Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-06-2024 18:34

General

  • Target

    08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe

  • Size

    807KB

  • MD5

    08b0a0606c5218531babab185a80e2d5

  • SHA1

    083ebd56e8e093f8dc9e38579fa94a6518c98e59

  • SHA256

    cd7aadb8f27d40522b004279eeb351ffe94ef864a0cc8cb8072ba44c5c3578f0

  • SHA512

    ddc0d827a572a0cba460bdc5dcbc51b2cb361dfdfcefc182ef7aeb944a575eaca70a7c6e71c4651b8f6dbe57dd8382f6ba5ed9d40c9dfd822b712d70305c175f

  • SSDEEP

    24576:FYkjlzgR+tmbs1t9qgYohxfloUZhjaoJKwbgy:FYszhtmMKcoUvPJKwbgy

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that abuses public cloud and file-hosting services to fetch and run its second-stage payload, which belongs to other malware families.

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Pony,Fareit

    Pony (Fareit) is an information-stealing trojan: it harvests stored credentials from web browsers, FTP clients, e-mail clients and similar software, sends them to its command-and-control server, and can also download and run further payloads.

  • ModiLoader Second Stage 9 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Deletes itself 1 IoCs
  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 17 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 53 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 2 IoCs
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
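Several of the signatures above ("Modifies visibility of hidden/system files in Explorer", "Disables taskbar notifications via registry modification", "Adds Run key to start application", "Boot or Logon Autostart Execution: Active Setup") are registry writes, and the useful check on a host is not the absolute value but what changed relative to a clean baseline, because hidden files and protected OS files are hidden by default on Windows. The Python below is an added example, not part of the sandbox report: it parses two constructed .reg-style exports (before and after infection), diffs them, and classifies the changes. The key paths are the standard Windows locations for each setting; the value name under Run, the Active Setup GUID and the exported values are placeholders, since the report names the signatures but not the keys or values it saw.

```python
"""Registry diff for the persistence / Explorer-tampering signatures above (added example)."""
import re

# Constructed baseline: analyst had enabled 'show hidden files' and 'show protected OS files'.
SAMPLE_BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"""

# Constructed post-infection export; value names and the GUID are placeholders.
SAMPLE_AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"TaskbarNoNotification"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"merop"="C:\\Users\\Admin\\merop.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}]
"StubPath"="C:\\Users\\Admin\\cihost.exe"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9a-fA-F]{8})|"(?P<str>.*)")$')

ADVANCED = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
POLICIES = r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer"
RUN_KEYS = (r"hkey_current_user\software\microsoft\windows\currentversion\run",
            r"hkey_local_machine\software\microsoft\windows\currentversion\run")
ACTIVE_SETUP = r"hkey_local_machine\software\microsoft\active setup\installed components"
# Autostart entries outside these trees deserve a look; user-profile paths are the usual tell.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_reg_export(text):
    """Return {key: {name: value}}; dwords become int, REG_SZ strings are unescaped."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m["key"].lower()
            reg.setdefault(key, {})
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            value = int(m["dword"], 16) if m["dword"] is not None else m["str"].replace("\\\\", "\\")
            reg[key][m["name"].lower()] = value
    return reg


def changed_values(before, after):
    """(key, name, old, new) for every value that 'after' adds or alters relative to 'before'."""
    out = []
    for key, values in after.items():
        for name, new in values.items():
            old = before.get(key, {}).get(name)
            if old != new:
                out.append((key, name, old, new))
    return out


def audit(changes):
    """Map raw value changes onto the behaviours the sandbox signatures describe."""
    findings = []
    for key, name, old, new in changes:
        if key == ADVANCED and name == "hidden" and new == 2:
            findings.append(f"Explorer: hidden files re-hidden (Hidden {old} -> {new})")
        elif key == ADVANCED and name == "showsuperhidden" and new == 0:
            findings.append(f"Explorer: protected OS files re-hidden (ShowSuperHidden {old} -> {new})")
        elif key == POLICIES and name == "taskbarnonotification" and new == 1:
            findings.append("Policy: taskbar notifications disabled (TaskbarNoNotification=1)")
        elif key in RUN_KEYS and isinstance(new, str) and not new.lower().startswith(TRUSTED_PREFIXES):
            findings.append(f"Run: {name} -> {new}")
        elif (key.startswith(ACTIVE_SETUP + "\\") and name == "stubpath"
              and isinstance(new, str) and not new.lower().startswith(TRUSTED_PREFIXES)):
            guid = key.rsplit("\\", 1)[-1]
            findings.append(f"Active Setup: {guid} StubPath -> {new}")
    return findings


if __name__ == "__main__":
    before, after = parse_reg_export(SAMPLE_BEFORE), parse_reg_export(SAMPLE_AFTER)
    for finding in audit(changed_values(before, after)):
        print(finding)
```

On a live host the two exports would come from `reg export` of the relevant hives taken before and after detonation (or from a known-good image), so that a default-valued `Hidden=2` on a never-touched machine is not reported as tampering.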

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Suspicious use of UnmapMainImage
    PID:336
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
    PID:864
    • C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      2⤵
      PID:1376
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1372
    • C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1440
      • C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe
        08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe
        3⤵
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Users\Admin\eQDewf74.exe
          C:\Users\Admin\eQDewf74.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2680
          • C:\Users\Admin\merop.exe
            "C:\Users\Admin\merop.exe"
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:1104
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c tasklist&&del eQDewf74.exe
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2776
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:2820
        • C:\Users\Admin\aihost.exe
          C:\Users\Admin\aihost.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2548
          • C:\Users\Admin\aihost.exe
            aihost.exe
            5⤵
            • Executes dropped EXE
            • Maps connected drives based on registry
            • Suspicious behavior: EnumeratesProcesses
            PID:3004
        • C:\Users\Admin\bihost.exe
          C:\Users\Admin\bihost.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2996
          • C:\Users\Admin\bihost.exe
            bihost.exe
            5⤵
            • Executes dropped EXE
            • Maps connected drives based on registry
            • Suspicious behavior: EnumeratesProcesses
            PID:2240
        • C:\Users\Admin\cihost.exe
          C:\Users\Admin\cihost.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2480
          • C:\Users\Admin\cihost.exe
            C:\Users\Admin\cihost.exe startC:\Users\Admin\AppData\Roaming\C0C4A\D4D83.exe%C:\Users\Admin\AppData\Roaming\C0C4A
            5⤵
            • Executes dropped EXE
            PID:1824
          • C:\Users\Admin\cihost.exe
            C:\Users\Admin\cihost.exe startC:\Program Files (x86)\4A449\lvvm.exe%C:\Program Files (x86)\4A449
            5⤵
            • Executes dropped EXE
            PID:2652
          • C:\Program Files (x86)\LP\836C\B50D.tmp
            "C:\Program Files (x86)\LP\836C\B50D.tmp"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1988
        • C:\Users\Admin\dihost.exe
          C:\Users\Admin\dihost.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2964
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe"
            5⤵
            PID:3036
        • C:\Users\Admin\eihost.exe
          C:\Users\Admin\eihost.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2984
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe
          4⤵
          • Deletes itself
          PID:2844
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:2876
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2420
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2268
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
    PID:1956
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    PID:1808
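Three patterns in the tree above are worth turning into rules rather than reading by eye: the `cmd.exe /c tasklist&&del <file>` chain (the `tasklist` call buys time for the parent to exit and release its file lock, after which `del` removes the dropper, matching the "Deletes itself" signature); a process spawning a second copy of its own image while the sandbox flags SetThreadContext and WriteProcessMemory on the parent, which is the process-hollowing shape, confirmed here by the child's mapped image region (0x400000-0x515000 for PID 1688) being far larger than the parent's (0x400000-0x417000 for PID 1440); and cihost.exe's `start<exe>%<dir>` argument, which names the dropped copy and its directory. The Python below is an added example, not part of the sandbox report: its process events and memory-region records are constructed from the PIDs, command lines and memory-dump names shown on this page (a subset of the tree), and the function names are this example's own.

```python
"""Triage rules for the process tree above (added example, not from the report)."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str      # full path of the executable on disk
    cmdline: str    # command line as captured


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe"

# Constructed from the report's process tree (a subset of the processes it shows).
SAMPLE_EVENTS = [
    ProcEvent(1440, 1372, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1688, 1440, SAMPLE, "08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe"),
    ProcEvent(2680, 1688, r"C:\Users\Admin\eQDewf74.exe", r"C:\Users\Admin\eQDewf74.exe"),
    ProcEvent(2776, 2680, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c tasklist&&del eQDewf74.exe'),
    ProcEvent(2548, 1688, r"C:\Users\Admin\aihost.exe", r"C:\Users\Admin\aihost.exe"),
    ProcEvent(3004, 2548, r"C:\Users\Admin\aihost.exe", "aihost.exe"),
    ProcEvent(2480, 1688, r"C:\Users\Admin\cihost.exe", r"C:\Users\Admin\cihost.exe"),
    ProcEvent(1824, 2480, r"C:\Users\Admin\cihost.exe",
              r"C:\Users\Admin\cihost.exe startC:\Users\Admin\AppData\Roaming\C0C4A\D4D83.exe%C:\Users\Admin\AppData\Roaming\C0C4A"),
    ProcEvent(2844, 1688, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c tasklist&&del 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe'),
]

# Constructed from the memory-dump names in the report's Downloads section.
SAMPLE_DUMPS = [
    "memory/1440-10-0x0000000000400000-0x0000000000417000-memory.dmp",
    "memory/1688-4-0x0000000000400000-0x0000000000515000-memory.dmp",
    "memory/2548-68-0x0000000000400000-0x0000000000416000-memory.dmp",
    "memory/3004-52-0x0000000000400000-0x0000000000437000-memory.dmp",
    "memory/2480-153-0x0000000000400000-0x000000000046B000-memory.dmp",
    "memory/1824-155-0x0000000000400000-0x000000000046B000-memory.dmp",
]

SELF_DELETE_RE = re.compile(r"/c\s+tasklist\s*&&\s*del\s+(?P<target>\S+)", re.IGNORECASE)
MEM_RE = re.compile(r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp")
START_RE = re.compile(r"\bstart(?P<exe>[A-Za-z]:\\.+?\.exe)%(?P<dir>[A-Za-z]:\\.+)$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_self_delete(events):
    """cmd.exe '/c tasklist&&del <file>' where <file> is the parent's own image name."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) != "cmd.exe":
            continue
        m = SELF_DELETE_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and basename(m["target"]) == basename(parent.image):
            hits.append((parent.pid, basename(parent.image)))
    return hits


def image_region_size(dumps, pid, base=0x400000):
    """Largest dumped region that starts at the default image base for this pid, in bytes."""
    size = 0
    for d in dumps:
        m = MEM_RE.fullmatch(d)
        if m and int(m["pid"]) == pid and int(m["start"], 16) == base:
            size = max(size, int(m["end"], 16) - base)
    return size


def detect_hollowing_candidates(events, dumps):
    """Parent spawning its own image; a child whose image region outgrows the parent's
    means a different PE was mapped into it (the SetThreadContext/WriteProcessMemory case)."""
    by_pid = {e.pid: e for e in events}
    out = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if not parent or parent.image.lower() != e.image.lower():
            continue
        p, c = image_region_size(dumps, parent.pid), image_region_size(dumps, e.pid)
        out.append({"parent": parent.pid, "child": e.pid, "image": basename(e.image),
                    "parent_bytes": p, "child_bytes": c, "child_larger": c > p})
    return out


def parse_start_argument(cmdline):
    """cihost.exe's 'start<exe>%<dir>' argument -> (dropped exe path, its directory)."""
    m = START_RE.search(cmdline)
    return (m["exe"], m["dir"]) if m else None


if __name__ == "__main__":
    for hit in detect_self_delete(SAMPLE_EVENTS):
        print("self-delete of PID %d (%s)" % hit)
    for cand in detect_hollowing_candidates(SAMPLE_EVENTS, SAMPLE_DUMPS):
        print("same-image child:", cand)
    print(parse_start_argument(SAMPLE_EVENTS[7].cmdline))
```

The cihost.exe pair (PIDs 2480 and 1824) is the control case: same image, but equal 428KB regions and no SetThreadContext on the parent, so the rule reports it without calling it hollowing; the two aihost/dropper pairs show the size jump that goes with the injected second stage.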

              Network

              MITRE ATT&CK Enterprise v15


              Downloads

              • C:\Users\Admin\AppData\Roaming\C0C4A\A449.0C4

                Filesize

                300B

                MD5

                da828cc072fc77f50ff90fb5db92bced

                SHA1

                222e40ec652991b2d3cb80967950d213176ccd98

                SHA256

                80373662d97a94e5c35e971ee0d114dcf579267ac9821eb7386788c612dec1d5

                SHA512

                fd509f98636750d94e2061194da1a2cbf061b966a748373c86a1da71de0cb6ba34149f7164d2b7f1bcf316472bd2cba5a03eaf7630a1453274fc0abf142a8805

              • C:\Users\Admin\AppData\Roaming\C0C4A\A449.0C4

                Filesize

                600B

                MD5

                4720ad52b10ded6396df3b7d28329c5b

                SHA1

                ee639bd4da482e66f5f913edf1b37eaed70b591a

                SHA256

                a08c71133ac10e332df87303481eb6bcdf8ceac57df9bf6ad1c16f97d58103c9

                SHA512

                2731bd21e95768fa84209300079b57ca159542489b9edca23e0a8565ce346c9f7d192b874736cb12f1eba3bf8fb64c2e760fcbd35699278656bef4f686974d32

              • C:\Users\Admin\AppData\Roaming\C0C4A\A449.0C4

                Filesize

                996B

                MD5

                e23eea83ff603ff3a0f596f808828356

                SHA1

                820f6e3eff93bc4b6ffb9e8a0634e0a3abf167f8

                SHA256

                a3580f504f3d2ea770f4b113ac987e18c5a4787dc36eb81c005d9cfc6c14d2db

                SHA512

                754146ede76aa1eddc8210a0d2d56f90008c856b5c045a55c586bdf86e97a0acdc51976dffc79ec3e196a8fb0dc4a128252126c8383440ed1f8bbce5f64f8510

              • C:\Users\Admin\AppData\Roaming\C0C4A\A449.0C4

                Filesize

                1KB

                MD5

                c1caaf6e8b87e9818e9c305218db827e

                SHA1

                da8466c1901ca767a94b39fb0eb2f2344c8c3c8f

                SHA256

                f5e4ed2c5b4b7dd76c456cdfa7d0ee62dfa1e605d56ca146754ce3b0715ffe60

                SHA512

                c9e47ac9035d069185cb07252499745607718b641e0bdcd13d0c0840538737e3680977e5e53b1d3348f4a8472494de6865fadce4063d69a931010f2a1cf5131a

              • C:\Users\Admin\cihost.exe

                Filesize

                279KB

                MD5

                4df3241b8f53ad2d1c0bba6dc1b97e02

                SHA1

                f0c43893143a3442a453f56c9c4f740941b1d097

                SHA256

                407e0425757e28262c3054c1dc981a9f41cf83cd67ecfbf37d3b8fe74db54199

                SHA512

                e90e4a8b708fb9d3213f73e641fa39625a38fa969270ef1123206fb30d04837f018b9838aa02a234265c0b9ba765f567b748a7b73c437b96daba7a15e5e38663

              • C:\Users\Admin\eihost.exe

                Filesize

                28KB

                MD5

                f06f7a3945f4f78ee2c6d1ed35cbb5be

                SHA1

                ac1ab0f60a94286b6f01b40431e6f87f6e9899bf

                SHA256

                a2c720d07e18b73143b040ab817bad7da98ed2a262d55e6119b9cbd8b93dbbe3

                SHA512

                23f1fc1f15aab030c3d19a1c166479a52659b91dac00fff1301ddfd6e5e62279d45ec176f2e891098eb0d613d1f148952bf71341227b35f52c3bc2bf5fcdad14

              • \??\globalroot\systemroot\assembly\temp\@

                Filesize

                2KB

                MD5

                6500e5fd603660eb2b6729779c9a428c

                SHA1

                557043e6aa1685fe8a34fad7fbcc6dbec057b2f0

                SHA256

                ab51a0675834728b0a444f1859ad4b560bf3fb5f8e420f61894bea168785dfb2

                SHA512

                b4ccd0b3efdf082f9a03f3c04fa2a61bf5d5bb0cc54fe76df155977a2958e857785c047d055196bc9035cb413cac622115e0fd7c4dd96fa9404e31269c7e1fe9

              • \Program Files (x86)\LP\836C\B50D.tmp

                Filesize

                100KB

                MD5

                4c04ec47c44bc997519e18ce5f20e9d6

                SHA1

                680968fe85eaa19ac68b8dabf3371dd81684ed83

                SHA256

                446ddf0822deef56cedbfa0910143c744835ed765d128408d9ea994a569581a2

                SHA512

                e33e959e25d09152c1f64d60a7733f7c7a1dfd9f0bee6ed1f8aa18cf5e5248442e365d211c4555e0723b4e23e97c0a99d43b8fe6538cc9c77f0d39fd73616279

              • \Users\Admin\aihost.exe

                Filesize

                229KB

                MD5

                c7b9733430c4bf7f56a0c89d7f2dd9cf

                SHA1

                0a894c98e17a8c81a378a37c2230cf188932d21e

                SHA256

                8047916855a52a9b5e97c010e8fc2dc01a9ed91d2798a6869f8669ea4a92940d

                SHA512

                4aefe0746e896c00bc908128ba63e13d2abed9e839d13da14042365afb81d85bf75537292f7323a56694258ddec7a88b57202721b62651cfcbef2932c0cb2464

              • \Users\Admin\bihost.exe

                Filesize

                119KB

                MD5

                386fef8fdb975e7c102921910db7f9fb

                SHA1

                cdf3f86411189db08c8c0f887f26c2572ecc0889

                SHA256

                ae06d784c51702aff587d235d48de3b1162872069fac4602d921d023527efae0

                SHA512

                6ab8c2721c81bdff414e8cdbd7ca006abf3ed8c0155510d6c92555885038f33c1cf08372302b6465196f69aa15a7305fb05eb2e12026f1fc96a797646b8d2352

              • \Users\Admin\dihost.exe

                Filesize

                244KB

                MD5

                88537f3fd69e60683c4467e89b7651af

                SHA1

                2c14a9010bed93b0622efe283a34de343ca33244

                SHA256

                4a7897e22ad30c516920e6441dc360a98114f15d9652b89909758f4966029692

                SHA512

                b3d070628092558770e08386eeabf69efc613ce163ce1f50cc00a81a78cbec6b667a84a4f09144b7f0c145ec28929b78deee4f7cab10ce7ac9a2f9c536ce8084

              • \Users\Admin\eQDewf74.exe

                Filesize

                180KB

                MD5

                42836a2ee8ce9deef8d846272ef3949f

                SHA1

                79f698c53e56c96c859a0155e02a24c93e120145

                SHA256

                5569f623253918233149531fbd49bd624af013695bf0f7d8b53ef58b062e6a37

                SHA512

                786802f71512228215ddac4d23a7eec6e8cfb8ab4c02ba0a03b06241431e70c202e845ce08222945f668218d91dd6630e9e5499be0b44fda7b3dc29e98231d85

              • \Users\Admin\merop.exe

                Filesize

                180KB

                MD5

                10ee467c5a813c878106b2cd53ad843e

                SHA1

                c7677950669e79418430936f2e8a66707e5536bf

                SHA256

                cd6746d196735ede609a5a8cecadd1619d8dfcb1fa8e1dce8c6f9d6611b25cec

                SHA512

                6331fa32fd1b8dacca8cf65c0db4cee6a65b81cb3da6f2b0c81534f9694421777e86c79330fde0b7f5fc5209c2dd0c6248d852a556229fa24b330d89cacae37f

              • \Windows\System32\consrv.dll

                Filesize

                53KB

                MD5

                63e99b675a1337db6d8430195ea3efd2

                SHA1

                1baead2bf8f433dc82f9b2c03fd65ce697a92155

                SHA256

                6616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9

                SHA512

                f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f

              • \Windows\assembly\GAC_32\Desktop.ini

                Filesize

                4KB

                MD5

                758f90d425814ea5a1d2694e44e7e295

                SHA1

                64d61731255ef2c3060868f92f6b81b4c9b5fe29

                SHA256

                896221147d8172197cbbf06c45d461141ce6b4af38027c1a22d57c1165026433

                SHA512

                11858e498309f611ee6241c026a402d6d979bffe28d4cbf7c9d5a89c3f3de25e1d253ab552ef7bc7cc43dd056307bd625e2e4f09beb21f0214c3946113b97ca9

              • memory/1440-10-0x0000000000400000-0x0000000000417000-memory.dmp

                Filesize

                92KB

              • memory/1688-4-0x0000000000400000-0x0000000000515000-memory.dmp

                Filesize

                1.1MB

              • memory/1688-407-0x0000000000400000-0x0000000000515000-memory.dmp

                Filesize

                1.1MB

              • memory/1688-0-0x0000000000400000-0x0000000000515000-memory.dmp

                Filesize

                1.1MB

              • memory/1688-2-0x0000000000400000-0x0000000000515000-memory.dmp

                Filesize

                1.1MB

              • memory/1688-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                Filesize

                4KB

              • memory/1688-12-0x0000000000400000-0x0000000000515000-memory.dmp

                Filesize

                1.1MB

              • memory/1688-13-0x0000000000400000-0x0000000000515000-memory.dmp

                Filesize

                1.1MB

              • memory/1688-6-0x0000000000400000-0x0000000000515000-memory.dmp

                Filesize

                1.1MB

              • memory/1688-14-0x0000000000400000-0x0000000000515000-memory.dmp

                Filesize

                1.1MB

              • memory/1688-111-0x0000000000400000-0x0000000000515000-memory.dmp

                Filesize

                1.1MB

              • memory/1688-15-0x0000000000400000-0x0000000000515000-memory.dmp

                Filesize

                1.1MB

              • memory/1824-155-0x0000000000400000-0x000000000046B000-memory.dmp

                Filesize

                428KB

              • memory/2240-79-0x0000000000400000-0x0000000000427000-memory.dmp

                Filesize

                156KB

              • memory/2240-81-0x0000000000400000-0x0000000000427000-memory.dmp

                Filesize

                156KB

              • memory/2240-87-0x0000000000400000-0x0000000000427000-memory.dmp

                Filesize

                156KB

              • memory/2240-92-0x0000000000400000-0x0000000000427000-memory.dmp

                Filesize

                156KB

              • memory/2240-93-0x0000000000400000-0x0000000000427000-memory.dmp

                Filesize

                156KB

              • memory/2240-94-0x0000000000400000-0x0000000000427000-memory.dmp

                Filesize

                156KB

              • memory/2240-83-0x0000000000400000-0x0000000000427000-memory.dmp

                Filesize

                156KB

              • memory/2480-153-0x0000000000400000-0x000000000046B000-memory.dmp

                Filesize

                428KB

              • memory/2548-68-0x0000000000400000-0x0000000000416000-memory.dmp

                Filesize

                88KB

              • memory/2964-156-0x00000000004A0000-0x00000000004DC000-memory.dmp

                Filesize

                240KB

              • memory/2964-164-0x00000000004A0000-0x00000000004DC000-memory.dmp

                Filesize

                240KB

              • memory/2964-160-0x00000000004A0000-0x00000000004DC000-memory.dmp

                Filesize

                240KB

              • memory/2964-166-0x0000000000400000-0x000000000045D000-memory.dmp

                Filesize

                372KB

              • memory/2964-229-0x00000000004A0000-0x00000000004DC000-memory.dmp

                Filesize

                240KB

              • memory/2996-89-0x0000000000400000-0x0000000000416000-memory.dmp

                Filesize

                88KB

              • memory/3004-151-0x0000000000400000-0x0000000000437000-memory.dmp

                Filesize

                220KB

              • memory/3004-56-0x0000000000400000-0x0000000000437000-memory.dmp

                Filesize

                220KB

              • memory/3004-59-0x0000000000400000-0x0000000000437000-memory.dmp

                Filesize

                220KB

              • memory/3004-62-0x0000000000400000-0x0000000000437000-memory.dmp

                Filesize

                220KB

              • memory/3004-66-0x0000000000400000-0x0000000000437000-memory.dmp

                Filesize

                220KB

              • memory/3004-54-0x0000000000400000-0x0000000000437000-memory.dmp

                Filesize

                220KB

              • memory/3004-70-0x0000000000400000-0x0000000000437000-memory.dmp

                Filesize

                220KB

              • memory/3004-52-0x0000000000400000-0x0000000000437000-memory.dmp

                Filesize

                220KB