes118.exe2⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:z4W1co="TCWo8bGx";RU2=new%20ActiveXObject("WScript.Shell");ao0GPq="9pubGCTM";Pxn6w6=RU2.RegRead("HKLM\\software\\Wow6432Node\\Ym0FcI67l\\bhvcXrcq");MaOW4EL4b="sk";eval(Pxn6w6);aA12yK="N";1⤵
- Process spawned unexpected child process
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:mgrdgdtr2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\7358d4\2d9c5e.1879f4fFilesize
33KB
MD50fc2a90f922c7db831dbb7402df71895
SHA1f91ed2d384fb731802b4672483756f7004242ce2
SHA2567276b58c89a6af95faf49fefa0d8f76674e91655458d6b9a2e94df131934b8b1
SHA512fe92f1249ead9e450469f744116d20e1cd1890772be573fab29a2c444d99a4ae14f11522e65ac6b52fc7ad6fb701e00292edf87551e9a689c9b7b0ab8104991d
-
C:\Users\Admin\AppData\Local\7358d4\6d45a7.batFilesize
61B
MD514adc766d85da95cd0990ed6bcc1524d
SHA1e3c8f83a8fbfea658c9139d3e670d609745fb848
SHA2560245cf83462c2d8f2453beb1094af0133caee498c1ab5147ee361cb8a449c1c4
SHA512b4172624d668b6c1e7519cca9cbb53645ecc8b9aa1e4908801fd81983b092ed7ad26e3e29047ff5dc4e7744ee9f08dc61765133fa5957926cb4518127f4b60b8
-
C:\Users\Admin\AppData\Local\7358d4\e5ae70.lnkFilesize
877B
MD52eac216aea6212a07422630515788145
SHA1af0be2710a0f33168bda02803489c5c1ee3e9390
SHA25646fb8c191f050e10f26155bed6ec064326910b70f2053ced1be78850309d8297
SHA512511e179534b2ff3f38973d0f5938c00bf2315edb19c9cb5135f8083af03c4acb4dbae2cd5cdcb00f0e13d3919b85362792490e6840ee672c0462cbd5226b9e93
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\94d0f9.lnkFilesize
987B
MD58161c39ba953516c0e1008122e640aed
SHA180b14501ee4741738d9d92791c32551ce3e83081
SHA2563cec5b4cece43ef5d00d06f572d9d64c98efcc86c78965d5a2b48daefae5daa5
SHA5121863100267a4a3148a4540a166309d8accd17eeb22743bd5b0af4f092d86a89e43336e3c908058dab3d9dcfdc5f25433225f65979215867d0dc952ca5300ca16
-
C:\Users\Admin\AppData\Roaming\e53183\8858ab.1879f4fFilesize
15KB
MD562d3627c14ebc28756d835aa645330d2
SHA1950cd1c4bff3e67eda5a0e8aee57caa17216453f
SHA256173bb4100fda04cbc9600f6d0e265ee61f569792dd3a735454251982fd9c0491
SHA5125cb606db9b746dae2199d56277710eee963a27c65765706739433ef1936a416fd3de07c57059bc34e7dd235975c31db8a288a1add4bf3f46e9c18a631526e2c1
-
memory/1700-43-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-46-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-68-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-40-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-41-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-42-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-44-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-45-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-67-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-47-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-52-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-31-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-33-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-53-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-35-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-36-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-37-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-38-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-39-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-48-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-50-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-51-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-74-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-54-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-55-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-66-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-49-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-56-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-57-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-65-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-64-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1700-62-0x0000000000110000-0x0000000000251000-memory.dmpFilesize
1.3MB
-
memory/1996-13-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1996-17-0x0000000001D20000-0x0000000001DF6000-memory.dmpFilesize
856KB
-
memory/1996-2-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1996-10-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1996-20-0x0000000001D20000-0x0000000001DF6000-memory.dmpFilesize
856KB
-
memory/1996-19-0x0000000001D20000-0x0000000001DF6000-memory.dmpFilesize
856KB
-
memory/1996-15-0x0000000001D20000-0x0000000001DF6000-memory.dmpFilesize
856KB
-
memory/1996-16-0x0000000001D20000-0x0000000001DF6000-memory.dmpFilesize
856KB
-
memory/1996-0-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1996-6-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1996-4-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1996-8-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1996-12-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1996-14-0x0000000001D20000-0x0000000001DF6000-memory.dmpFilesize
856KB
-
memory/1996-18-0x0000000001D20000-0x0000000001DF6000-memory.dmpFilesize
856KB
-
memory/2280-75-0x0000000000120000-0x0000000000261000-memory.dmpFilesize
1.3MB
-
memory/2280-76-0x0000000000120000-0x0000000000261000-memory.dmpFilesize
1.3MB
-
memory/2280-79-0x0000000000120000-0x0000000000261000-memory.dmpFilesize
1.3MB
-
memory/2280-78-0x0000000000120000-0x0000000000261000-memory.dmpFilesize
1.3MB
-
memory/2280-80-0x0000000000120000-0x0000000000261000-memory.dmpFilesize
1.3MB
-
memory/2280-77-0x0000000000120000-0x0000000000261000-memory.dmpFilesize
1.3MB
-
memory/2700-34-0x0000000006240000-0x0000000006316000-memory.dmpFilesize
856KB
-
memory/2700-29-0x0000000006240000-0x0000000006316000-memory.dmpFilesize
856KB