Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
21-09-2024 16:39
General
-
Target
f035acc028258683beaf855d15749dd0_JaffaCakes118.exe
-
Size
297KB
-
MD5
f035acc028258683beaf855d15749dd0
-
SHA1
f3ed6d3276409e64c2c8667a9a7a56b07d1efb48
-
SHA256
f8d58e2fa1af08b76b8295f87428fb77126fb504c8b2269fc9cdb9899348aeb5
-
SHA512
c0831859b3f363ae3784e10ec8202ae7d94bedfa778dfe8eca900f707149c17ec4c789e1a848b05b3b86acbe174b2bb6af49437e16d148bec70bb35ac909c63a
-
SSDEEP
6144:xTx9Z4h3oSNcDW1m7Y3qPr5Qh0auUMnbBD96:TIr+aiVJagBDo
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 58 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f035acc028258683beaf855d15749dd0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f035acc028258683beaf855d15749dd0_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f035acc028258683beaf855d15749dd0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f035acc028258683beaf855d15749dd0_JaffaCakes118.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:ZNrw0TO2="iJlg";Kk15=new%20ActiveXObject("WScript.Shell");x4kjXM0="diWi";Kr9ji=Kk15.RegRead("HKLM\\software\\Wow6432Node\\I2Qp1BGTBM\\9UNrd23a");s2Es0l="RhKyYfK5";eval(Kr9ji);ek1py="kQMjSZDk";1⤵
- Process spawned unexpected child process
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:zobzt2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
869B
MD5d3fad7debed143f4c1d5f96c1a657f38
SHA1d1522ce80ea6f2a8d59cb4dc098f1a911e86f9e5
SHA256732b3bad6b9a46c1204eade98b5a0558afbc0f7546e11fdb983dbc781e69aecc
SHA512a8ac8f4964d72da4d716013530786f1ae8d87659b28fd95f4a2c24e7bd76a5d5d2eed32e64556ac3ced8e376b1a89c28b0b6cba18d9fde9dae4a8798c22467bd
-
Filesize
58B
MD5776f7fa13532d4ca1e7708ec77ef87b0
SHA1c8507d968d89c91422ab346b2aa05d3ebaef8c04
SHA256ca4fd875f06dfe862482bff5bbf18ec04604fa8ac210852336609c60d89d9fa9
SHA51293e5a8866b07d061f46382eb5ae30aec53b8c2a489affb558ea1d43fd7061a0901320123bf06f938956a321c4e9373d81c944693da3f1dc316fe5acaf166659a
-
Filesize
34KB
MD5a24aca98bd9456dad2a1d0124bb4d443
SHA1b7678e16b90e24b6a24753b7cdaccbbe18d1df30
SHA256ea997bab9c000b60b9f8764add78bdc92965ec3d212cb2a390be935fc9a6c608
SHA5127793c45a4e28655013178d299abf293902c9594e25502c1eb6f4307590b84db380aa11470e3a442999b32f8528cd2c2bf9612397c032ca8575b247e85792d690
-
Filesize
1KB
MD527a2360d0a09cb5e2ba6d386e1df3643
SHA1f4b26a43e290b72bb4532e35a278a348b619d412
SHA256b8390bf76cedddfe5b608fe91978d0bb968b7fe7b01c4a447ab96ae642a832b4
SHA5128ff051d1f86acc4d6598950422e955dea1598da1e9e48274ed7e068c3f5f71d8930a46b547f52723052c6cf8ce5815bc47db2adbf473f0a467a37ae075e4ffd9
-
Filesize
985B
MD588e7164a339de2eb70ecadb78c5c9a6c
SHA16e986e177bb8dbdb86822b604269580e88aac1bf
SHA2564a41cbfca03c7b83ec91bee4c50b30b7eb9b133f229e25904b38fbcdfc9ef4aa
SHA512aef58f6a308f20b03d2ff0d02e9dc296c3a235e9545e107658d4076ea32af7748a500a77dd9c2a6c8898f1d9fd9199781ee565639f899ae4ea930c246bc85d11
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
856KB
-
Filesize
232KB
-
Filesize
856KB
-
Filesize
856KB
-
Filesize
856KB
-
Filesize
856KB
-
Filesize
232KB
-
Filesize
856KB
-
Filesize
856KB
-
Filesize
232KB
-
Filesize
4KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
332KB
-
Filesize
856KB
-
Filesize
856KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB