modiloader | 9523efa6997c29824eaf3158e89eb2c3518caeeec3cae81a1c0b2fa20d35eeb5

General

Target

0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
Size

378KB
MD5

0101bcdc94d1def6f0e8fd99584e477e
SHA1

afbe107ac927a958374b58179b935780999fc784
SHA256

9523efa6997c29824eaf3158e89eb2c3518caeeec3cae81a1c0b2fa20d35eeb5
SHA512

98d509ce117d318ca7c84503efeb3be2219d7bd206fdec35e45c6c8d5cca71fe8fa1a28fdc4d50e6b1215134ac9899c59359016c136885bb717d591f7bd20b7f
SSDEEP

6144:pt8B9aLBD9UPcbZ3C6TI6T49fsN6w/gl349MbdYkekMXHoZegm3CU7k99voSe0D:HxZu6Z3C6TI6Co6LloOSoMXHJP3CUy9N

Score

10^/10

modiloader evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies firewall policy service 3 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\javaupd.exe = "C:\\Windows\\system32\\javaupd.exe:*:Enabled:Explorer"	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe

ModiLoader Second Stage 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2448-52-0x0000000000400000-0x000000000042B000-memory.dmp	modiloader_stage2
behavioral1/memory/2448-53-0x0000000000400000-0x000000000042B000-memory.dmp	modiloader_stage2
behavioral1/memory/2448-54-0x0000000000400000-0x000000000042B000-memory.dmp	modiloader_stage2
behavioral1/memory/2448-48-0x0000000000400000-0x000000000042B000-memory.dmp	modiloader_stage2
behavioral1/memory/2448-46-0x0000000000400000-0x000000000042B000-memory.dmp	modiloader_stage2
behavioral1/memory/2448-44-0x0000000000400000-0x000000000042B000-memory.dmp	modiloader_stage2
behavioral1/memory/2448-42-0x0000000000400000-0x000000000042B000-memory.dmp	modiloader_stage2
behavioral1/memory/2448-50-0x0000000000400000-0x000000000042B000-memory.dmp	modiloader_stage2
behavioral1/memory/2448-57-0x0000000000400000-0x000000000042B000-memory.dmp	modiloader_stage2
behavioral1/memory/2448-55-0x0000000000400000-0x000000000042B000-memory.dmp	modiloader_stage2
behavioral1/memory/2448-68-0x0000000000400000-0x000000000042B000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

javaqs.exejavaqs.exe

pid process

2356 javaqs.exe
2448 javaqs.exe
Loads dropped DLL 3 IoCs

Processes:

0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exejavaqs.exe

pid process

1580 0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
1580 0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
2356 javaqs.exe

pid	process
2356	javaqs.exe
2448	javaqs.exe

pid	process
1580	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
1580	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
2356	javaqs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kaspersky Email Security = "C:\\Windows\\system32\\javaupd.exe"	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

Processes:

0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\KB1090891424.log	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\javaqs.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\javaupd.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\javaupd.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exejavaqs.exe

description	pid	process	target process
PID 2664 set thread context of 1580	2664	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
PID 2356 set thread context of 2448	2356	javaqs.exe	javaqs.exe

Drops file in Program Files directory 64 IoCs

Processes:

0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe

description	ioc	process
File created	C:\program files\tesla\files\Half life 3 preview 10 minutes gameplay video.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\icq\shared folder\TCN ISO SigmaX2 firmware.bin.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\icq\shared folder\Absolute Video Converter 6.2.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\grokster\my grokster\Joannas Horde Leveling Guide TBC Woltk.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\limewire\shared\xbox360 flashing tools and guide including bricked drive fix.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\tesla\files\Adobe Acrobat Reader keygen.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\winmx\shared\Divx Pro 6.8.0.19 + keymaker.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\grokster\my grokster\Tuneup Ultilities 2008.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\tesla\files\Divx Pro 6.8.0.19 + keymaker.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\tesla\files\xbox360 flashing tools and guide including bricked drive fix.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\winmx\shared\WinRAR v3.x keygen RaZoR.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\winmx\shared\Internet Download Manager V5.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\limewire\shared\Download Accelerator Plus v8.7.5.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\limewire\shared\Tuneup Ultilities 2008.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\tesla\files\TCN ISO cable modem hacking tools.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\winmx\shared\Half life 3 preview 10 minutes gameplay video.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\icq\shared folder\Motorola, nokia, ericsson mobil phone tools.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\grokster\my grokster\Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\emule\incoming\Norton Anti-Virus 2009 Enterprise Crack.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\emule\incoming\Half life 3 preview 10 minutes gameplay video.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\winmx\shared\Wow WoLTk keygen generator-sfx.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\winmx\shared\Kaspersky Internet Security 2009 keygen.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\icq\shared folder\CleanMyPC Registry Cleaner v6.02.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\emule\incoming\TCN ISO cable modem hacking tools.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\emule\incoming\LimeWire Pro v4.18.3.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\morpheus\my shared folder\Super Utilities Pro 2009 11.0.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\winmx\shared\Daemon Tools Pro 4.11.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\icq\shared folder\Password Cracker.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\icq\shared folder\Kaspersky Internet Security 2009 keygen.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\emule\incoming\Microsoft Visual Studio 2008 KeyGen.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\emule\incoming\Winamp.Pro.v6.53.PowerPack.Portable [XmaS edition].exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\morpheus\my shared folder\LimeWire Pro v4.18.3.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\limewire\shared\Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\tesla\files\BitDefender AntiVirus 2009 Keygen.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\morpheus\my shared folder\Myspace theme collection.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\tesla\files\Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\icq\shared folder\Nero 8 Ultra Edition 8.0.3.0 Full Retail.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\icq\shared folder\Daemon Tools Pro 4.11.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\grokster\my grokster\Kaspersky Internet Security 2009 keygen.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\emule\incoming\Power ISO v4.2 + keygen axxo.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\morpheus\my shared folder\BitDefender AntiVirus 2009 Keygen.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\icq\shared folder\K-Lite codec pack 4.0 gold.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\icq\shared folder\Joannas Horde Leveling Guide TBC Woltk.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\limewire\shared\Download Boost 2.0.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\icq\shared folder\Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\emule\incoming\Smart Draw 2008 keygen.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\emule\incoming\Windows XP PRO Corp SP3 valid-key generator.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\tesla\files\Tuneup Ultilities 2008.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\morpheus\my shared folder\Alcohol 120 v1.9.7.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\limewire\shared\Super Utilities Pro 2009 11.0.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\limewire\shared\Kaspersky Internet Security 2009 keygen.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\grokster\my grokster\Internet Download Manager V5.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\emule\incoming\Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\emule\incoming\Absolute Video Converter 6.2.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\emule\incoming\Super Utilities Pro 2009 11.0.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\emule\incoming\FOOTBALL MANAGER 2009.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\tesla\files\Red Alert 3 keygen and trainer.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\tesla\files\Download Boost 2.0.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\grokster\my grokster\Norton Anti-Virus 2009 Enterprise Crack.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\emule\incoming\Adobe Acrobat Reader keygen.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\limewire\shared\Adobe Photoshop CS4 crack.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\tesla\files\Sophos antivirus updater bypass.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\winmx\shared\Download Boost 2.0.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
File created	C:\program files\winmx\shared\Perfect keylogger family edition with crack.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exejavaqs.exejavaqs.exe

description	pid	process	target process
PID 2664 wrote to memory of 1580	2664	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
PID 2664 wrote to memory of 1580	2664	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
PID 2664 wrote to memory of 1580	2664	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
PID 2664 wrote to memory of 1580	2664	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
PID 2664 wrote to memory of 1580	2664	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
PID 2664 wrote to memory of 1580	2664	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
PID 2664 wrote to memory of 1580	2664	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
PID 2664 wrote to memory of 1580	2664	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
PID 2664 wrote to memory of 1580	2664	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
PID 2664 wrote to memory of 1580	2664	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
PID 1580 wrote to memory of 2356	1580	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe	javaqs.exe
PID 1580 wrote to memory of 2356	1580	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe	javaqs.exe
PID 1580 wrote to memory of 2356	1580	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe	javaqs.exe
PID 1580 wrote to memory of 2356	1580	0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe	javaqs.exe
PID 2356 wrote to memory of 2448	2356	javaqs.exe	javaqs.exe
PID 2356 wrote to memory of 2448	2356	javaqs.exe	javaqs.exe
PID 2356 wrote to memory of 2448	2356	javaqs.exe	javaqs.exe
PID 2356 wrote to memory of 2448	2356	javaqs.exe	javaqs.exe
PID 2356 wrote to memory of 2448	2356	javaqs.exe	javaqs.exe
PID 2356 wrote to memory of 2448	2356	javaqs.exe	javaqs.exe
PID 2356 wrote to memory of 2448	2356	javaqs.exe	javaqs.exe
PID 2356 wrote to memory of 2448	2356	javaqs.exe	javaqs.exe
PID 2356 wrote to memory of 2448	2356	javaqs.exe	javaqs.exe
PID 2356 wrote to memory of 2448	2356	javaqs.exe	javaqs.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe
PID 2448 wrote to memory of 1656	2448	javaqs.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2664

C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\0101bcdc94d1def6f0e8fd99584e477e_JaffaCakes118.exe
2⤵
- Modifies firewall policy service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\javaqs.exe
"C:\Windows\system32\javaqs.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\SysWOW64\javaqs.exe
C:\Windows\SysWOW64\javaqs.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\javaqs.exe
Filesize
155KB

MD5
e4a50779ce4afc2eae51db7d550e8d4b

SHA1
db23b06bdb4ff3e9ac5e76080ca863c112a6c262

SHA256
19ba29b55ec53bc54faaf02cb344667a4a5c3ce210aa14daa55ca5a7c31292c7

SHA512
20187d00c6bfae560ade24b7481603849419830dec52298c8afbffd0d00d912d7864bec13c48559eef57a98823b42f1d9e003436a2dd83ce5ac8775dd3131d65

Download Submit
memory/1580-0-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1580-2-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1580-12-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1580-8-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1580-19-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1580-5-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1580-15-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1580-69-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1580-6-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1580-23-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1580-14-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1580-88-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1580-83-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1580-10-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1580-78-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1580-72-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2448-53-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2448-44-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2448-42-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2448-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2448-50-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2448-57-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2448-55-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2448-59-0x0000000010410000-0x0000000010455000-memory.dmp

Filesize
276KB

Download
memory/2448-68-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2448-46-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2448-48-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2448-54-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2448-52-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2448-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads