modiloader | eedf06877f8747be097cd1aad9530501d93a8f7ba39b24ffdf91e1846324ad98

Analysis

max time kernel
145s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fe1972a8ab4e35c4e22c8ba51027d1e_JaffaCakes118.exe
Size

854KB
MD5

8fe1972a8ab4e35c4e22c8ba51027d1e
SHA1

1019755801ba2c54c9265c3aa76bcc84333e50b9
SHA256

eedf06877f8747be097cd1aad9530501d93a8f7ba39b24ffdf91e1846324ad98
SHA512

94897cb5af89dca6e0edb7fa6395bbc6973c1e93548d45975a59aaaf487c72efefeb344ec3f4e46e37d0a91e01f3d58ff3bcbadf3b20e4ca4c5e0ca8e8630586
SSDEEP

24576:d7oO9NM/eTUpPriI/YmF3XLOiZKn+ETG5aX:t19WWTUp3YmF3XtZjKGY

Score

10^/10

modiloader aspackv2 discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1972-22-0x0000000000400000-0x00000000004DD000-memory.dmp	modiloader_stage2

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
behavioral1/files/0x0009000000016d47-34.dat	acprotect
behavioral1/files/0x0007000000016d69-61.dat	acprotect

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral1/files/0x0008000000016d36-23.dat	aspack_v212_v242

Executes dropped EXE 3 IoCs

Processes:

syscopt.exebritsl8ides.exeWindows:devldr23.exe

pid	Process
2156	syscopt.exe
1740	britsl8ides.exe
2776	Windows:devldr23.exe

Loads dropped DLL 8 IoCs

Processes:

8fe1972a8ab4e35c4e22c8ba51027d1e_JaffaCakes118.exesyscopt.exeregsvr32.exeWindows:devldr23.exe

pid	Process
1972	8fe1972a8ab4e35c4e22c8ba51027d1e_JaffaCakes118.exe
1972	8fe1972a8ab4e35c4e22c8ba51027d1e_JaffaCakes118.exe
1972	8fe1972a8ab4e35c4e22c8ba51027d1e_JaffaCakes118.exe
1972	8fe1972a8ab4e35c4e22c8ba51027d1e_JaffaCakes118.exe
2156	syscopt.exe
2620	regsvr32.exe
2156	syscopt.exe
2776	Windows:devldr23.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Windows:devldr23.exe

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Windows:devldr23.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run	Windows:devldr23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SD_service = "C:\\Windows:devldr23.exe"	Windows:devldr23.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\SD_service = "C:\\Windows:devldr23.exe"	Windows:devldr23.exe

Drops file in System32 directory 9 IoCs

Processes:

8fe1972a8ab4e35c4e22c8ba51027d1e_JaffaCakes118.exesyscopt.exeWindows:devldr23.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\syscopt.exe	8fe1972a8ab4e35c4e22c8ba51027d1e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zlib.dll	syscopt.exe
File opened for modification	C:\Windows\SysWOW64\mswinsck.ocx	syscopt.exe
File opened for modification	C:\Windows\SysWOW64\jpg.dll	Windows:devldr23.exe
File created	C:\Windows\SysWOW64\britsl8ides.exe	8fe1972a8ab4e35c4e22c8ba51027d1e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\syscopt.exe	syscopt.exe
File opened for modification	C:\Windows\SysWOW64\jpg.dll	syscopt.exe
File opened for modification	C:\Windows\SysWOW64\zlib.dll	Windows:devldr23.exe
File opened for modification	C:\Windows\SysWOW64\mswinsck.ocx	Windows:devldr23.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x00090000000120ce-2.dat	upx
behavioral1/memory/2156-11-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/files/0x0009000000016d47-34.dat	upx
behavioral1/memory/2156-36-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral1/memory/2776-55-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/2156-58-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/2776-64-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/2776-66-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/2776-68-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/2776-70-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/2776-72-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/2776-74-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/2776-76-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/2776-78-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/2776-80-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/2776-82-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/2776-84-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/2776-86-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/2776-88-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/2776-90-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/2776-92-0x0000000000400000-0x0000000000461000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8fe1972a8ab4e35c4e22c8ba51027d1e_JaffaCakes118.exesyscopt.exebritsl8ides.exeregsvr32.exeWindows:devldr23.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8fe1972a8ab4e35c4e22c8ba51027d1e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syscopt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	britsl8ides.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows:devldr23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx, 1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe

NTFS ADS 3 IoCs

Processes:

syscopt.exeWindows:devldr23.exe

description	ioc	Process
File opened for modification	C:\Windows:devldr23.exe	syscopt.exe
File created	C:\Windows:devldr23.exe	syscopt.exe
File opened for modification	C:\Windows:devldr23.exe	Windows:devldr23.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

syscopt.exeWindows:devldr23.exe

pid	Process
2156	syscopt.exe
2156	syscopt.exe
2156	syscopt.exe
2156	syscopt.exe
2156	syscopt.exe
2776	Windows:devldr23.exe
2776	Windows:devldr23.exe
2776	Windows:devldr23.exe
2776	Windows:devldr23.exe
2776	Windows:devldr23.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

syscopt.exeWindows:devldr23.exe

pid	Process
2156	syscopt.exe
2776	Windows:devldr23.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

8fe1972a8ab4e35c4e22c8ba51027d1e_JaffaCakes118.exesyscopt.exe

description	pid	Process	procid_target
PID 1972 wrote to memory of 2156	1972	8fe1972a8ab4e35c4e22c8ba51027d1e_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2156	1972	8fe1972a8ab4e35c4e22c8ba51027d1e_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2156	1972	8fe1972a8ab4e35c4e22c8ba51027d1e_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2156	1972	8fe1972a8ab4e35c4e22c8ba51027d1e_JaffaCakes118.exe	30
PID 1972 wrote to memory of 1740	1972	8fe1972a8ab4e35c4e22c8ba51027d1e_JaffaCakes118.exe	31
PID 1972 wrote to memory of 1740	1972	8fe1972a8ab4e35c4e22c8ba51027d1e_JaffaCakes118.exe	31
PID 1972 wrote to memory of 1740	1972	8fe1972a8ab4e35c4e22c8ba51027d1e_JaffaCakes118.exe	31
PID 1972 wrote to memory of 1740	1972	8fe1972a8ab4e35c4e22c8ba51027d1e_JaffaCakes118.exe	31
PID 2156 wrote to memory of 2620	2156	syscopt.exe	33
PID 2156 wrote to memory of 2620	2156	syscopt.exe	33
PID 2156 wrote to memory of 2620	2156	syscopt.exe	33
PID 2156 wrote to memory of 2620	2156	syscopt.exe	33
PID 2156 wrote to memory of 2620	2156	syscopt.exe	33
PID 2156 wrote to memory of 2620	2156	syscopt.exe	33
PID 2156 wrote to memory of 2620	2156	syscopt.exe	33
PID 2156 wrote to memory of 2652	2156	syscopt.exe	34
PID 2156 wrote to memory of 2652	2156	syscopt.exe	34
PID 2156 wrote to memory of 2652	2156	syscopt.exe	34
PID 2156 wrote to memory of 2652	2156	syscopt.exe	34
PID 2156 wrote to memory of 2776	2156	syscopt.exe	35
PID 2156 wrote to memory of 2776	2156	syscopt.exe	35
PID 2156 wrote to memory of 2776	2156	syscopt.exe	35
PID 2156 wrote to memory of 2776	2156	syscopt.exe	35

C:\Users\Admin\AppData\Local\Temp\8fe1972a8ab4e35c4e22c8ba51027d1e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8fe1972a8ab4e35c4e22c8ba51027d1e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\syscopt.exe
  "C:\Windows\System32\syscopt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\system32\mswinsck.ocx"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Roaming\1.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2652
- - C:\Windows:devldr23.exe
    C:\Windows:devldr23.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2776
- C:\Windows\SysWOW64\britsl8ides.exe
  "C:\Windows\System32\britsl8ides.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1.bat

Filesize
103B

MD5
bbfee53b377c2f0778ed7cad1d84b0f2

SHA1
4e5b842215e95be2af761d944d11b956dc033189

SHA256
d4386e84a00a711cea9e6fbe258612ea06e768941dbacd38966d9795358e6792

SHA512
a219f1168556278dc12207c5f61c8815f5c2d6c3278673005bbc964507132a587502a47c97196d441c3822b485eb6cd06315e2038e8d05f56833ee454a06a07b

Download Submit
C:\Windows

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\britsl8ides.exe

Filesize
615KB

MD5
12f6a5f14f986001c46ba1444d49f909

SHA1
b29defe13ea18ff4f3119b8d70ddcb8e339a8da5

SHA256
0ea8be70067b7c47e829e5d7484c52baa7d28b0ff45f2009bbc054a819fa916c

SHA512
fe2822ba4efa17c7a1e3ee64027c6310ca4a396186aa3ce8f0d420966a8da25fe9588e431bf7503a30e32a0bb15c08f31ef873e2a347e8e625b422419dc9b044

Download Submit
C:\Windows\SysWOW64\jpg.dll

Filesize
51KB

MD5
4eda362e326609a0a80e2736b67607ab

SHA1
64aa572d16f7cd6e6bd2296f2c96ad1604c713d1

SHA256
061e9f721af9a538dcfd96d13cb3deef1479b5785f566818c34c3faa585d650a

SHA512
f23f6a5c362808aef98516dcf12e3eeefd8498c812c27f96820d7d086694641cb4eefc7970b4750a0e4a5a0be1f90ac8981fc2f028e7085d50bd44bd4880c51d

Download Submit
C:\Windows\SysWOW64\mswinsck.ocx

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
\Windows\SysWOW64\syscopt.exe

Filesize
200KB

MD5
84e8f6bc491ee2039ce911609fb2dcf5

SHA1
c91317db79d1e26f98b4f3f237098fac1d8223ba

SHA256
3a3d9f280e89e375b2e2f28c80c20b87cd8827c330c6facb03991ef3f086927e

SHA512
04233c9cf3cabfa9a2b1751f22182df1e8b75e16853d83e0fd6278bb4b697c6d0f6fcf1f3cd8b31caead0b2af768affb1b8c480192a0dc642fd500bd07801f3f

Download Submit
\Windows\SysWOW64\zlib.dll

Filesize
27KB

MD5
200d52d81e9b4b05fa58ce5fbe511dba

SHA1
c0d809ee93816d87388ed4e7fd6fca93d70294d2

SHA256
d4fe89dc2e7775f4ef0dfc70ed6999b8f09635326e05e08a274d464d1814c617

SHA512
7b1df70d76855d65cf246051e7b9f7119720a695d41ace1eb00e45e93e6de80d083b953269166bdee7137dbd9f3e5681e36bb036f151cea383c10d82957f39c5

Download Submit
memory/1740-69-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1740-71-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1740-24-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1740-79-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1740-75-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1740-81-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1740-73-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1740-83-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1740-63-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1740-91-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1740-65-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1740-89-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1740-67-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1740-87-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1740-77-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1740-85-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1972-10-0x0000000002AD0000-0x0000000002B31000-memory.dmp

Filesize
388KB

Download
memory/1972-22-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2156-36-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2156-58-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2156-54-0x00000000026D0000-0x0000000002731000-memory.dmp

Filesize
388KB

Download
memory/2156-11-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2776-55-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2776-78-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2776-76-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2776-80-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2776-74-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2776-82-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2776-84-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2776-72-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2776-86-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2776-70-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2776-68-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2776-88-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2776-66-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2776-90-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2776-64-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2776-92-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download