modiloader | 8f77ef7c38ba8d72c7f1fc411801c7b7c5b42d7a0f7c877db8624f8e8113eb39

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
Size

776KB
MD5

fbdbb31466b09f812976925578b1e053
SHA1

e7a204ec8cff2ca0e430656dcec8d1819b8b0618
SHA256

8f77ef7c38ba8d72c7f1fc411801c7b7c5b42d7a0f7c877db8624f8e8113eb39
SHA512

831a36ac984ede03b3b6e9d482b179ce9f49f67b5258bd4e809f0f96a82eb962cf1e2d096ed0cf7ff72005246c6b6040c506e152cb4b178b4d2b29052bc5f2ba
SSDEEP

12288:ywtYgRM3k33tUwRyz52ccrFa0vhPROrliSajsBB0u0b/bnwgc:rtYgRIk33NRyF2hrdvjOr70zbwgc

Score

10^/10

modiloader defense_evasion discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral1/memory/2208-28-0x0000000000400000-0x00000000004BD000-memory.dmp	modiloader_stage2
behavioral1/memory/2208-23-0x0000000000400000-0x00000000004BD000-memory.dmp	modiloader_stage2
behavioral1/memory/2208-40-0x0000000000400000-0x00000000004BD000-memory.dmp	modiloader_stage2
behavioral1/memory/2968-65-0x0000000000400000-0x00000000004BD000-memory.dmp	modiloader_stage2
behavioral1/memory/2968-69-0x0000000000400000-0x00000000004BD000-memory.dmp	modiloader_stage2

Executes dropped EXE 46 IoCs

pid	Process
2904	vssms32.exe
2968	vssms32.exe
1716	vssms32.exe
980	vssms32.exe
2604	vssms32.exe
2980	vssms32.exe
2264	vssms32.exe
2068	vssms32.exe
1184	vssms32.exe
2272	vssms32.exe
236	vssms32.exe
1564	vssms32.exe
2064	vssms32.exe
1616	vssms32.exe
2120	vssms32.exe
2572	vssms32.exe
2748	vssms32.exe
2744	vssms32.exe
1028	vssms32.exe
2112	vssms32.exe
1992	vssms32.exe
2840	vssms32.exe
1436	vssms32.exe
2180	vssms32.exe
1000	vssms32.exe
2148	vssms32.exe
1712	vssms32.exe
916	vssms32.exe
616	vssms32.exe
284	vssms32.exe
2316	vssms32.exe
1548	vssms32.exe
2920	vssms32.exe
2768	vssms32.exe
2664	vssms32.exe
2304	vssms32.exe
2972	vssms32.exe
1756	vssms32.exe
2952	vssms32.exe
2856	vssms32.exe
2420	vssms32.exe
1328	vssms32.exe
1868	vssms32.exe
1532	vssms32.exe
1376	vssms32.exe
1552	vssms32.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe

Loads dropped DLL 47 IoCs

pid	Process
2208	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
2208	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
2904	vssms32.exe
2968	vssms32.exe
2968	vssms32.exe
980	vssms32.exe
980	vssms32.exe
2980	vssms32.exe
2980	vssms32.exe
2068	vssms32.exe
2068	vssms32.exe
2272	vssms32.exe
2272	vssms32.exe
1564	vssms32.exe
1564	vssms32.exe
1616	vssms32.exe
1616	vssms32.exe
2572	vssms32.exe
2572	vssms32.exe
2744	vssms32.exe
2744	vssms32.exe
2112	vssms32.exe
2112	vssms32.exe
2840	vssms32.exe
2840	vssms32.exe
2180	vssms32.exe
2180	vssms32.exe
2148	vssms32.exe
2148	vssms32.exe
916	vssms32.exe
916	vssms32.exe
284	vssms32.exe
284	vssms32.exe
1548	vssms32.exe
1548	vssms32.exe
2768	vssms32.exe
2768	vssms32.exe
2304	vssms32.exe
2304	vssms32.exe
1756	vssms32.exe
1756	vssms32.exe
2856	vssms32.exe
2856	vssms32.exe
1328	vssms32.exe
1328	vssms32.exe
1532	vssms32.exe
1532	vssms32.exe

Adds Run key to start application 2 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssms32 = "C:\\Windows\\system32\\vssms32.exe"	vssms32.exe

Drops file in System32 directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File created	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe
File opened for modification	C:\Windows\SysWOW64\vssms32.exe	vssms32.exe

Suspicious use of SetThreadContext 24 IoCs

description	pid	Process	procid_target
PID 2440 set thread context of 2208	2440	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	30
PID 2904 set thread context of 2968	2904	vssms32.exe	33
PID 1716 set thread context of 980	1716	vssms32.exe	35
PID 2604 set thread context of 2980	2604	vssms32.exe	37
PID 2264 set thread context of 2068	2264	vssms32.exe	39
PID 1184 set thread context of 2272	1184	vssms32.exe	41
PID 236 set thread context of 1564	236	vssms32.exe	43
PID 2064 set thread context of 1616	2064	vssms32.exe	45
PID 2120 set thread context of 2572	2120	vssms32.exe	47
PID 2748 set thread context of 2744	2748	vssms32.exe	49
PID 1028 set thread context of 2112	1028	vssms32.exe	51
PID 1992 set thread context of 2840	1992	vssms32.exe	53
PID 1436 set thread context of 2180	1436	vssms32.exe	55
PID 1000 set thread context of 2148	1000	vssms32.exe	57
PID 1712 set thread context of 916	1712	vssms32.exe	59
PID 616 set thread context of 284	616	vssms32.exe	61
PID 2316 set thread context of 1548	2316	vssms32.exe	63
PID 2920 set thread context of 2768	2920	vssms32.exe	65
PID 2664 set thread context of 2304	2664	vssms32.exe	67
PID 2972 set thread context of 1756	2972	vssms32.exe	69
PID 2952 set thread context of 2856	2952	vssms32.exe	71
PID 2420 set thread context of 1328	2420	vssms32.exe	73
PID 1868 set thread context of 1532	1868	vssms32.exe	75
PID 1376 set thread context of 1552	1376	vssms32.exe	77

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssms32.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
2440	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
2904	vssms32.exe
1716	vssms32.exe
2604	vssms32.exe
2264	vssms32.exe
1184	vssms32.exe
236	vssms32.exe
2064	vssms32.exe
2120	vssms32.exe
2748	vssms32.exe
1028	vssms32.exe
1992	vssms32.exe
1436	vssms32.exe
1000	vssms32.exe
1712	vssms32.exe
616	vssms32.exe
2316	vssms32.exe
2920	vssms32.exe
2664	vssms32.exe
2972	vssms32.exe
2952	vssms32.exe
2420	vssms32.exe
1868	vssms32.exe
1376	vssms32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2208	2440	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2208	2440	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2208	2440	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2208	2440	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2208	2440	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2208	2440	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2208	2440	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2208	2440	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2208	2440	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2208	2440	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2208	2440	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2208	2440	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	30
PID 2208 wrote to memory of 2904	2208	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	32
PID 2208 wrote to memory of 2904	2208	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	32
PID 2208 wrote to memory of 2904	2208	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	32
PID 2208 wrote to memory of 2904	2208	fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe	32
PID 2904 wrote to memory of 2968	2904	vssms32.exe	33
PID 2904 wrote to memory of 2968	2904	vssms32.exe	33
PID 2904 wrote to memory of 2968	2904	vssms32.exe	33
PID 2904 wrote to memory of 2968	2904	vssms32.exe	33
PID 2904 wrote to memory of 2968	2904	vssms32.exe	33
PID 2904 wrote to memory of 2968	2904	vssms32.exe	33
PID 2904 wrote to memory of 2968	2904	vssms32.exe	33
PID 2904 wrote to memory of 2968	2904	vssms32.exe	33
PID 2904 wrote to memory of 2968	2904	vssms32.exe	33
PID 2904 wrote to memory of 2968	2904	vssms32.exe	33
PID 2904 wrote to memory of 2968	2904	vssms32.exe	33
PID 2904 wrote to memory of 2968	2904	vssms32.exe	33
PID 2968 wrote to memory of 1716	2968	vssms32.exe	34
PID 2968 wrote to memory of 1716	2968	vssms32.exe	34
PID 2968 wrote to memory of 1716	2968	vssms32.exe	34
PID 2968 wrote to memory of 1716	2968	vssms32.exe	34
PID 1716 wrote to memory of 980	1716	vssms32.exe	35
PID 1716 wrote to memory of 980	1716	vssms32.exe	35
PID 1716 wrote to memory of 980	1716	vssms32.exe	35
PID 1716 wrote to memory of 980	1716	vssms32.exe	35
PID 1716 wrote to memory of 980	1716	vssms32.exe	35
PID 1716 wrote to memory of 980	1716	vssms32.exe	35
PID 1716 wrote to memory of 980	1716	vssms32.exe	35
PID 1716 wrote to memory of 980	1716	vssms32.exe	35
PID 1716 wrote to memory of 980	1716	vssms32.exe	35
PID 1716 wrote to memory of 980	1716	vssms32.exe	35
PID 1716 wrote to memory of 980	1716	vssms32.exe	35
PID 1716 wrote to memory of 980	1716	vssms32.exe	35
PID 980 wrote to memory of 2604	980	vssms32.exe	36
PID 980 wrote to memory of 2604	980	vssms32.exe	36
PID 980 wrote to memory of 2604	980	vssms32.exe	36
PID 980 wrote to memory of 2604	980	vssms32.exe	36
PID 2604 wrote to memory of 2980	2604	vssms32.exe	37
PID 2604 wrote to memory of 2980	2604	vssms32.exe	37
PID 2604 wrote to memory of 2980	2604	vssms32.exe	37
PID 2604 wrote to memory of 2980	2604	vssms32.exe	37
PID 2604 wrote to memory of 2980	2604	vssms32.exe	37
PID 2604 wrote to memory of 2980	2604	vssms32.exe	37
PID 2604 wrote to memory of 2980	2604	vssms32.exe	37
PID 2604 wrote to memory of 2980	2604	vssms32.exe	37
PID 2604 wrote to memory of 2980	2604	vssms32.exe	37
PID 2604 wrote to memory of 2980	2604	vssms32.exe	37
PID 2604 wrote to memory of 2980	2604	vssms32.exe	37
PID 2604 wrote to memory of 2980	2604	vssms32.exe	37
PID 2980 wrote to memory of 2264	2980	vssms32.exe	38
PID 2980 wrote to memory of 2264	2980	vssms32.exe	38
PID 2980 wrote to memory of 2264	2980	vssms32.exe	38
PID 2980 wrote to memory of 2264	2980	vssms32.exe	38

C:\Users\Admin\AppData\Local\Temp\fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fbdbb31466b09f812976925578b1e053_JaffaCakes118.exe
  2⤵
  - Impair Defenses: Safe Mode Boot
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\vssms32.exe
    "C:\Windows\system32\vssms32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\SysWOW64\vssms32.exe
      C:\Windows\SysWOW64\vssms32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1716
      - C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2264
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1184
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:236
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2120
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1028
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1992
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1436
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1000
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:616
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:284
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2316
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2920
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2664
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1868
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\vssms32.exe
        
        "C:\Windows\system32\vssms32.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1376
        
        C:\Windows\SysWOW64\vssms32.exe
        
        C:\Windows\SysWOW64\vssms32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\vssms32.exe

Filesize
776KB

MD5
fbdbb31466b09f812976925578b1e053

SHA1
e7a204ec8cff2ca0e430656dcec8d1819b8b0618

SHA256
8f77ef7c38ba8d72c7f1fc411801c7b7c5b42d7a0f7c877db8624f8e8113eb39

SHA512
831a36ac984ede03b3b6e9d482b179ce9f49f67b5258bd4e809f0f96a82eb962cf1e2d096ed0cf7ff72005246c6b6040c506e152cb4b178b4d2b29052bc5f2ba

Download Submit
memory/2208-9-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2208-28-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2208-17-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2208-13-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2208-2-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2208-4-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2208-23-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2208-29-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2208-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2208-40-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2208-6-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2968-65-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2968-69-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads