modiloader | 130ab1ecbdb265e14259736e10bef5e5dc03aaaa933f379432c484c0d7b0a832

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3413a0f105a236fbd09f087a28e00db_JaffaCakes118.exe
Size

501KB
MD5

e3413a0f105a236fbd09f087a28e00db
SHA1

39adcb0d09c5ea025f9d054af726677449fba83c
SHA256

130ab1ecbdb265e14259736e10bef5e5dc03aaaa933f379432c484c0d7b0a832
SHA512

191bb96ed02df7079c4f45a010e4f88e900d967059c649ab27097f3901a5683f602f628d6170f8a895a7434f533056dd5de444fd478e1bb5e1644d8a23a3fd8d
SSDEEP

12288:aan072eNdNOWEJ1db1J9/0JmcPcl9cBqNtTird:a20hwLdEclOBuTEd

Score

10^/10

modiloader bootkit defense_evasion discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 37 IoCs

resource	yara_rule
behavioral1/memory/2328-14-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/2328-32-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/2868-34-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/2868-39-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/2752-45-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/2552-50-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/2552-49-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/2104-55-0x0000000004280000-0x000000000435E000-memory.dmp	modiloader_stage2
behavioral1/memory/2104-58-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/1472-65-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/1472-62-0x0000000004240000-0x000000000431E000-memory.dmp	modiloader_stage2
behavioral1/memory/2716-72-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/1840-79-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/3048-82-0x0000000005820000-0x00000000058FE000-memory.dmp	modiloader_stage2
behavioral1/memory/3048-85-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/2200-88-0x00000000057E0000-0x00000000058BE000-memory.dmp	modiloader_stage2
behavioral1/memory/2200-92-0x00000000057E0000-0x00000000058BE000-memory.dmp	modiloader_stage2
behavioral1/memory/2200-91-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/2116-96-0x0000000005650000-0x000000000572E000-memory.dmp	modiloader_stage2
behavioral1/memory/2116-97-0x0000000005650000-0x000000000572E000-memory.dmp	modiloader_stage2
behavioral1/memory/2116-102-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/1592-107-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/784-112-0x0000000003EF0000-0x0000000003FCE000-memory.dmp	modiloader_stage2
behavioral1/memory/784-115-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/1572-120-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/900-126-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/1904-131-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/3032-134-0x00000000042E0000-0x00000000043BE000-memory.dmp	modiloader_stage2
behavioral1/memory/3032-137-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/2812-138-0x0000000004070000-0x000000000414E000-memory.dmp	modiloader_stage2
behavioral1/memory/2812-140-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/2872-141-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/2872-143-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/1460-144-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/2532-147-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/1072-149-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2
behavioral1/memory/688-152-0x0000000000400000-0x00000000004DE000-memory.dmp	modiloader_stage2

Executes dropped EXE 23 IoCs

pid	Process
2868	vssms32.exe
2752	vssms32.exe
2552	vssms32.exe
2104	vssms32.exe
1472	vssms32.exe
2716	vssms32.exe
1840	vssms32.exe
3048	vssms32.exe
2200	vssms32.exe
2116	vssms32.exe
1592	vssms32.exe
784	vssms32.exe
1572	vssms32.exe
900	vssms32.exe
1904	vssms32.exe
3032	vssms32.exe
2812	vssms32.exe
2872	vssms32.exe
1460	vssms32.exe
2532	vssms32.exe
1072	vssms32.exe
688	vssms32.exe
2792	vssms32.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	e3413a0f105a236fbd09f087a28e00db_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	e3413a0f105a236fbd09f087a28e00db_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	e3413a0f105a236fbd09f087a28e00db_JaffaCakes118.exe

Loads dropped DLL 46 IoCs

pid	Process
2328	e3413a0f105a236fbd09f087a28e00db_JaffaCakes118.exe
2328	e3413a0f105a236fbd09f087a28e00db_JaffaCakes118.exe
2868	vssms32.exe
2868	vssms32.exe
2752	vssms32.exe
2752	vssms32.exe
2552	vssms32.exe
2552	vssms32.exe
2104	vssms32.exe
2104	vssms32.exe
1472	vssms32.exe
1472	vssms32.exe
2716	vssms32.exe
2716	vssms32.exe
1840	vssms32.exe
1840	vssms32.exe
3048	vssms32.exe
3048	vssms32.exe
2200	vssms32.exe
2200	vssms32.exe
2116	vssms32.exe
2116	vssms32.exe
1592	vssms32.exe
1592	vssms32.exe
784	vssms32.exe
784	vssms32.exe
1572	vssms32.exe
1572	vssms32.exe
900	vssms32.exe
900	vssms32.exe
1904	vssms32.exe
1904	vssms32.exe
3032	vssms32.exe
3032	vssms32.exe
2812	vssms32.exe
2812	vssms32.exe
2872	vssms32.exe
2872	vssms32.exe
1460	vssms32.exe
1460	vssms32.exe
2532	vssms32.exe
2532	vssms32.exe
1072	vssms32.exe
1072	vssms32.exe
688	vssms32.exe
688	vssms32.exe

Adds Run key to start application 2 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	e3413a0f105a236fbd09f087a28e00db_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 24 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	vssms32.exe
File opened for modification	\??\PhysicalDrive0	vssms32.exe
File opened for modification	\??\PhysicalDrive0	vssms32.exe
File opened for modification	\??\PhysicalDrive0	vssms32.exe
File opened for modification	\??\PhysicalDrive0	vssms32.exe
File opened for modification	\??\PhysicalDrive0	vssms32.exe
File opened for modification	\??\PhysicalDrive0	vssms32.exe
File opened for modification	\??\PhysicalDrive0	vssms32.exe
File opened for modification	\??\PhysicalDrive0	vssms32.exe
File opened for modification	\??\PhysicalDrive0	vssms32.exe
File opened for modification	\??\PhysicalDrive0	vssms32.exe
File opened for modification	\??\PhysicalDrive0	vssms32.exe
File opened for modification	\??\PhysicalDrive0	vssms32.exe
File opened for modification	\??\PhysicalDrive0	vssms32.exe
File opened for modification	\??\PhysicalDrive0	vssms32.exe
File opened for modification	\??\PhysicalDrive0	vssms32.exe
File opened for modification	\??\PhysicalDrive0	vssms32.exe
File opened for modification	\??\PhysicalDrive0	vssms32.exe
File opened for modification	\??\PhysicalDrive0	vssms32.exe
File opened for modification	\??\PhysicalDrive0	e3413a0f105a236fbd09f087a28e00db_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	vssms32.exe
File opened for modification	\??\PhysicalDrive0	vssms32.exe
File opened for modification	\??\PhysicalDrive0	vssms32.exe
File opened for modification	\??\PhysicalDrive0	vssms32.exe

Drops file in System32 directory 46 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	e3413a0f105a236fbd09f087a28e00db_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	e3413a0f105a236fbd09f087a28e00db_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e3413a0f105a236fbd09f087a28e00db_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2868	2328	e3413a0f105a236fbd09f087a28e00db_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2868	2328	e3413a0f105a236fbd09f087a28e00db_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2868	2328	e3413a0f105a236fbd09f087a28e00db_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2868	2328	e3413a0f105a236fbd09f087a28e00db_JaffaCakes118.exe	31
PID 2868 wrote to memory of 2752	2868	vssms32.exe	32
PID 2868 wrote to memory of 2752	2868	vssms32.exe	32
PID 2868 wrote to memory of 2752	2868	vssms32.exe	32
PID 2868 wrote to memory of 2752	2868	vssms32.exe	32
PID 2752 wrote to memory of 2552	2752	vssms32.exe	33
PID 2752 wrote to memory of 2552	2752	vssms32.exe	33
PID 2752 wrote to memory of 2552	2752	vssms32.exe	33
PID 2752 wrote to memory of 2552	2752	vssms32.exe	33
PID 2552 wrote to memory of 2104	2552	vssms32.exe	34
PID 2552 wrote to memory of 2104	2552	vssms32.exe	34
PID 2552 wrote to memory of 2104	2552	vssms32.exe	34
PID 2552 wrote to memory of 2104	2552	vssms32.exe	34
PID 2104 wrote to memory of 1472	2104	vssms32.exe	35
PID 2104 wrote to memory of 1472	2104	vssms32.exe	35
PID 2104 wrote to memory of 1472	2104	vssms32.exe	35
PID 2104 wrote to memory of 1472	2104	vssms32.exe	35
PID 1472 wrote to memory of 2716	1472	vssms32.exe	36
PID 1472 wrote to memory of 2716	1472	vssms32.exe	36
PID 1472 wrote to memory of 2716	1472	vssms32.exe	36
PID 1472 wrote to memory of 2716	1472	vssms32.exe	36
PID 2716 wrote to memory of 1840	2716	vssms32.exe	37
PID 2716 wrote to memory of 1840	2716	vssms32.exe	37
PID 2716 wrote to memory of 1840	2716	vssms32.exe	37
PID 2716 wrote to memory of 1840	2716	vssms32.exe	37
PID 1840 wrote to memory of 3048	1840	vssms32.exe	38
PID 1840 wrote to memory of 3048	1840	vssms32.exe	38
PID 1840 wrote to memory of 3048	1840	vssms32.exe	38
PID 1840 wrote to memory of 3048	1840	vssms32.exe	38
PID 3048 wrote to memory of 2200	3048	vssms32.exe	39
PID 3048 wrote to memory of 2200	3048	vssms32.exe	39
PID 3048 wrote to memory of 2200	3048	vssms32.exe	39
PID 3048 wrote to memory of 2200	3048	vssms32.exe	39
PID 2200 wrote to memory of 2116	2200	vssms32.exe	40
PID 2200 wrote to memory of 2116	2200	vssms32.exe	40
PID 2200 wrote to memory of 2116	2200	vssms32.exe	40
PID 2200 wrote to memory of 2116	2200	vssms32.exe	40
PID 2116 wrote to memory of 1592	2116	vssms32.exe	41
PID 2116 wrote to memory of 1592	2116	vssms32.exe	41
PID 2116 wrote to memory of 1592	2116	vssms32.exe	41
PID 2116 wrote to memory of 1592	2116	vssms32.exe	41
PID 1592 wrote to memory of 784	1592	vssms32.exe	42
PID 1592 wrote to memory of 784	1592	vssms32.exe	42
PID 1592 wrote to memory of 784	1592	vssms32.exe	42
PID 1592 wrote to memory of 784	1592	vssms32.exe	42
PID 784 wrote to memory of 1572	784	vssms32.exe	43
PID 784 wrote to memory of 1572	784	vssms32.exe	43
PID 784 wrote to memory of 1572	784	vssms32.exe	43
PID 784 wrote to memory of 1572	784	vssms32.exe	43
PID 1572 wrote to memory of 900	1572	vssms32.exe	44
PID 1572 wrote to memory of 900	1572	vssms32.exe	44
PID 1572 wrote to memory of 900	1572	vssms32.exe	44
PID 1572 wrote to memory of 900	1572	vssms32.exe	44
PID 900 wrote to memory of 1904	900	vssms32.exe	45
PID 900 wrote to memory of 1904	900	vssms32.exe	45
PID 900 wrote to memory of 1904	900	vssms32.exe	45
PID 900 wrote to memory of 1904	900	vssms32.exe	45
PID 1904 wrote to memory of 3032	1904	vssms32.exe	46
PID 1904 wrote to memory of 3032	1904	vssms32.exe	46
PID 1904 wrote to memory of 3032	1904	vssms32.exe	46
PID 1904 wrote to memory of 3032	1904	vssms32.exe	46

C:\Users\Admin\AppData\Local\Temp\e3413a0f105a236fbd09f087a28e00db_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e3413a0f105a236fbd09f087a28e00db_JaffaCakes118.exe"
1⤵
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\vssms32.exe
  "C:\Windows\system32\vssms32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\vssms32.exe
    "C:\Windows\system32\vssms32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\vssms32.exe
      "C:\Windows\system32\vssms32.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Writes to the Master Boot Record (MBR)
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2104
      - C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        24⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\vssms32.exe

Filesize
501KB

MD5
e3413a0f105a236fbd09f087a28e00db

SHA1
39adcb0d09c5ea025f9d054af726677449fba83c

SHA256
130ab1ecbdb265e14259736e10bef5e5dc03aaaa933f379432c484c0d7b0a832

SHA512
191bb96ed02df7079c4f45a010e4f88e900d967059c649ab27097f3901a5683f602f628d6170f8a895a7434f533056dd5de444fd478e1bb5e1644d8a23a3fd8d

Download Submit
memory/688-152-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/784-108-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/784-112-0x0000000003EF0000-0x0000000003FCE000-memory.dmp

Filesize
888KB

Download
memory/784-115-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/900-121-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/900-126-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1072-149-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1460-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1460-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1472-62-0x0000000004240000-0x000000000431E000-memory.dmp

Filesize
888KB

Download
memory/1472-65-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1572-113-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1572-120-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1592-100-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1592-107-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1840-76-0x0000000004490000-0x000000000456E000-memory.dmp

Filesize
888KB

Download
memory/1840-79-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1904-131-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2104-55-0x0000000004280000-0x000000000435E000-memory.dmp

Filesize
888KB

Download
memory/2104-51-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2104-54-0x0000000004280000-0x000000000435E000-memory.dmp

Filesize
888KB

Download
memory/2104-58-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2116-102-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2116-97-0x0000000005650000-0x000000000572E000-memory.dmp

Filesize
888KB

Download
memory/2116-96-0x0000000005650000-0x000000000572E000-memory.dmp

Filesize
888KB

Download
memory/2116-93-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2200-99-0x00000000057E0000-0x00000000058BE000-memory.dmp

Filesize
888KB

Download
memory/2200-88-0x00000000057E0000-0x00000000058BE000-memory.dmp

Filesize
888KB

Download
memory/2200-92-0x00000000057E0000-0x00000000058BE000-memory.dmp

Filesize
888KB

Download
memory/2200-91-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2328-6-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2328-9-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2328-12-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2328-11-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2328-7-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2328-10-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2328-13-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/2328-14-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2328-4-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2328-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2328-0-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2328-1-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/2328-15-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/2328-5-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2328-26-0x00000000043A0000-0x000000000447E000-memory.dmp

Filesize
888KB

Download
memory/2328-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2328-32-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2328-25-0x00000000043A0000-0x000000000447E000-memory.dmp

Filesize
888KB

Download
memory/2328-2-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2328-28-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/2532-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2532-147-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2552-49-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2552-43-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2552-50-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2716-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2716-69-0x0000000004000000-0x00000000040DE000-memory.dmp

Filesize
888KB

Download
memory/2716-66-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2752-45-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2792-150-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2812-138-0x0000000004070000-0x000000000414E000-memory.dmp

Filesize
888KB

Download
memory/2812-140-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2868-30-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/2868-39-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2868-34-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2868-35-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/2868-29-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2872-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2872-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3032-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3032-134-0x00000000042E0000-0x00000000043BE000-memory.dmp

Filesize
888KB

Download
memory/3048-85-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3048-82-0x0000000005820000-0x00000000058FE000-memory.dmp

Filesize
888KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads