Analysis
-
max time kernel
149s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
28-06-2024 02:04
General
-
Target
18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe
-
Size
875KB
-
MD5
18669652b47dc9bbacea0b790bc47e1c
-
SHA1
6b852f8c039052bfd7f5c94b486c4e7c040a8077
-
SHA256
76081536605f54e193127ce89901ec20dcb94782cc4c28a8c2cfb58521b23bf4
-
SHA512
d1023c4c071240b1ca01da705eeb83f7b4bd17adfa658982326cc293ee80f1a088b5c1adab7fbce4f24ce5189443e3901df98c786abd7cf2f0427ecc278f60ec
-
SSDEEP
24576:B5T0kUJQCdHVFQlyOW8oooiAhYJWtA7q:B53UVHVFQAp5iAOgtAG
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies security service 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
ModiLoader Second Stage 9 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Deletes itself 1 IoCs
-
Executes dropped EXE 13 IoCs
-
Loads dropped DLL 19 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 15 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 54 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R2⤵
-
C:\Users\Admin\AppData\Local\Temp\18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Ww9OoYLk.exeC:\Users\Admin\Ww9OoYLk.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\meaje.exe"C:\Users\Admin\meaje.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del Ww9OoYLk.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\athost.exeC:\Users\Admin\athost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\athost.exeathost.exe4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\bthost.exeC:\Users\Admin\bthost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\bthost.exebthost.exe4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\cthost.exeC:\Users\Admin\cthost.exe3⤵
- Modifies security service
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\cthost.exeC:\Users\Admin\cthost.exe startC:\Users\Admin\AppData\Roaming\E6BC3\057C4.exe%C:\Users\Admin\AppData\Roaming\E6BC34⤵
- Executes dropped EXE
-
C:\Users\Admin\cthost.exeC:\Users\Admin\cthost.exe startC:\Program Files (x86)\C385C\lvvm.exe%C:\Program Files (x86)\C385C4⤵
- Executes dropped EXE
-
C:\Program Files (x86)\LP\C4CE\99CF.tmp"C:\Program Files (x86)\LP\C4CE\99CF.tmp"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\dthost.exeC:\Users\Admin\dthost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
-
C:\Users\Admin\ethost.exeC:\Users\Admin\ethost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del 18669652b47dc9bbacea0b790bc47e1c_JaffaCakes118.exe3⤵
- Deletes itself
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
- Loads dropped DLL
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Defense Evasion
Modify Registry
5Hide Artifacts
1Hidden Files and Directories
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\E6BC3\385C.6BCFilesize
600B
MD563abf1ebd2e33970e193fef3954ba00f
SHA11ad0c10ee2dfd881ff906e260d86269e90a59920
SHA25604bb2caaa4d284aca297f46b02325ffbdb16c705bab4a00551b9f67420288a14
SHA512c0a0ac7480eeb0cb8fbd526c71e62936a29c591a5fb50b81a29d38961dac8eb9dd0d7668c1ae8ecef13ec4944b6bff2e68d12aaf9e7fd78b4f678d479660b2ca
-
C:\Users\Admin\AppData\Roaming\E6BC3\385C.6BCFilesize
996B
MD5b7dd79ebce19baea1cd5a56f0c43e276
SHA1c99646384c64768ae0eec19590c88613ea5f5fc0
SHA256cb16fd7b894a7b5f4dd10f6766e11b3dde9fdf149f74bc5cf179fbb7f0c6a07c
SHA51247c1b08090ad1d74f6f47b62fd76a2dfde351e1fbe5db6d5938d8f4491ef411ae70ca0e308be04808f17b7ebb6c1e1e68ed677e89a4fcdc62a6bf60b9ed2cdb0
-
C:\Users\Admin\AppData\Roaming\E6BC3\385C.6BCFilesize
1KB
MD5ec802eb95a623352b878c28f6eafb9aa
SHA11bb28bad5f0a3c193a1267ab8143541708a02e7d
SHA256b086dfdea24cff4fbc19231aea0ce238e578a754d17d84153a0e41d4c7172a16
SHA512a7aa7b614e0dff67760618bf96cb05c12fddce0a87b4f45263b0859d7fcd04b8b15afd9ca8c7f465db587b51dad21f82444e02b22513f75e75e35066c33fe7fd
-
\??\globalroot\systemroot\assembly\temp\@Filesize
2KB
MD5c16dc29d91b5b1c157c7d2c4345026c7
SHA1c3f452539e22f5dd277e293cfd0bd7dbac353cc0
SHA256849d13f1c9cfb30832d3e449ede1203d3cca347669e15b8d084324ec1054424f
SHA512f864d20ee5cd8acd1d0e6a89f3e36ef9b1b645f93f36036686a4815b78d2a65f08afe8cee18a4161c3a9717b041a48f949af1cc0110b64703db76c43558a2705
-
\Program Files (x86)\LP\C4CE\99CF.tmpFilesize
95KB
MD5a1d80ed250788260ffd66258555a4876
SHA110b81c2cdc4a7d645f9058c220587fac79281351
SHA256d4d9a7028cda13828d7a6796dd12369ab1d4af80946776aa5b5c0369dd322fb3
SHA512fee72d46425a0c1f755de2e34ad742ff579a86b2a3bff3485a15ddcbcf55d60c6297bb588650a9a673aa0a5e8f35f1ae0bc1a454154d26848c49cab700d7e5d8
-
\Users\Admin\Ww9OoYLk.exeFilesize
256KB
MD577e425fe955cbc4b6245cf8a3ed645b3
SHA1921dad95a28283f2138e8c36d4cbf295572d33ac
SHA25686b35dd61f186218356ecced37723e647b612cb8c44ef904917f4c783e424809
SHA512ee0a6ac25c021baf6974a23afd999bcdd519da465ee849ebd52d99ff437812165650fe8f05e5ff72f6eadf8d5a44d5c7c73853e4d5e00f8fbab45444fd56a44b
-
\Users\Admin\athost.exeFilesize
263KB
MD56b7d559166467ef651497836feef65e3
SHA19edda6cd07a1960ba52abe17fc7402ff93d44ce6
SHA2566151ab998d7821e147551b5ff24b11d3194c207c3ff8322fe2e2860a8b978bb0
SHA512d58ddfe8ce3b9f4092d554713502065c351a46251ff0ce126dd05528771cd727bf636f15a4c76224d8db22117234d39b1a2bf8030b55aadcf98087a5a1814356
-
\Users\Admin\bthost.exeFilesize
153KB
MD5f28e94ce33674d8cf13f31bb5f20f745
SHA1e79332b18af7b31caa195956c23303d35c2808c8
SHA25642f40ac82f47f4eb009dbd11d7233ed2e67f80392dd4fa770faa68dd973ded2f
SHA5128bcb1311302bbf1b6cfbbb863cffa95d5934c9bfc613cd2dc2abd425fe39ad2ec9cae7dca1e5b60d2acec4c9d422a35aeb5ab7b0433f25c01202ab3b4ca96112
-
\Users\Admin\cthost.exeFilesize
278KB
MD5d0bf4ea3b6fc02afd2c6ed5f4b0d142e
SHA12187968df184c18f945497dd410f90f4b6ff186d
SHA2563c7ee6117b9c2e39593f452e163f16334ab1b9196b5b5616c9ff7496bb4676a0
SHA512e0efb8672a81a8aa6c11a0f1f871033b10c6a5c6b28d30eab4f8ef7509fca8710c417b9cbbbf7844888f02858295304c23bf217e41d157e2bed594a39c2641f4
-
\Users\Admin\dthost.exeFilesize
227KB
MD5d39d17b38909180b0c65cb4081154100
SHA1b7a11d389d940273b91dd9ddb11137404eedceea
SHA256590aaa3add5efffd271c2b9cfc10fc304faf6caf83f2f9dd494a40a35b1053d3
SHA5125a0ccc785b15e92d38bf1436522dbe81645d2b16093f20f09dfd81602e9f496693a6b27a62f88e50cdf027147b89a21db1e15532d0d4e7c2fd65710ee2071fa6
-
\Users\Admin\ethost.exeFilesize
24KB
MD5b38b2a8c25efb39b245dbfa6c1ccc29b
SHA162fda766006bfbccbfaade649ceb29764c216ea4
SHA2561fee129dadbd67f7fab68c8fa285b5da0141785100b35bc7b66d55b10d24364d
SHA5128cdbb4e9404783ad4a2665a05a1e64e8ab393689c2425834e854933f58904910e248dfebc57c717313abbc62105d76875ebafd206ada15417beedd58bbd7e22d
-
\Users\Admin\meaje.exeFilesize
256KB
MD54f9b7314543e88009f3c91507b693bf3
SHA1205da2d04a87f6a798c67e16a4b0055b7c673933
SHA256b256ddf8867690ddb66932ae28de75413f958c3eff3f05a2ce3c3809f11898d4
SHA5121d062d3e29cec1aafcf945143235855aa59bfbe0c6ce4f11c8a51adcfddec6247fbffcb7b6353236527b7136d71e47c55490537f5010e3d7c7c3a2179537f5bb
-
\Windows\System32\consrv.dllFilesize
53KB
MD563e99b675a1337db6d8430195ea3efd2
SHA11baead2bf8f433dc82f9b2c03fd65ce697a92155
SHA2566616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9
SHA512f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f
-
\Windows\assembly\GAC_32\Desktop.iniFilesize
4KB
MD5758f90d425814ea5a1d2694e44e7e295
SHA164d61731255ef2c3060868f92f6b81b4c9b5fe29
SHA256896221147d8172197cbbf06c45d461141ce6b4af38027c1a22d57c1165026433
SHA51211858e498309f611ee6241c026a402d6d979bffe28d4cbf7c9d5a89c3f3de25e1d253ab552ef7bc7cc43dd056307bd625e2e4f09beb21f0214c3946113b97ca9
-
\Windows\assembly\GAC_64\Desktop.iniFilesize
5KB
MD592f9cdae857253a3895faffa85b3d8b9
SHA1d28352ff5a02eeb98334e3d0f845a259b2aacff3
SHA2565653db84679ab49eec2e32127271dacd802b8ed53a5199c5fd5fe998be32a36b
SHA512f23ec0a005b5d84d26527cd6c26d494b9ecff4b099adfd780fe7953f5affb0f295f92dc663d79bcb60d42f82d249b7e61acb39a38bdbd66185da5bf6126737a6
-
memory/332-132-0x00000000023C0000-0x00000000023D2000-memory.dmpFilesize
72KB
-
memory/1300-148-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/2580-69-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/2620-92-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2620-81-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2620-83-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2620-79-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2620-87-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2620-94-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2620-93-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2792-124-0x0000000002110000-0x0000000002155000-memory.dmpFilesize
276KB
-
memory/2792-118-0x0000000002110000-0x0000000002155000-memory.dmpFilesize
276KB
-
memory/2792-152-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/2792-126-0x0000000002110000-0x0000000002155000-memory.dmpFilesize
276KB
-
memory/2792-113-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/2792-123-0x0000000002110000-0x0000000002155000-memory.dmpFilesize
276KB
-
memory/2792-114-0x0000000002110000-0x0000000002155000-memory.dmpFilesize
276KB
-
memory/2792-122-0x0000000002110000-0x0000000002155000-memory.dmpFilesize
276KB
-
memory/2856-89-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/2984-10-0x0000000000400000-0x000000000041F000-memory.dmpFilesize
124KB
-
memory/3040-6-0x0000000000400000-0x0000000000535000-memory.dmpFilesize
1.2MB
-
memory/3040-13-0x0000000000400000-0x0000000000535000-memory.dmpFilesize
1.2MB
-
memory/3040-112-0x00000000005B0000-0x0000000000616000-memory.dmpFilesize
408KB
-
memory/3040-0-0x0000000000400000-0x0000000000535000-memory.dmpFilesize
1.2MB
-
memory/3040-3-0x0000000000400000-0x0000000000535000-memory.dmpFilesize
1.2MB
-
memory/3040-111-0x00000000005B0000-0x0000000000616000-memory.dmpFilesize
408KB
-
memory/3040-360-0x0000000000400000-0x0000000000535000-memory.dmpFilesize
1.2MB
-
memory/3040-2-0x0000000000400000-0x0000000000535000-memory.dmpFilesize
1.2MB
-
memory/3040-14-0x0000000000400000-0x0000000000535000-memory.dmpFilesize
1.2MB
-
memory/3040-15-0x0000000000400000-0x0000000000535000-memory.dmpFilesize
1.2MB
-
memory/3040-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/3040-153-0x0000000000400000-0x0000000000535000-memory.dmpFilesize
1.2MB
-
memory/3056-62-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/3056-163-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/3056-54-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/3056-56-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/3056-66-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/3056-53-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/3056-70-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/3056-59-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB