modiloader | ba47864634c9c8fc246aa68f1d4474f6e0da31530ed61de9599f0730ed778d5a

General

Target

02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe
Size

171KB
MD5

02738410c473a8b778eb4581c64ead77
SHA1

7f98caffd32f44b496509073439402dc3118db63
SHA256

ba47864634c9c8fc246aa68f1d4474f6e0da31530ed61de9599f0730ed778d5a
SHA512

c95c8ffd75806cbed7f04e8ccfa11d88c1a87402a2dcf501b6beb6aba0fb5e72edc524d81db4a1e5ce41b2d388842b43221a8baf51b2d9b4ecaeb85daed5ca0c
SSDEEP

3072:AKl+dV9Nn9b6OwF4428+Fsk0pqY6niulKL4eA4bjp6/UHkgJa:lsV9pt6OwFvPMskNniukjIUHRJa

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2520-18-0x0000000010000000-0x000000001002D000-memory.dmp	modiloader_stage2

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate 02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe

description	pid	process	target process
PID 2520 set thread context of 1104	2520	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

Processes:

02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe

description ioc process

File opened for modification C:\Windows\PCGWIN32.LI5 02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\PCGWIN32.LI5	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe

Modifies registry class 6 IoCs

Processes:

02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{5B1ED788-B0E65835-F3544BA7-8210100F}	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{5B1ED788-B0E65835-F3544BA7-8210100F}\ = 65ce4271e8211f91404727ba1e1ebe026261b13c6b5f6e8293b871982000c39601baa098b4389adf3802e1f7039abe7fa2e2eec1ac88d0ae023227a605cae8ee945238b7a0d5c6bbe4a168ccedafafad0df370519ffcc29cefc0927879d9a4c345b1289fe93d689c8bbe09a2e8302c99d3f881257f64e25908c471756c682d17ec05506481153f74e2d5df4b0216d975f8a425d40bfad65eb4bd241fbf4bfc25e7f22e6f4db2701ee7031a5e7f036229c1b4702823355617f5faa860f151284855ef042d08904f8212d877ba9aa6f82adeb17cdcdffdbd9c1fbe42dc47bc2a9e280249b108ab4989ac13d0f6861aa4bf1462c5572bbab65fa442c8a1904cc42f488d0d2fac72d1673cda1e39039b81b9039b3139149bb4f916db34b9199bbf391dd803fe0ee2f3009efd43e3cee9ed37d02a0736eadbc981d07f75a2a42ec7edcad091cf4c52edbfd01d83009134339be6391b60fea59db73f6a62cf89d2b7f7a52a7b281e17fdca5f57428a09d1c88436cbab6eb1d3dff6bd95a3b7d6257bd81e0543a7c6a5abd4098570d86701da3b7e2663db0686db3a79a158bf7b9d9e0382e6903478dbdb81c16bc3b65954bc071caac3ef3632a41686fbfb59a644f51568040f8a8d4e336d6e4c73b12e5fd3424e5f6d8210aef192640869f76c1a9180709017bcca624f19528447269a45beb46294c78a157674e56517088a0daeb3cc518c78cc9b0e816d500ccd6f10f28c508e35aca84c9e313e50732bbe09ec2338fa1cd57347d3cf74ce1eaa737a36fad96b68998a865ea708575a2b087069b7b1a3de9b69f92c23d116033aa699ba789e9f3c3ddfe0fdece33009dbc8b9926370a6ad542f7bf29e297cab1f71c264186583f87e5a9d0740ba5120442bdb767e251d27bf4addef03ad0ef3ed51900c4971ec9ced808c7b4fde923d0e60f35519f8845b963eba9c5f3cc25d21bc8bdd698074f96960d4ff76a2253e5863fbbe61dc248085b20be72eba4d9e2cc20c66af3b529e81023317260565c4d84a8757fa0a61d7d035bbe41994444865f3f829605451090c50cfc70da5ac3b4d5e90433ed61d0540a7e185a49738455f184283d1194300763a55e7c87510588b7b91de8b7c565fcb0236ff655d64bc191e3b025e3703ea26a9b42b2a6e08b373e1169b7bb99e23fce69ccabe0e222df133d39ec13c171f0a42ef27921536846b794ea4d314013b9419bafc9ea2431006bcebe26e1e4d3d10e03087a97a6c9f8d3d2fdcf2fcdee23c28e32d911333b6a11ad33f011d0080f522a45f5942c4cffb0da66cb46de4105a3fff9d9d430366996bc7ee350c14adc54c544fb9b22367163a759e18fc3c1e6303d6397ae05f984204e7b625da84f8869caabe6f22d2c9c117ccca0fd0d236b9e51bbb465985c4d70af591677cfa61a068ceeb0c364fa4525637852a176935ec1891c7f0ba6f67d2eabfd7e28a7f71e2dccfc1b2b8695d8880107101242be7ee1a6c80717e509d8d7f93624e5113bcce624d7f70a22f6ed26d496c90cd0a4ff772e51fd702056fe4f2c89ff6c2244fd932c75fe5c227afda2dfe901cfffde2e3afd9523bbfe662f469d8944279b724d5a8f7d255f8f8a4e6648ac790c5f9f764652588972a35ef17f24a2111fc74a3eb3969a0689e6bbcae1eb2fd6723ca8ec992ac886f4d92cc38cde3ccd97303decec3ec8ed0b2021ee7bce5e007ceca92f678d4e5462b8b96e9b4eb94893a8f9f2dc2ccd72ebaad9e8ffccd606f2bf2b6e014b239a61f0ac2e996177abadfa0fdcadf767d1b9c86fce5dcc4bca9a08b1029b18f938df18f632d06938bc10917344a6b4f16f20416a58578545bb7865a9a7f80626ff1321ce9436c1e713c149f0a424997344a2b4f91527ff7a22a18693a282169878c05b0745695fb8b199178031f9e42c3f11e6f43127e79e3e47e581d034086b52aab4f899270c6138ab9c81b2a014f3012ed778cea12aeb9ecd812c74f7a52a7ffda1dc17c901d8c7cf2df687d3160a87336e625346495db78bea5e31b5606cb6bae36d32a7697e57a9461f9902449556c38b12054b3075efa43677e6a9d377c255f6882d759454448b5336826298a8b28092c2b2f6e8ded53937ec96377eeea129079c01c1c4103d4397ae45f96020407b46adaef0652150137839ad13807235a763925245465f5c498b704ea594f80f2a8d1b0c42e4bed8e302ca62f7a5259094450c9c977706a295754fac92674552774b515e738d56777ea9ab7c0dad2014e6cf35199fcc35f5942045945b888a6caa4c82a8eb14cd4afc72d8aec8833d6d6b4f5a418d53cb8dd9a83c041a0acde6c424d394ca0cddf53c20e594dbcac1eacc353d13effdd1d403c95223bd11e870225c1bb47a16adc4fbdb29fa03d65a3e4e9c7f3eaa97173d49ecb02ae387359a604551b444647cbaa9651cb44365914bc379eea424f3f72a2270eda537f8e62ac21ac172e7ad3d90e47cd0ad091c30b7636eb5b8e06cd1a7041e70cfa11998b7829991378061da4bf66dd6bc3965974b82722eaf70e1aadbe9362f1a7ab458928f4eda953b3462945f0e4ef7632252868c98db3ef11ad78f35f19c200573c7adf1fbd3d235c563f4b220e8eed4c7051af78d29b8f41d270096b50ee094c17714a2437db2a79b6582a3f30e267302aad49afecadae6c2cef73326e59ed444c3b112170a4a328910b872905e8986e866dd430461fd542bbc9e1483f7562284fd3d24e4e6d0d308c26127547287a11d98f7b0d1e13bd4623fb5e598304d947fbaaa1d643b4cee432469ffb42998fc7725559f884e2499630749095ca77c81ab0c16427a7ba35592b781659b4bc189e7982582efbad1eb3bcd19e77822a5e493dd4dc847e06a3752198ecfb2fe6d2a5cf5412c53ee4ddb77f95a2c726a5c5abe4f6fb6b26d6cbb5d6e80573d816874505d4488b57d6ca4510c8b9eba3ce995344c60b8591c4c72bd5117bfcdea28208c6ac2ad22f060d05ccf84e67539a3ec1e3f0195dc4c0c4afd80d38b019a23ba09e103cc121f30bd1b6471aba47deaac29046bcfb62990fc7f25558f887e0e5a487a4a5c5d87445e928b073d5a6389a1ab83f1e9dc37fe1a23f4ee24dfe6c1cb301a12787ba755f2442a5b127a71a757914e0fbb521d490074d7a4c67710a9cf77d6a60b16fd8d2c34f7e52a33fcee2ed7f4ca2932ec60dd54cb8cfa652d437ba959e37c36a4691c5bff85d9d00bf971dfafcdf1f82bda09fe4bd74631bfe46dcc5828ba8c92e0fad12d0c1379c6a004989e8b36ba96e3753da8606659578789ba7465a5b47464aa59164833b49de2c3dafa3f25117884a0e090c0b334ea1335f5682cb3849246c3b2fe6f2556e789321f9c09b2bc1ee03b33e661cebff2e9d8c036e46b37b19de037d5e5cc33f89e22f01ada7af65d274496534c4a824d04bc436581bbd81df63bd4edf8d7d8f1c72bfe11d3000a422a4c798754454d90703eab60e9ab3fe91a2fbc0992ac76f357224271a2af9ae9b1239309f13bdf69f6b7d8e200cb52de850cd0f4c0d935001071c7a43d91e434326be65a2d878782563f83622d5b10b5cce81ec0fced20cfeef1ced0113c8f689a4135676856b372e253358663b3b265e84fd46a05b1e7ebda3e0b1	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{5B1ED788-B0E65835-F3544BA7-8210100F}\ = 2a88dc09e8211f91404727ba1e1ebe026261b13c6b5f6e8293b871982000c39601baa098b4389adf3802e1f7039abe7fa2e2eec1ac88d0ae023227a605cae8ee945238b7a0d5c6bbe4a168ccedafafad0df370519ffcc29cefc0927879d9a4c345b1289fe93d689c8bbe09a2e8302c99d3f881257f64e25908c471756c682d17ec05506481153f74e2d5df4b0216d975f8a425d40bfad65eb4bd241f45c248efe0f22e6f4db2701ee7031a5e7f036229c1b4702823355617f5faa860f151284855ef042d08904f8212d877ba9aa6f82adeb17cdcdffdbd9c1fbe42dc47bc2a9e280249b108ab4989ac13d0f6861aa4bf1462c5572bbab65fa442c8a1904cc42f488d0d2fac72d1673cda1e39039b81b9039b3139149bb4f916db34b9199bbf391dd803fe0ee2f3009efd43e3cee9ed37d02a0736eadbc981d07f75a2a42ec7edcad091cf4c52edbfd01d83009134339be6391b60fea59db73f6a62cf89d2b7f7a52a7b281e17fdca5f57428a09d1c88436cbab6eb1d3dff6bd95a3b7d6257bd81e0543a7c6a5abd4098570d86701da3b7e2663db0686db3a79a158bf7b9d9e0382e6903478dbdb81c16bc3b65954bc071caac3ef3632a41686fbfb59a644f51568040f8a8d4e336d6e4c73b12e5fd3424e5f6d8210aef192640869f76c1a9180709017bcca624f19528447269a45beb46294c78a157674e56517088a0daeb3cc518c78cc9b0e816d500ccd6f10f28c508e35aca84c675c3450732bbe09ec2338fa1cd57347d3cf74ce1eaa737a36fad96b68998a865ea708575a2b087069b7b1a3de9b69f92c23d116033aa699ba789e9f3c3ddfe0fdece33009dbc8b9926370a6ad542f7bf29e297cab1f71c264186583f87e5a9d0740ba5120442bdb767e251d27bf4addef03ad0ef3ed51900c4971ec9ced808c7b4fde923d0e60f35519f8845b963eba9c5f3cc25d21bc8bdd698074f96960d4ff76a2253e5863fbbe61dc248085b20be72eba4d9e2cc20c66af3b529e81023317260565c4d84a8757fa0a61d7d035bbe41994444865f3f829605451090c50cfc70da5ac3b4d5e90433ed61d0540a7e185a49738455f184283d1194300763a55e7c87510588b7b91de8b7c565fcb0236ff655d64bc191e3b025e3703ea26a9b42b2a6e08b373e1169b7bb99e23fce69ccabe0e222df133d39ec13c171f0a42ef27921536846b794ea4d314013b9419bafc9ea2431006bcebe26e1e4d3d10e03087a97a6c9f8d3d2fdcf2fcdee23c28e32d911333b6a11ad33f011d0080f522a45f5942c4cffb0da66cb46de4105a3fff9d9d430366996bc7ee350c14adc54c544fb9b22367163a759e18fc3c1e6303d6397ae05f984204e7b625da84f8869caabe6f22d2c9c117ccca0fd0d236b9e51bbb465985c4d70af591677cfa61a068ceeb0c364fa4525637852a176935ec1891c7f0ba6f67d2eabfd7e28a7f71e2dccfc1b2b8695d8880107101242be7ee1a6c80717e509d8d7f93624e5113bcce624d7f70a22f6ed26d496c90cd0a4ff772e51fd702056fe4f2c89ff6c2244fd932c75fe5c227afda2dfe901cfffde2e3afd9523bbfe662f469d8944279b724d5a8f7d255f8f8a4e6648ac790c5f9f764652588972a35ef17f24a2111fc74a3eb3969a0689e6bbcae1eb2fd6723ca8ec992ac886f4d92cc38cde3ccd97303decec3ec8ed0b2021ee7bce5e007ceca92f678d4e5462b8b96e9b4eb94893a8f9f2dc2ccd72ebaad9e8ffccd606f2bf2b6e014b239a61f0ac2e996177abadfa0fdcadf767d1b9c86fce5dcc4bca9a08b1029b18f938df18f632d06938bc10917344a6b4f16f20416a58578545bb7865a9a7f80626ff1321ce9436c1e713c149f0a424997344a2b4f91527ff7a22a18693a282169878c05b0745695fb8b199178031f9e42c3f11e6f43127e79e3e47e581d034086b52aab4f899270c6138ab9c81b2a014f3012ed778cea12aeb9ecd812c74f7a52a7ffda1dc17c901d8c7cf2df687d3160a87336e625346495db78bea5e31b5606cb6bae36d32a7697e57a9461f9902449556c38b12054b3075efa43677e6a9d377c255f6882d759454448b5336826298a8b28092c2b2f6e8ded53937ec96377eeea129079c01c1c4103d4397ae45f96020407b46adaef0652150137839ad13807235a763925245465f5c498b704ea594f80f2a8d1b0c42e4bed8e302ca62f7a5259094450c9c977706a295754fac92674552774b515e738d56777ea9ab7c0dad2014e6cf35199fcc35f5942045945b888a6caa4c82a8eb14cd4afc72d8aec8833d6d6b4f5a418d53cb8dd9a83c041a0acde6c424d394ca0cddf53c20e594dbcac1eacc353d13effdd1d403c95223bd11e870225c1bb47a16adc4fbdb29fa03d65a3e4e9c7f3eaa97173d49ecb02ae387359a604551b444647cbaa9651cb44365914bc379eea424f3f72a2270eda537f8e62ac21ac172e7ad3d90e47cd0ad091c30b7636eb5b8e06cd1a7041e70cfa11998b7829991378061da4bf66dd6bc3965974b82722eaf70e1aadbe9362f1a7ab458928f4eda953b3462945f0e4ef7632252868c98db3ef11ad78f35f19c200573c7adf1fbd3d235c563f4b220e8eed4c7051af78d29b8f41d270096b50ee094c17714a2437db2a79b6582a3f30e267302aad49afecadae6c2cef73326e59ed444c3b112170a4a328910b872905e8986e866dd430461fd542bbc9e1483f7562284fd3d24e4e6d0d308c26127547287a11d98f7b0d1e13bd4623fb5e598304d947fbaaa1d643b4cee432469ffb42998fc7725559f884e2499630749095ca77c81ab0c16427a7ba35592b781659b4bc189e7982582efbad1eb3bcd19e77822a5e493dd4dc847e06a3752198ecfb2fe6d2a5cf5412c53ee4ddb77f95a2c726a5c5abe4f6fb6b26d6cbb5d6e80573d816874505d4488b57d6ca4510c8b9eba3ce995344c60b8591c4c72bd5117bfcdea28208c6ac2ad22f060d05ccf84e67539a3ec1e3f0195dc4c0c4afd80d38b019a23ba09e103cc121f30bd1b6471aba47deaac29046bcfb62990fc7f25558f887e0e5a487a4a5c5d87445e928b073d5a6389a1ab83f1e9dc37fe1a23f4ee24dfe6c1cb301a12787ba755f2442a5b127a71a757914e0fbb521d490074d7a4c67710a9cf77d6a60b16fd8d2c34f7e52a33fcee2ed7f4ca2932ec60dd54cb8cfa652d437ba959e37c36a4691c5bff85d9d00bf971dfafcdf1f82bda09fe4bd74631bfe46dcc5828ba8c92e0fad12d0c1379c6a004989e8b36ba96e3753da8606659578789ba7465a5b47464aa59164833b49de2c3dafa3f25117884a0e090c0b334ea1335f5682cb3849246c3b2fe6f2556e789321f9c09b2bc1ee03b33e661cebff2e9d8c036e46b37b19de037d5e5cc33f89e22f01ada7af65d274496534c4a824d04bc436581bbd81df63bd4edf8d7d8f1c72bfe11d3000a422a4c798754454d90703eab60e9ab3fe91a2fbc0992ac76f357224271a2af9ae9b1239309f13bdf69f6b7d8e200cb52de850cd0f4c0d935001071c7a43d91e434326be65a2d878782563f83622d5b10b5cce81ec0fced20cfeef1ced0113c8f689a4135676856b372e253358663b3b265e84fd46a05b1e7ebda3e0b1	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{FFB1FF17-58C4FF86-A7750091}	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\{FFB1FF17-58C4FF86-A7750091}\ = "3211623428"	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{5B1ED788-B0E65835-F3544BA7-8210100F}\ = e66e58b0e8211f91404727ba1e1ebe026261b13c6f23033d93b871982000c39601baa098b4389adf3802e1f7039abe7fa2e2eec1ac88d0ae023227a605cae8ee945238b7a0d5c6bbe4a168ccedafafad0df370519ffcc29cefc0927879d9a4c345b1289fe93d689c8bbe09a2e8302c99d3f881257f64e25908c471756c682d17ec05506481153f74e2d5df4b0216d975f8a425d40bfad65eb4bd241f45c248efe0f22e6f4db2701ee7031a5e7f036229c1b4702823355617f5faa860f151284855ef042d08904f8212d877ba9aa6f82adeb17cdcdffdbd9c1fbe42dc47bc2a9e280249b108ab4989ac13d0f6861aa4bf1462c5572bbab65fa442c8a1904cc42f488d0d2fac72d1673cda1e39039b81b9039b3139149bb4f916db34b9199bbf391dd803fe0ee2f3009efd43e3cee9ed37d02a0736eadbc981d07f75a2a42ec7edcad091cf4c52edbfd01d83009134339be6391b60fea59db73f6a62cf89d2b7f7a52a7b281e17fdca5f57428a09d1c88436cbab6eb1d3dff6bd95a3b7d6257bd81e0543a7c6a5abd4098570d86701da3b7e2663db0686db3a79a158bf7b9d9e0382e6903478dbdb81c16bc3b65954bc071caac3ef3632a41686fbfb59a644f51568040f8a8d4e336d6e4c73b12e5fd3424e5f6d8210aef192640869f76c1a9180709017bcca624f19528447269a45beb46294c78a157674e56517088a0daeb3cc518c78cc9b0e816d500ccd6f10f28c508e35aca84c675c3450732bbe09ec2338fa1cd57347d3cf74ce1eaa737a36fad96b68998a865ea708575a2b087069b7b1a3de9b69f92c23d116033aa699ba789e9f3c3ddfe0fdece33009dbc8b9926370a6ad542f7bf29e297cab1f71c264186583f87e5a9d0740ba5120442bdb767e251d27bf4addef03ad0ef3ed51900c4971ec9ced808c7b4fde923d0e60f35519f8845b963eba9c5f3cc25d21bc8bdd698074f96960d4ff76a2253e5863fbbe61dc248085b20be72eba4d9e2cc20c66af3b529e81023317260565c4d84a8757fa0a61d7d035bbe41994444865f3f829605451090c50cfc70da5ac3b4d5e90433ed61d0540a7e185a49738455f184283d1194300763a55e7c87510588b7b91de8b7c565fcb0236ff655d64bc191e3b025e3703ea26a9b42b2a6e08b373e1169b7bb99e23fce69ccabe0e222df133d39ec13c171f0a42ef27921536846b794ea4d314013b9419bafc9ea2431006bcebe26e1e4d3d10e03087a97a6c9f8d3d2fdcf2fcdee23c28e32d911333b6a11ad33f011d0080f522a45f5942c4cffb0da66cb46de4105a3fff9d9d430366996bc7ee350c14adc54c544fb9b22367163a759e18fc3c1e6303d6397ae05f984204e7b625da84f8869caabe6f22d2c9c117ccca0fd0d236b9e51bbb465985c4d70af591677cfa61a068ceeb0c364fa4525637852a176935ec1891c7f0ba6f67d2eabfd7e28a7f71e2dccfc1b2b8695d8880107101242be7ee1a6c80717e509d8d7f93624e5113bcce624d7f70a22f6ed26d496c90cd0a4ff772e51fd702056fe4f2c89ff6c2244fd932c75fe5c227afda2dfe901cfffde2e3afd9523bbfe662f469d8944279b724d5a8f7d255f8f8a4e6648ac790c5f9f764652588972a35ef17f24a2111fc74a3eb3969a0689e6bbcae1eb2fd6723ca8ec992ac886f4d92cc38cde3ccd97303decec3ec8ed0b2021ee7bce5e007ceca92f678d4e5462b8b96e9b4eb94893a8f9f2dc2ccd72ebaad9e8ffccd606f2bf2b6e014b239a61f0ac2e996177abadfa0fdcadf767d1b9c86fce5dcc4bca9a08b1029b18f938df18f632d06938bc10917344a6b4f16f20416a58578545bb7865a9a7f80626ff1321ce9436c1e713c149f0a424997344a2b4f91527ff7a22a18693a282169878c05b0745695fb8b199178031f9e42c3f11e6f43127e79e3e47e581d034086b52aab4f899270c6138ab9c81b2a014f3012ed778cea12aeb9ecd812c74f7a52a7ffda1dc17c901d8c7cf2df687d3160a87336e625346495db78bea5e31b5606cb6bae36d32a7697e57a9461f9902449556c38b12054b3075efa43677e6a9d377c255f6882d759454448b5336826298a8b28092c2b2f6e8ded53937ec96377eeea129079c01c1c4103d4397ae45f96020407b46adaef0652150137839ad13807235a763925245465f5c498b704ea594f80f2a8d1b0c42e4bed8e302ca62f7a5259094450c9c977706a295754fac92674552774b515e738d56777ea9ab7c0dad2014e6cf35199fcc35f5942045945b888a6caa4c82a8eb14cd4afc72d8aec8833d6d6b4f5a418d53cb8dd9a83c041a0acde6c424d394ca0cddf53c20e594dbcac1eacc353d13effdd1d403c95223bd11e870225c1bb47a16adc4fbdb29fa03d65a3e4e9c7f3eaa97173d49ecb02ae387359a604551b444647cbaa9651cb44365914bc379eea424f3f72a2270eda537f8e62ac21ac172e7ad3d90e47cd0ad091c30b7636eb5b8e06cd1a7041e70cfa11998b7829991378061da4bf66dd6bc3965974b82722eaf70e1aadbe9362f1a7ab458928f4eda953b3462945f0e4ef7632252868c98db3ef11ad78f35f19c200573c7adf1fbd3d235c563f4b220e8eed4c7051af78d29b8f41d270096b50ee094c17714a2437db2a79b6582a3f30e267302aad49afecadae6c2cef73326e59ed444c3b112170a4a328910b872905e8986e866dd430461fd542bbc9e1483f7562284fd3d24e4e6d0d308c26127547287a11d98f7b0d1e13bd4623fb5e598304d947fbaaa1d643b4cee432469ffb42998fc7725559f884e2499630749095ca77c81ab0c16427a7ba35592b781659b4bc189e7982582efbad1eb3bcd19e77822a5e493dd4dc847e06a3752198ecfb2fe6d2a5cf5412c53ee4ddb77f95a2c726a5c5abe4f6fb6b26d6cbb5d6e80573d816874505d4488b57d6ca4510c8b9eba3ce995344c60b8591c4c72bd5117bfcdea28208c6ac2ad22f060d05ccf84e67539a3ec1e3f0195dc4c0c4afd80d38b019a23ba09e103cc121f30bd1b6471aba47deaac29046bcfb62990fc7f25558f887e0e5a487a4a5c5d87445e928b073d5a6389a1ab83f1e9dc37fe1a23f4ee24dfe6c1cb301a12787ba755f2442a5b127a71a757914e0fbb521d490074d7a4c67710a9cf77d6a60b16fd8d2c34f7e52a33fcee2ed7f4ca2932ec60dd54cb8cfa652d437ba959e37c36a4691c5bff85d9d00bf971dfafcdf1f82bda09fe4bd74631bfe46dcc5828ba8c92e0fad12d0c1379c6a004989e8b36ba96e3753da8606659578789ba7465a5b47464aa59164833b49de2c3dafa3f25117884a0e090c0b334ea1335f5682cb3849246c3b2fe6f2556e789321f9c09b2bc1ee03b33e661cebff2e9d8c036e46b37b19de037d5e5cc33f89e22f01ada7af65d274496534c4a824d04bc436581bbd81df63bd4edf8d7d8f1c72bfe11d3000a422a4c798754454d90703eab60e9ab3fe91a2fbc0992ac76f357224271a2af9ae9b1239309f13bdf69f6b7d8e200cb52de850cd0f4c0d935001071c7a43d91e434326be65a2d878782563f83622d5b10b5cce81ec0fced20cfeef1ced0113c8f689a4135676856b372e253358663b3b265e84fd46a05b1e7ebda3e0b1	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe

description	pid	process	target process
PID 2520 wrote to memory of 1104	2520	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe
PID 2520 wrote to memory of 1104	2520	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe
PID 2520 wrote to memory of 1104	2520	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe
PID 2520 wrote to memory of 1104	2520	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe
PID 2520 wrote to memory of 1104	2520	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe	02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520

C:\Users\Admin\AppData\Local\Temp\02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe
2⤵
PID:1104

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\PCGWIN32.LI5
Filesize
2KB

MD5
acf5b207bf53601aad9c1b5e6cb95e06

SHA1
d196453bb4094fbd8649326aea7a53b996a671fb

SHA256
05101625250ed504cc635d08c848791871d0df6d601a1682abcbef0bb40d5246

SHA512
f2961385e82c658954906908fe4f9b3a34c71dbac818b7e49fbf90c7a3b84f1301cd877f597914691db2caaeda7e02324a98b1f52eac2548e7d76bb0e066fa0b

Download Submit
memory/1104-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1104-20-0x0000000010000000-0x000000001002D000-memory.dmp

Filesize
180KB

Download
memory/1104-17-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2520-3-0x0000000010000000-0x000000001002D000-memory.dmp

Filesize
180KB

Download
memory/2520-2-0x0000000010009000-0x000000001002D000-memory.dmp

Filesize
144KB

Download
memory/2520-1-0x0000000010000000-0x000000001002D000-memory.dmp

Filesize
180KB

Download
memory/2520-19-0x0000000010009000-0x000000001002D000-memory.dmp

Filesize
144KB

Download
memory/2520-18-0x0000000010000000-0x000000001002D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads