Analysis Overview
SHA256
78074191806c5291da8620b5a2d1f2b5a1f1ae030800f2f0aafc8245454cd1f0
Threat Level: Known bad
The file 080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
ModiLoader, DBatLoader
Modifies firewall policy service
ModiLoader Second Stage
Loads dropped DLL
Executes dropped EXE
Enumerates connected drives
Adds Run key to start application
Installs/modifies Browser Helper Object
Suspicious use of SetThreadContext
Drops file in System32 directory
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 17:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 17:07
Reported
2024-06-20 17:10
Platform
win7-20231129-en
Max time kernel
140s
Max time network
123s
Command Line
Signatures
ModiLoader, DBatLoader
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer" | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NvVid.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NvVideoCenter = "C:\\Windows\\system32\\NvVid.exe" | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\v: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\p: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\n: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\j: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\i: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\h: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\e: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\y: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\r: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\q: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\o: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\g: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\u: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\s: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\m: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\l: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\k: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\z: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\x: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\w: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\t: | C:\Windows\SysWOW64\NvVid.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\browser helper obJects\{23314D99-1240-4d4f-A25C-17E44823D048} | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\NvVid.sys | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\NvVid.exe | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\NvVid.exe | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\ipv6monl.dll | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
| File opened for modification | C:\Windows\SysWOW64\ipv6monl.dll | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1656 set thread context of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048}\InprocServer32\ = "C:\\Windows\\SysWow64\\ipv6monl.dll" | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048}\InprocServer32\ThreadingModel = "apartment" | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048}\InprocServer32\Enable Browser Extensions = "yes" | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{23314D99-1240-4d4f-A25C-17E44823D048} | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048} | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp |
| C:\Windows\SysWOW64\NvVid.exe | C:\Windows\system32\NvVid.exe |
| C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp |
Network
Files
memory/2344-0-0x0000000000400000-0x0000000000404000-memory.dmp
\Users\Admin\AppData\Local\Temp\tmp107.tmp
| MD5 | 45203d8f70415aa4e19d70dbaae20a06 |
| SHA1 | 63325381fa3b86c1a056809e7c4d83b6a7db6305 |
| SHA256 | d61697bc06aae1b6b617b7d17ffe5be4f0e01946d6e17a7326bf18c0100566a0 |
| SHA512 | dbc38698d259405ab6f901bdc08464eca50391f787c6020821d2ed2effdb4f38d622fe77404833c9bd1b9d45560272048df7703de238890f16d4000b7013da25 |
\Windows\SysWOW64\NvVid.exe
| MD5 | 080e6056bb634db0ca0281f0a2e1f40c |
| SHA1 | fbe3b9e8b738ea92eba1752a707fc312aae500b8 |
| SHA256 | 78074191806c5291da8620b5a2d1f2b5a1f1ae030800f2f0aafc8245454cd1f0 |
| SHA512 | af0b02bc6e0cd2455b59b357cdb123985323c91285f9b0d1e3c278b67f1168b2e0a86104d40f07ef47be6cd3104d635e5269f62d625b2166c71af6b5bd8ffdf4 |
memory/1656-20-0x0000000013140000-0x000000001315F000-memory.dmp
memory/3068-17-0x0000000000400000-0x0000000000416000-memory.dmp
memory/3068-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3068-14-0x0000000000400000-0x0000000000416000-memory.dmp
memory/3068-24-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2344-25-0x0000000000020000-0x0000000000024000-memory.dmp
memory/2344-29-0x0000000000400000-0x0000000000404000-memory.dmp
memory/3052-33-0x0000000000400000-0x0000000000404000-memory.dmp
memory/3068-32-0x0000000000400000-0x0000000000416000-memory.dmp
memory/3068-34-0x0000000000400000-0x0000000000416000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 17:07
Reported
2024-06-20 17:10
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
ModiLoader, DBatLoader
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer" | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NvVid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NvVideoCenter = "C:\\Windows\\system32\\NvVid.exe" | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\y: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\q: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\m: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\l: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\k: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\j: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\x: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\w: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\u: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\s: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\r: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\z: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\v: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\o: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\n: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\i: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\t: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\p: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\h: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\g: | C:\Windows\SysWOW64\NvVid.exe | N/A |
| File opened (read-only) | \??\e: | C:\Windows\SysWOW64\NvVid.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\browser helper obJects\{23314D99-1240-4d4f-A25C-17E44823D048} | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\NvVid.sys | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\NvVid.exe | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\NvVid.exe | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\ipv6monl.dll | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
| File opened for modification | C:\Windows\SysWOW64\ipv6monl.dll | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2648 set thread context of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048}\InprocServer32\Enable Browser Extensions = "yes" | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{23314D99-1240-4d4f-A25C-17E44823D048} | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048} | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048}\InprocServer32\ = "C:\\Windows\\SysWow64\\ipv6monl.dll" | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048}\InprocServer32\ThreadingModel = "apartment" | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp |
| C:\Windows\SysWOW64\NvVid.exe | C:\Windows\system32\NvVid.exe |
| C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp |
Network
Files
memory/4788-0-0x0000000000400000-0x0000000000404000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp107.tmp
| MD5 | 45203d8f70415aa4e19d70dbaae20a06 |
| SHA1 | 63325381fa3b86c1a056809e7c4d83b6a7db6305 |
| SHA256 | d61697bc06aae1b6b617b7d17ffe5be4f0e01946d6e17a7326bf18c0100566a0 |
| SHA512 | dbc38698d259405ab6f901bdc08464eca50391f787c6020821d2ed2effdb4f38d622fe77404833c9bd1b9d45560272048df7703de238890f16d4000b7013da25 |
memory/4788-9-0x0000000000400000-0x0000000000404000-memory.dmp
C:\Windows\SysWOW64\NvVid.exe
| MD5 | 080e6056bb634db0ca0281f0a2e1f40c |
| SHA1 | fbe3b9e8b738ea92eba1752a707fc312aae500b8 |
| SHA256 | 78074191806c5291da8620b5a2d1f2b5a1f1ae030800f2f0aafc8245454cd1f0 |
| SHA512 | af0b02bc6e0cd2455b59b357cdb123985323c91285f9b0d1e3c278b67f1168b2e0a86104d40f07ef47be6cd3104d635e5269f62d625b2166c71af6b5bd8ffdf4 |
memory/2648-14-0x0000000013140000-0x000000001315F000-memory.dmp
memory/2356-15-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2356-18-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2356-10-0x0000000000400000-0x0000000000416000-memory.dmp
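The behavioral1 and behavioral2 signature tables above give a complete persistence chain: a Run value named NvVideoCenter pointing at C:\Windows\system32\NvVid.exe, the copy actually dropped under C:\Windows\SysWOW64, a BHO CLSID registered both under Explorer\Browser Helper Objects and as a COM InprocServer32 backed by ipv6monl.dll, and a firewall AuthorizedApplications entry for IEXPLORE.EXE. Two details trip up naive hunting: the same key is logged as Wow6432Node on the Win7 run and WOW6432Node on the Win10 run, and the Run value names system32 while the file lives in SysWOW64 because a 32-bit writer on 64-bit Windows is redirected there. The script below is an added example, not part of the sandbox report or the malware: it matches constructed registry and file events (same paths as the report rows, in a made-up "kind|process|path|value" line format that is an assumption for illustration) against those indicators, and correlates the Run value target with the dropped file after normalising for redirection and case.

```python
"""Hunt for the persistence indicators in the ModiLoader/DBatLoader report.

Added example, not part of the sandbox report. The event line format
"kind|process|path|value" is an assumption for illustration, not a vendor
log format; the sample events are constructed from the report's rows plus
one benign Run value for contrast.
"""
from collections import defaultdict

# Indicators lifted from the behavioral1 / behavioral2 signature tables.
RUN_VALUE_NAME = "nvvideocenter"
BHO_CLSID = "{23314d99-1240-4d4f-a25c-17e44823d048}"
DROPPED_NAMES = {"nvvid.exe", "nvvid.sys", "ipv6monl.dll"}
FIREWALL_LIST = ("sharedaccess\\parameters\\firewallpolicy\\standardprofile"
                 "\\authorizedapplications\\list")

# Constructed sample events; last line is a benign autostart that must not match.
SAMPLE_EVENTS = r"""
reg_set|C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe|\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NvVideoCenter|C:\Windows\system32\NvVid.exe
file_create|C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe|C:\Windows\SysWOW64\NvVid.exe|
file_create|C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe|C:\Windows\SysWOW64\NvVid.sys|
file_create|C:\Users\Admin\AppData\Local\Temp\tmp107.tmp|C:\Windows\SysWOW64\ipv6monl.dll|
reg_create|C:\Users\Admin\AppData\Local\Temp\tmp107.tmp|\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\browser helper obJects\{23314D99-1240-4d4f-A25C-17E44823D048}|
reg_set|C:\Users\Admin\AppData\Local\Temp\tmp107.tmp|\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048}\InprocServer32\|C:\Windows\SysWow64\ipv6monl.dll
reg_set|C:\Users\Admin\AppData\Local\Temp\tmp107.tmp|\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE|C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer
reg_set|C:\Windows\explorer.exe|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater|C:\Program Files\Example\updater.exe
"""


def normalize(path):
    """Case-fold a file or registry path and undo WOW64 file-system redirection.

    Case-folding makes Wow6432Node (Win7 run) and WOW6432Node (Win10 run)
    compare equal. Mapping system32 -> syswow64 lets the Run value target
    (written as system32) match the file the sample actually created under
    SysWOW64. The unconditional mapping assumes a 64-bit host, as in both
    detonations; on 32-bit Windows no redirection happens.
    """
    p = path.strip().strip('"').lower()
    return p.replace("\\windows\\system32\\", "\\windows\\syswow64\\")


def parse_events(text):
    """Turn the line format into (kind, process, path, value) tuples."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            kind, proc, path, value = line.split("|", 3)
            events.append((kind, proc, path, value))
    return events


def classify(event):
    """Return the report signature names a single event matches."""
    kind, _proc, path, _value = event
    p = normalize(path)
    hits = []
    if kind == "reg_set" and "\\currentversion\\run\\" in p and p.endswith(RUN_VALUE_NAME):
        hits.append("Adds Run key to start application")
    if kind.startswith("reg_") and BHO_CLSID in p and "browser helper objects" in p:
        hits.append("Installs/modifies Browser Helper Object")
    if kind == "reg_set" and BHO_CLSID in p and p.endswith("\\inprocserver32\\"):
        hits.append("Modifies registry class")  # COM server registration for the BHO
    if kind == "reg_set" and FIREWALL_LIST in p:
        hits.append("Modifies firewall policy service")
    if kind == "file_create" and "\\windows\\syswow64\\" in p \
            and p.rsplit("\\", 1)[-1] in DROPPED_NAMES:
        hits.append("Drops file in System32 directory")
    return hits


def hunt(text):
    """Group matching event paths by signature name."""
    findings = defaultdict(list)
    for ev in parse_events(text):
        for sig in classify(ev):
            findings[sig].append(ev[2])
    return dict(findings)


def run_key_points_at_dropped_file(events):
    """Correlate autostart with drop: return the normalised Run value target
    when it equals a file some event created, else None."""
    dropped = {normalize(path) for kind, _, path, _ in events if kind == "file_create"}
    for kind, _, path, value in events:
        if kind == "reg_set" and "\\currentversion\\run\\" in normalize(path):
            target = normalize(value)
            if target in dropped:
                return target
    return None


if __name__ == "__main__":
    for sig, paths in hunt(SAMPLE_EVENTS).items():
        print(f"{sig}: {len(paths)} event(s)")
    print("autostart target dropped:", run_key_points_at_dropped_file(parse_events(SAMPLE_EVENTS)))
```

Run against real telemetry, feed `hunt()` registry and file events from the EDR or Sysmon source of choice (converted to the same four fields), and treat a `run_key_points_at_dropped_file()` hit as the strongest signal: a fresh autostart entry whose target was written by the same chain of processes is the persistence behaviour the report describes, independent of the file names, which a later build can change.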