Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
28-06-2024 08:13
General
-
Target
19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe
-
Size
667KB
-
MD5
19692ed7b4d90397bb54fb483823e32c
-
SHA1
4bb7b5a2cea25d928f22a799d9edeaf8806eb012
-
SHA256
6862bae6ba9e69a63484969adc77f3742d3ff10181560effd9902b193901613e
-
SHA512
ceaf30d1257dd0f7abef3f03db33496b1ea86ca8f8deea123728baa4a104108e97dd9a7b2695e2efbfa81a48ef26e8c4e0ff52dbf83b27fc4389ca456f455ad4
-
SSDEEP
12288:WbMqmwEEb4E9F/ATyGv4XKGQi2lJLm1Giizl6oAlpxElrW1A:WI+EEb4Ev/ATEXKGVnGTzpA1Ec1A
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies security service 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
ModiLoader Second Stage 7 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Deletes itself 1 IoCs
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 10 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 54 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\DV245F.exeC:\Users\Admin\DV245F.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\ziuowi.exe"C:\Users\Admin\ziuowi.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del DV245F.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\aohost.exeC:\Users\Admin\aohost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\aohost.exeaohost.exe4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\bohost.exeC:\Users\Admin\bohost.exe3⤵
- Modifies security service
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\bohost.exeC:\Users\Admin\bohost.exe startC:\Users\Admin\AppData\Roaming\F79A4\78A51.exe%C:\Users\Admin\AppData\Roaming\F79A44⤵
- Executes dropped EXE
-
C:\Users\Admin\bohost.exeC:\Users\Admin\bohost.exe startC:\Program Files (x86)\A42DB\lvvm.exe%C:\Program Files (x86)\A42DB4⤵
- Executes dropped EXE
-
C:\Users\Admin\dohost.exeC:\Users\Admin\dohost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Defense Evasion
Modify Registry
5Hide Artifacts
1Hidden Files and Directories
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\F79A4\42DB.79AFilesize
600B
MD5c1480fcf9b4e9a1e343814dc702023de
SHA1c43d414a4443cb2f37c7d93e79495fe1f89e1c6b
SHA25647377d67e5ac16b096b9e152101bab70767d95609e4c64422c35a69b407e92a2
SHA512468441f13f75ceb15d1c272b060976cd72e728f718f68b871f4130d2a98fccceb55a3dbd33a5fe0163e7e2f6583c1d19f24e9aecbcd249bff30ca33bba5be131
-
C:\Users\Admin\AppData\Roaming\F79A4\42DB.79AFilesize
897B
MD5218824d1ef805544d473f2751e81d5e2
SHA1bb9aa76fb4a4ee729ea1550088b8563167142504
SHA256f79bc4c6f96f0ee895a3cbb2822f615f209ca0e5f32bbc5b4585ae99bfeadbe0
SHA51230b494be62e0ed25b9275eb5e9ef81411227cc8904351c2b23fd5591bac5987ad8b3c055f574e57cf6ffe9ea8cd61fdb3b64bf774598fffcc7da80b8ca1b5767
-
C:\Users\Admin\AppData\Roaming\F79A4\42DB.79AFilesize
1KB
MD5449516e1ab6766e2606bc96c9460519c
SHA180ce11ba8958c675793fc44e6ab868f26e855481
SHA2562abe183cdf7051f9300cca7ff27e31bd288be0347917d1cf057cd56b54062db3
SHA5128efdd58e81bd33dbb07a0755cb557aaf8b44766360b64eba4a7304db290f3b632a4913d39e4bdf9c1bfd721c478f0b32d93375ea1d869e4afe44d2490712f7b4
-
C:\Users\Admin\AppData\Roaming\F79A4\42DB.79AFilesize
1KB
MD5bd7f4d72a2f966d2c1402678ae1dbac3
SHA1e81dae09fb7d6980f216c583c22ef09dbe8011e8
SHA256c423904360e380c9d81fc525f7710a9d1117554feced551248788f0b1b73a7c8
SHA512b64db631714a7580e139b1215779d62090a8987c3cc63d900a8172fd2d949501ae1904f48518d8cfef5cc273b5c9101e34b6ce0ee1c44e69dcff10c8aa6bad03
-
\Users\Admin\DV245F.exeFilesize
216KB
MD500b1af88e176b5fdb1b82a38cfdce35b
SHA1c0f77262df92698911e0ac2f7774e93fc6b06280
SHA25650f026d57fea9c00d49629484442ea59cccc0053d7db73168d68544a3bbf6f59
SHA5129e55e7c440af901f9c6d0cdae619f6e964b9b75c9351c76ea64362ff161c150b12a1caabb3d2eb63353a59ae70e7159ca6b3793ed0cc11994766846ac316107f
-
\Users\Admin\aohost.exeFilesize
152KB
MD54401958b004eb197d4f0c0aaccee9a18
SHA150e600f7c5c918145c5a270b472b114faa72a971
SHA2564c477ed134bc76fa7b912f1aad5e59d4f56f993baa16646e25fec2fdeed3bd8b
SHA512f0548bdaafce2cde2f9d3bd1c26ed3c8e9321ef6d706bd372e18886d834828e5bb54ae44f19764e94574ceb4a1a2a99bdd8476e174b05114fcac9a6d4a2d58e6
-
\Users\Admin\bohost.exeFilesize
173KB
MD50578a41258df62b7b4320ceaafedde53
SHA150e7c0b00f8f1e5355423893f10ae8ee844d70f4
SHA25618941e3030ef70437a5330e4689ec262f887f6f6f1da1cd66c0cbae2a76e75bf
SHA5125870a73798bad1f92b4d79f20bf618112ec8917574f6b25ab968c47afff419a829eef57b0282fb4c53e6e636436c8cf52a01426c46bdd4a0ea948d371f0feb09
-
\Users\Admin\dohost.exeFilesize
24KB
MD5d7390e209a42ea46d9cbfc5177b8324e
SHA1eff57330de49be19d2514dd08e614afc97b061d2
SHA256d2d49c37bdf2313756897245c3050494b39e824af448450eca1c0e83cf95b1e5
SHA512de0eb11dd20cd9d74f47b138fb4189a299a57173fe2635150045b01629354f35b26e0575acd25501403af0db238a123b2e5a79582b47aee1d6e786f5eec1929d
-
\Users\Admin\ziuowi.exeFilesize
216KB
MD5d9862af1e4ae6207c43fae17eb2b11e8
SHA111a44a700a4ed6d534b2d2426c3bbc3a65337134
SHA2565ae2551e18dfe8d97c6ff29a9a9517a47dd5005b222d1c812ba41ec24253e810
SHA5121849bee8be72996d54ee42ce58c92d0dbae6d04781e4ec63150a6901b95580b334058513c3b276d7b80cd83cacb7d352586329191fda856accf3814f9cdebf5d
-
memory/292-43-0x00000000040D0000-0x0000000004B8A000-memory.dmpFilesize
10.7MB
-
memory/788-9-0x0000000000400000-0x000000000041F000-memory.dmpFilesize
124KB
-
memory/828-105-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1848-193-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1848-199-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1848-284-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1848-263-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1848-208-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1848-90-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1916-206-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/2072-13-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/2072-197-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/2072-12-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/2072-1-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/2072-88-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/2072-3-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/2072-14-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/2072-2-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/2072-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2072-5-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/2288-54-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2288-52-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2288-67-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2288-60-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2288-56-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2288-65-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2288-89-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2288-66-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/2568-62-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB