modiloader | 36f923ef3c4c35c130ef407f24ba2c8fe522a721d038bedf4c1bfaf365c57931

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_00512769a91021a9661bc83d6c246057.exe
Size

812KB
MD5

00512769a91021a9661bc83d6c246057
SHA1

4449e726a0c0835667b3396aec6bacb5c2d2fc78
SHA256

36f923ef3c4c35c130ef407f24ba2c8fe522a721d038bedf4c1bfaf365c57931
SHA512

06c0a37188f4d791c611b44291961043256756ca05de2e513420e706a066bd4fdea2ea132a500255e9e323d7186985155293a0f1548461ff1678e40f2aa663a5
SSDEEP

12288:4YknjLpbBNoLE126lU1tMGjYIFW4+zyZGumGgTtrDJrPsfL4oTO27uqULG1R:4Ykjlbr+8lUCpeZM3BDhPC5u/G

Score

10^/10

modiloader defense_evasion discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bxpTXK8W.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	deaoha.exe

Modiloader family
modiloader

ModiLoader Second Stage 9 IoCs

resource	yara_rule
behavioral2/memory/1860-5-0x0000000000400000-0x0000000000417000-memory.dmp	modiloader_stage2
behavioral2/memory/2676-6-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2
behavioral2/memory/2676-8-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2
behavioral2/files/0x0007000000023c9e-35.dat	modiloader_stage2
behavioral2/memory/732-49-0x0000000000400000-0x0000000000416000-memory.dmp	modiloader_stage2
behavioral2/files/0x0007000000023ca0-51.dat	modiloader_stage2
behavioral2/memory/4840-57-0x0000000000400000-0x0000000000417000-memory.dmp	modiloader_stage2
behavioral2/memory/2676-68-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2
behavioral2/memory/2676-90-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	bxpTXK8W.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe

Executes dropped EXE 9 IoCs

pid	Process
3192	bxpTXK8W.exe
732	akhost.exe
684	deaoha.exe
2212	akhost.exe
4840	bkhost.exe
4612	bkhost.exe
2984	ckhost.exe
2812	dkhost.exe
5064	ekhost.exe

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /c"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /h"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /W"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /q"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /k"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /p"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /a"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /N"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /s"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /F"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /l"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /y"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /t"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /K"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /S"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /Q"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /P"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /g"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /Y"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /G"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /o"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /X"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /e"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /w"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /u"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /A"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /I"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /E"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /H"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /v"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /B"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /x"	bxpTXK8W.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /D"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /L"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /i"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /R"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /V"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /f"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /r"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /T"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /Z"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /d"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /x"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /J"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /O"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /m"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /C"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /j"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /n"	deaoha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deaoha = "C:\\Users\\Admin\\deaoha.exe /U"	deaoha.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	akhost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	akhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	bkhost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	bkhost.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4436	tasklist.exe
4224	tasklist.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1860 set thread context of 2676	1860	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	83
PID 732 set thread context of 2212	732	akhost.exe	96
PID 4840 set thread context of 4612	4840	bkhost.exe	98
PID 2812 set thread context of 4588	2812	dkhost.exe	111

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2676-0-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral2/memory/2676-2-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral2/memory/2676-6-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral2/memory/2676-8-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral2/memory/2676-4-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral2/memory/4612-53-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4612-54-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4612-59-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4612-60-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/2676-68-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral2/memory/4612-71-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/2676-90-0x0000000000400000-0x0000000000516000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2684	2984	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	deaoha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bkhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ckhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	akhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ekhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxpTXK8W.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dkhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3192	bxpTXK8W.exe
3192	bxpTXK8W.exe
3192	bxpTXK8W.exe
3192	bxpTXK8W.exe
2212	akhost.exe
2212	akhost.exe
2212	akhost.exe
2212	akhost.exe
2212	akhost.exe
2212	akhost.exe
684	deaoha.exe
684	deaoha.exe
4612	bkhost.exe
4612	bkhost.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
2212	akhost.exe
2212	akhost.exe
2212	akhost.exe
2212	akhost.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
2212	akhost.exe
2212	akhost.exe
2212	akhost.exe
2212	akhost.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe
684	deaoha.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4436	tasklist.exe
Token: SeDebugPrivilege	2812	dkhost.exe
Token: SeDebugPrivilege	4224	tasklist.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2676	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe
3192	bxpTXK8W.exe
684	deaoha.exe
5064	ekhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2676	1860	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	83
PID 1860 wrote to memory of 2676	1860	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	83
PID 1860 wrote to memory of 2676	1860	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	83
PID 1860 wrote to memory of 2676	1860	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	83
PID 1860 wrote to memory of 2676	1860	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	83
PID 1860 wrote to memory of 2676	1860	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	83
PID 1860 wrote to memory of 2676	1860	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	83
PID 1860 wrote to memory of 2676	1860	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	83
PID 2676 wrote to memory of 3192	2676	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	84
PID 2676 wrote to memory of 3192	2676	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	84
PID 2676 wrote to memory of 3192	2676	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	84
PID 2676 wrote to memory of 732	2676	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	91
PID 2676 wrote to memory of 732	2676	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	91
PID 2676 wrote to memory of 732	2676	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	91
PID 3192 wrote to memory of 684	3192	bxpTXK8W.exe	92
PID 3192 wrote to memory of 684	3192	bxpTXK8W.exe	92
PID 3192 wrote to memory of 684	3192	bxpTXK8W.exe	92
PID 3192 wrote to memory of 4852	3192	bxpTXK8W.exe	93
PID 3192 wrote to memory of 4852	3192	bxpTXK8W.exe	93
PID 3192 wrote to memory of 4852	3192	bxpTXK8W.exe	93
PID 4852 wrote to memory of 4436	4852	cmd.exe	95
PID 4852 wrote to memory of 4436	4852	cmd.exe	95
PID 4852 wrote to memory of 4436	4852	cmd.exe	95
PID 732 wrote to memory of 2212	732	akhost.exe	96
PID 732 wrote to memory of 2212	732	akhost.exe	96
PID 732 wrote to memory of 2212	732	akhost.exe	96
PID 732 wrote to memory of 2212	732	akhost.exe	96
PID 732 wrote to memory of 2212	732	akhost.exe	96
PID 732 wrote to memory of 2212	732	akhost.exe	96
PID 732 wrote to memory of 2212	732	akhost.exe	96
PID 732 wrote to memory of 2212	732	akhost.exe	96
PID 732 wrote to memory of 2212	732	akhost.exe	96
PID 2676 wrote to memory of 4840	2676	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	97
PID 2676 wrote to memory of 4840	2676	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	97
PID 2676 wrote to memory of 4840	2676	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	97
PID 4840 wrote to memory of 4612	4840	bkhost.exe	98
PID 4840 wrote to memory of 4612	4840	bkhost.exe	98
PID 4840 wrote to memory of 4612	4840	bkhost.exe	98
PID 4840 wrote to memory of 4612	4840	bkhost.exe	98
PID 4840 wrote to memory of 4612	4840	bkhost.exe	98
PID 4840 wrote to memory of 4612	4840	bkhost.exe	98
PID 4840 wrote to memory of 4612	4840	bkhost.exe	98
PID 4840 wrote to memory of 4612	4840	bkhost.exe	98
PID 2676 wrote to memory of 2984	2676	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	99
PID 2676 wrote to memory of 2984	2676	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	99
PID 2676 wrote to memory of 2984	2676	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	99
PID 2676 wrote to memory of 2812	2676	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	106
PID 2676 wrote to memory of 2812	2676	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	106
PID 2676 wrote to memory of 2812	2676	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	106
PID 2812 wrote to memory of 4588	2812	dkhost.exe	111
PID 2812 wrote to memory of 4588	2812	dkhost.exe	111
PID 2812 wrote to memory of 4588	2812	dkhost.exe	111
PID 2812 wrote to memory of 4588	2812	dkhost.exe	111
PID 2676 wrote to memory of 5064	2676	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	113
PID 2676 wrote to memory of 5064	2676	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	113
PID 2676 wrote to memory of 5064	2676	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	113
PID 2676 wrote to memory of 2892	2676	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	117
PID 2676 wrote to memory of 2892	2676	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	117
PID 2676 wrote to memory of 2892	2676	JaffaCakes118_00512769a91021a9661bc83d6c246057.exe	117
PID 2892 wrote to memory of 4224	2892	cmd.exe	119
PID 2892 wrote to memory of 4224	2892	cmd.exe	119
PID 2892 wrote to memory of 4224	2892	cmd.exe	119
PID 684 wrote to memory of 4224	684	deaoha.exe	119
PID 684 wrote to memory of 4224	684	deaoha.exe	119

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_00512769a91021a9661bc83d6c246057.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_00512769a91021a9661bc83d6c246057.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_00512769a91021a9661bc83d6c246057.exe
  JaffaCakes118_00512769a91021a9661bc83d6c246057.exe
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\bxpTXK8W.exe
    C:\Users\Admin\bxpTXK8W.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\Users\Admin\deaoha.exe
      "C:\Users\Admin\deaoha.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:684
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del bxpTXK8W.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4852
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
- - C:\Users\Admin\akhost.exe
    C:\Users\Admin\akhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:732
  - - C:\Users\Admin\akhost.exe
      akhost.exe
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      PID:2212
- - C:\Users\Admin\bkhost.exe
    C:\Users\Admin\bkhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Users\Admin\bkhost.exe
      bkhost.exe
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      PID:4612
- - C:\Users\Admin\ckhost.exe
    C:\Users\Admin\ckhost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2984
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 396
      4⤵
      Program crash
      PID:2684
- - C:\Users\Admin\dkhost.exe
    C:\Users\Admin\dkhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:4588
- - C:\Users\Admin\ekhost.exe
    C:\Users\Admin\ekhost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_00512769a91021a9661bc83d6c246057.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2984 -ip 2984
1⤵
PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\akhost.exe

Filesize
229KB

MD5
2c895814249b3630f5ef87aef065a6d2

SHA1
785a02f3a3c958fb2f3fa7ce26860b65da34939d

SHA256
cc6377f8d451bd5ceb97d95409b74c9589f86edd47fead3db05e3a3dbfc6204a

SHA512
14e786deb9917c57dbdb6468a5b6b05ef0aacaa5a9efc962bac691648c1059c99537a85f9bd65013bb2765ebcbd1fa97027c6f2069ae2e1cc901d4247c7f404c

Download Submit
C:\Users\Admin\bkhost.exe

Filesize
122KB

MD5
6adba45c3cd86e3e4179c2489adc3ed0

SHA1
c856828981816a028d9948d4e90e83779ba00cc6

SHA256
e1432e8564f1a32df65a2cb433d4968e2109fef1508ad150a89e7c31227d3de8

SHA512
13404f5c2a311bc87e96d550674c9a7c6fda0f7808db1b901747d4e7a2e4c76bea268e38a17d3206ae419144981a060d29f916f676e586cc4376ad81717de672

Download Submit
C:\Users\Admin\bxpTXK8W.exe

Filesize
184KB

MD5
2261c2411c6e581bf496a0be8d46c6d8

SHA1
79e709807dff36c8d9936db05c0adcce54a1a290

SHA256
20e4fb3c4086c725feafdd50d8c8e405b20f6a9b868422455ca0b9cd007eb418

SHA512
622f86d976e9c140b29a1b29c21ac26415acab2762bac6d429123cb73af002377a0ecc62afaea0ef06dea689ebb6e70a1c7251186a260eae279cc8587622cefd

Download Submit
C:\Users\Admin\ckhost.exe

Filesize
279KB

MD5
b4004c548fec0ae0f7264b509b95e4d8

SHA1
6142664dc2b3ce927fecb96fa18a1dbc5219ae8f

SHA256
3f4aae3b2ec5b1d842841e76a963f26b471ed15e9933c40d48469a48ed04ee56

SHA512
750223d1cf30812b4c9dba9f21893f2ce34b717c17da2befe47f13e8d623c5098f5133053cb1a909da5e4ebc07b68979e72fa8f36c26c6c191665b213e838d90

Download Submit
C:\Users\Admin\deaoha.exe

Filesize
184KB

MD5
92fe4f959907d35d81ea32246cf48e60

SHA1
7b941d09eaa2fae3ad5f1c1c0e3a97b056b8cafa

SHA256
1f09fcc087f53c208d4c617db5e620f56d840cbcb6985fffb8c5a3445cab563d

SHA512
f9835337d8fab01e3dca7ccc425cf3b390d14470633d95d7093f42e4f24b0e3bf3ef303d164aec5192918dd769e77c4eb543f07e03f4ab07cde6c91b59067a2b

Download Submit
C:\Users\Admin\dkhost.exe

Filesize
240KB

MD5
0a67782f34b335fe42be835ad4542124

SHA1
c1838a364f27ed7b8a463edefeabf8d762d1f149

SHA256
4f1d17a99aaf1719a96778e06edb417de118672ad3b0193a3fd2706a8e6f699c

SHA512
4dd56baf20ad532e7c1933d83889c649ffe4069a23dde43486c32105c0df67ebc8f670cb54c13a902105d38f5efea06c3a7f6481aec49c4af1b40bc8cfa7b086

Download Submit
C:\Users\Admin\ekhost.exe

Filesize
32KB

MD5
49e105d54bf4201e39ef974f9e5c24dc

SHA1
70737f6e75e250cfa335f8ef10be4b934f6fa1af

SHA256
a7d86eb136f345db624f4ddc577b61a2bb54f24c6b83a1de66dbdc167f3bb119

SHA512
7b9c210b69535ffca2280bd54b88bb2644e39fb1db487fbf8d83ea420c6db7d05b2373bef172a07b3090139e29110c593b09151e39ff6358d1fc62c0e91783fe

Download Submit
memory/732-49-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1860-5-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2212-70-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2212-43-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2212-45-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2212-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2212-44-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2212-42-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2676-68-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2676-0-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2676-90-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2676-8-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2676-2-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2676-6-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2676-4-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2812-74-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2812-72-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4612-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4612-71-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4612-60-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4612-53-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4612-54-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4840-57-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download