modiloader | 21e5d0544922b8df3b3e76148004184570715428cce71fa771d6bd53436f4a52

General

Target

72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe
Size

812KB
MD5

72da2354774e05eeb43fe06ea0d94144
SHA1

673943c26f75aeb5bebd1118fecbb46632c60fef
SHA256

21e5d0544922b8df3b3e76148004184570715428cce71fa771d6bd53436f4a52
SHA512

e964c440ac945ec77aebde350dd4720f6cb4475229b399fbd1ef40fdc6ec65461fe845a482f40e2a3d69234bd6b6a6714d65e126e871dacf577dac3d1dd088e5
SSDEEP

12288:4YknjLpsBNoLE126lU1tMGjYIFW4+zyZGumGgTtrDJrPsfL4oTO27uqULG1R:4Ykjlsr+8lUCpeZM3BDhPC5u/G

Score

10^/10

modiloader discovery evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

bxpTXK8W.exepuoivo.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bxpTXK8W.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	puoivo.exe

ModiLoader Second Stage 11 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2104-4-0x0000000000400000-0x0000000000417000-memory.dmp	modiloader_stage2
behavioral2/memory/2812-8-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2
behavioral2/memory/2812-7-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2
behavioral2/memory/2812-12-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2
C:\Users\Admin\akhost.exe	modiloader_stage2
behavioral2/memory/408-50-0x0000000000400000-0x0000000000416000-memory.dmp	modiloader_stage2
C:\Users\Admin\bkhost.exe	modiloader_stage2
behavioral2/memory/4624-58-0x0000000000400000-0x0000000000417000-memory.dmp	modiloader_stage2
behavioral2/memory/2812-70-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2
behavioral2/memory/2812-90-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2
behavioral2/memory/2812-93-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bxpTXK8W.exe72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	bxpTXK8W.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe

Executes dropped EXE 9 IoCs

Processes:

bxpTXK8W.exeakhost.exepuoivo.exeakhost.exebkhost.exebkhost.execkhost.exedkhost.exeekhost.exe

pid process

3292 bxpTXK8W.exe
408 akhost.exe
4252 puoivo.exe
3504 akhost.exe
4624 bkhost.exe
1884 bkhost.exe
4532 ckhost.exe
4936 dkhost.exe
1188 ekhost.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2812-0-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral2/memory/2812-1-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral2/memory/2812-6-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral2/memory/2812-8-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral2/memory/2812-7-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral2/memory/2812-12-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral2/memory/1884-54-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1884-55-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1884-62-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1884-61-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1884-60-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/2812-70-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral2/memory/2812-90-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral2/memory/2812-93-0x0000000000400000-0x0000000000516000-memory.dmp	upx

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

puoivo.exebxpTXK8W.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /r"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /F"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /g"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /n"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /J"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /p"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /e"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /S"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /U"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /K"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /M"	bxpTXK8W.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /L"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /c"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /v"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /H"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /d"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /x"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /R"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /y"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /w"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /P"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /k"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /M"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /q"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /C"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /s"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /T"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /D"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /m"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /t"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /j"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /X"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /h"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /N"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /l"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /z"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /i"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /E"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /G"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /o"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /I"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /Q"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /f"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /u"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /W"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /Y"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /a"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /Z"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /O"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /B"	puoivo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoivo = "C:\\Users\\Admin\\puoivo.exe /b"	puoivo.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

akhost.exebkhost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	akhost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	akhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	bkhost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	bkhost.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

3176 tasklist.exe
3476 tasklist.exe

pid	process
3176	tasklist.exe
3476	tasklist.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exeakhost.exebkhost.exedkhost.exe

description	pid	process	target process
PID 2104 set thread context of 2812	2104	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe
PID 408 set thread context of 3504	408	akhost.exe	akhost.exe
PID 4624 set thread context of 1884	4624	bkhost.exe	bkhost.exe
PID 4936 set thread context of 2992	4936	dkhost.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3436 4532 WerFault.exe ckhost.exe

pid	pid_target	process	target process
3436	4532	WerFault.exe	ckhost.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.execkhost.exedkhost.exeekhost.exetasklist.exetasklist.exe72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exebxpTXK8W.exebkhost.exeakhost.exepuoivo.execmd.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ckhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dkhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ekhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxpTXK8W.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bkhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	akhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puoivo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bxpTXK8W.exeakhost.exepuoivo.exebkhost.exe

pid	process
3292	bxpTXK8W.exe
3292	bxpTXK8W.exe
3292	bxpTXK8W.exe
3292	bxpTXK8W.exe
3504	akhost.exe
3504	akhost.exe
3504	akhost.exe
3504	akhost.exe
3504	akhost.exe
3504	akhost.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
1884	bkhost.exe
1884	bkhost.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
3504	akhost.exe
3504	akhost.exe
3504	akhost.exe
3504	akhost.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
3504	akhost.exe
3504	akhost.exe
3504	akhost.exe
3504	akhost.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe
4252	puoivo.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tasklist.exedkhost.exetasklist.exe

description pid process

Token: SeDebugPrivilege 3176 tasklist.exe
Token: SeDebugPrivilege 4936 dkhost.exe
Token: SeDebugPrivilege 3476 tasklist.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exebxpTXK8W.exepuoivo.exeekhost.exe

pid process

2812 72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe
3292 bxpTXK8W.exe
4252 puoivo.exe
1188 ekhost.exe

description	pid	process
Token: SeDebugPrivilege	3176	tasklist.exe
Token: SeDebugPrivilege	4936	dkhost.exe
Token: SeDebugPrivilege	3476	tasklist.exe

pid	process
2812	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe
3292	bxpTXK8W.exe
4252	puoivo.exe
1188	ekhost.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exebxpTXK8W.execmd.exeakhost.exebkhost.exedkhost.execmd.exe

description	pid	process	target process
PID 2104 wrote to memory of 2812	2104	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe
PID 2104 wrote to memory of 2812	2104	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe
PID 2104 wrote to memory of 2812	2104	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe
PID 2104 wrote to memory of 2812	2104	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe
PID 2104 wrote to memory of 2812	2104	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe
PID 2104 wrote to memory of 2812	2104	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe
PID 2104 wrote to memory of 2812	2104	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe
PID 2104 wrote to memory of 2812	2104	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe
PID 2812 wrote to memory of 3292	2812	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	bxpTXK8W.exe
PID 2812 wrote to memory of 3292	2812	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	bxpTXK8W.exe
PID 2812 wrote to memory of 3292	2812	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	bxpTXK8W.exe
PID 2812 wrote to memory of 408	2812	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	akhost.exe
PID 2812 wrote to memory of 408	2812	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	akhost.exe
PID 2812 wrote to memory of 408	2812	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	akhost.exe
PID 3292 wrote to memory of 4252	3292	bxpTXK8W.exe	puoivo.exe
PID 3292 wrote to memory of 4252	3292	bxpTXK8W.exe	puoivo.exe
PID 3292 wrote to memory of 4252	3292	bxpTXK8W.exe	puoivo.exe
PID 3292 wrote to memory of 3000	3292	bxpTXK8W.exe	cmd.exe
PID 3292 wrote to memory of 3000	3292	bxpTXK8W.exe	cmd.exe
PID 3292 wrote to memory of 3000	3292	bxpTXK8W.exe	cmd.exe
PID 3000 wrote to memory of 3176	3000	cmd.exe	tasklist.exe
PID 3000 wrote to memory of 3176	3000	cmd.exe	tasklist.exe
PID 3000 wrote to memory of 3176	3000	cmd.exe	tasklist.exe
PID 408 wrote to memory of 3504	408	akhost.exe	akhost.exe
PID 408 wrote to memory of 3504	408	akhost.exe	akhost.exe
PID 408 wrote to memory of 3504	408	akhost.exe	akhost.exe
PID 408 wrote to memory of 3504	408	akhost.exe	akhost.exe
PID 408 wrote to memory of 3504	408	akhost.exe	akhost.exe
PID 408 wrote to memory of 3504	408	akhost.exe	akhost.exe
PID 408 wrote to memory of 3504	408	akhost.exe	akhost.exe
PID 408 wrote to memory of 3504	408	akhost.exe	akhost.exe
PID 408 wrote to memory of 3504	408	akhost.exe	akhost.exe
PID 2812 wrote to memory of 4624	2812	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	bkhost.exe
PID 2812 wrote to memory of 4624	2812	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	bkhost.exe
PID 2812 wrote to memory of 4624	2812	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	bkhost.exe
PID 4624 wrote to memory of 1884	4624	bkhost.exe	bkhost.exe
PID 4624 wrote to memory of 1884	4624	bkhost.exe	bkhost.exe
PID 4624 wrote to memory of 1884	4624	bkhost.exe	bkhost.exe
PID 4624 wrote to memory of 1884	4624	bkhost.exe	bkhost.exe
PID 4624 wrote to memory of 1884	4624	bkhost.exe	bkhost.exe
PID 4624 wrote to memory of 1884	4624	bkhost.exe	bkhost.exe
PID 4624 wrote to memory of 1884	4624	bkhost.exe	bkhost.exe
PID 4624 wrote to memory of 1884	4624	bkhost.exe	bkhost.exe
PID 2812 wrote to memory of 4532	2812	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	ckhost.exe
PID 2812 wrote to memory of 4532	2812	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	ckhost.exe
PID 2812 wrote to memory of 4532	2812	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	ckhost.exe
PID 2812 wrote to memory of 4936	2812	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	dkhost.exe
PID 2812 wrote to memory of 4936	2812	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	dkhost.exe
PID 2812 wrote to memory of 4936	2812	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	dkhost.exe
PID 4936 wrote to memory of 2992	4936	dkhost.exe	cmd.exe
PID 4936 wrote to memory of 2992	4936	dkhost.exe	cmd.exe
PID 4936 wrote to memory of 2992	4936	dkhost.exe	cmd.exe
PID 4936 wrote to memory of 2992	4936	dkhost.exe	cmd.exe
PID 2812 wrote to memory of 1188	2812	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	ekhost.exe
PID 2812 wrote to memory of 1188	2812	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	ekhost.exe
PID 2812 wrote to memory of 1188	2812	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	ekhost.exe
PID 2812 wrote to memory of 804	2812	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	cmd.exe
PID 2812 wrote to memory of 804	2812	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	cmd.exe
PID 2812 wrote to memory of 804	2812	72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe	cmd.exe
PID 804 wrote to memory of 3476	804	cmd.exe	tasklist.exe
PID 804 wrote to memory of 3476	804	cmd.exe	tasklist.exe
PID 804 wrote to memory of 3476	804	cmd.exe	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104

C:\Users\Admin\AppData\Local\Temp\72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe
72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe
2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2812

C:\Users\Admin\bxpTXK8W.exe
C:\Users\Admin\bxpTXK8W.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3292

C:\Users\Admin\puoivo.exe
"C:\Users\Admin\puoivo.exe"
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del bxpTXK8W.exe
4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Users\Admin\akhost.exe
C:\Users\Admin\akhost.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:408

C:\Users\Admin\akhost.exe
akhost.exe
4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:3504

C:\Users\Admin\bkhost.exe
C:\Users\Admin\bkhost.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4624

C:\Users\Admin\bkhost.exe
bkhost.exe
4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:1884

C:\Users\Admin\ckhost.exe
C:\Users\Admin\ckhost.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 396
4⤵
- Program crash
PID:3436

C:\Users\Admin\dkhost.exe
C:\Users\Admin\dkhost.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
PID:2992

C:\Users\Admin\ekhost.exe
C:\Users\Admin\ekhost.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del 72da2354774e05eeb43fe06ea0d94144_JaffaCakes118.exe
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4532 -ip 4532
1⤵
PID:800

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Process Discovery

1

T1057

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\akhost.exe
Filesize
229KB

MD5
2c895814249b3630f5ef87aef065a6d2

SHA1
785a02f3a3c958fb2f3fa7ce26860b65da34939d

SHA256
cc6377f8d451bd5ceb97d95409b74c9589f86edd47fead3db05e3a3dbfc6204a

SHA512
14e786deb9917c57dbdb6468a5b6b05ef0aacaa5a9efc962bac691648c1059c99537a85f9bd65013bb2765ebcbd1fa97027c6f2069ae2e1cc901d4247c7f404c

Download Submit
C:\Users\Admin\bkhost.exe
Filesize
122KB

MD5
6adba45c3cd86e3e4179c2489adc3ed0

SHA1
c856828981816a028d9948d4e90e83779ba00cc6

SHA256
e1432e8564f1a32df65a2cb433d4968e2109fef1508ad150a89e7c31227d3de8

SHA512
13404f5c2a311bc87e96d550674c9a7c6fda0f7808db1b901747d4e7a2e4c76bea268e38a17d3206ae419144981a060d29f916f676e586cc4376ad81717de672

Download Submit
C:\Users\Admin\bxpTXK8W.exe
Filesize
184KB

MD5
2261c2411c6e581bf496a0be8d46c6d8

SHA1
79e709807dff36c8d9936db05c0adcce54a1a290

SHA256
20e4fb3c4086c725feafdd50d8c8e405b20f6a9b868422455ca0b9cd007eb418

SHA512
622f86d976e9c140b29a1b29c21ac26415acab2762bac6d429123cb73af002377a0ecc62afaea0ef06dea689ebb6e70a1c7251186a260eae279cc8587622cefd

Download Submit
C:\Users\Admin\ckhost.exe
Filesize
279KB

MD5
b4004c548fec0ae0f7264b509b95e4d8

SHA1
6142664dc2b3ce927fecb96fa18a1dbc5219ae8f

SHA256
3f4aae3b2ec5b1d842841e76a963f26b471ed15e9933c40d48469a48ed04ee56

SHA512
750223d1cf30812b4c9dba9f21893f2ce34b717c17da2befe47f13e8d623c5098f5133053cb1a909da5e4ebc07b68979e72fa8f36c26c6c191665b213e838d90

Download Submit
C:\Users\Admin\dkhost.exe
Filesize
240KB

MD5
0a67782f34b335fe42be835ad4542124

SHA1
c1838a364f27ed7b8a463edefeabf8d762d1f149

SHA256
4f1d17a99aaf1719a96778e06edb417de118672ad3b0193a3fd2706a8e6f699c

SHA512
4dd56baf20ad532e7c1933d83889c649ffe4069a23dde43486c32105c0df67ebc8f670cb54c13a902105d38f5efea06c3a7f6481aec49c4af1b40bc8cfa7b086

Download Submit
C:\Users\Admin\ekhost.exe
Filesize
32KB

MD5
49e105d54bf4201e39ef974f9e5c24dc

SHA1
70737f6e75e250cfa335f8ef10be4b934f6fa1af

SHA256
a7d86eb136f345db624f4ddc577b61a2bb54f24c6b83a1de66dbdc167f3bb119

SHA512
7b9c210b69535ffca2280bd54b88bb2644e39fb1db487fbf8d83ea420c6db7d05b2373bef172a07b3090139e29110c593b09151e39ff6358d1fc62c0e91783fe

Download Submit
C:\Users\Admin\puoivo.exe
Filesize
184KB

MD5
11b5e69b2ff2642f56329f92fdf9660f

SHA1
f3bae0c537ff97518a4f6f6d518739cbd26573e0

SHA256
7a0c67d60b6913995b0d5fa2a32633ac253729ee6c83bfa7eb7a088ddb65f265

SHA512
3ddd2c82919abf6438850f56bfbf22a9ce54a487a302e33e08074c3c69020a2233389a42194aeeb14b554dae7f39ce463bc04db6c4ae5ed9902fb50cb2b4fc7f

Download Submit
memory/408-50-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1884-60-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1884-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1884-62-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1884-55-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1884-54-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2104-4-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2812-1-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2812-7-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2812-93-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2812-90-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2812-12-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2812-70-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2812-0-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2812-6-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2812-8-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3504-48-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3504-43-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3504-44-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3504-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3504-46-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3504-45-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4624-58-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4936-73-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4936-75-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads