Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
01-07-2024 08:21
General
-
Target
1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe
-
Size
807KB
-
MD5
1a94bba2273274d0f93731436bc1bb30
-
SHA1
543eddbadf14a9aeab0affde1e7d7f7b2360d710
-
SHA256
709d95ad585b444dc62d9fabec674210cb2baacec84a6a477ed37e2787a8833e
-
SHA512
8e6567e54555dd41983274ad40f5f01348401afbfa7462d45cb9c4f9c7fb88ab67da94cb2233f05b6d73ed9e6db268e34b1b89ca1ff7efdf3229d6b8cfef95a3
-
SSDEEP
24576:FYkjllgR+tmbs1t9qgYohxfloUZhjaoJKwbgy:FYslhtmMKcoUvPJKwbgy
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
ModiLoader Second Stage 9 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Deletes itself 1 IoCs
-
Executes dropped EXE 13 IoCs
-
Loads dropped DLL 17 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 16 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 52 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 17 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R2⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe3⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\eQDewf74.exeC:\Users\Admin\eQDewf74.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\xnhaiv.exe"C:\Users\Admin\xnhaiv.exe"5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del eQDewf74.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\aihost.exeC:\Users\Admin\aihost.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\aihost.exeaihost.exe5⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\bihost.exeC:\Users\Admin\bihost.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\bihost.exebihost.exe5⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\cihost.exeC:\Users\Admin\cihost.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\cihost.exeC:\Users\Admin\cihost.exe startC:\Users\Admin\AppData\Roaming\5B530\6B32B.exe%C:\Users\Admin\AppData\Roaming\5B5305⤵
- Executes dropped EXE
-
C:\Users\Admin\cihost.exeC:\Users\Admin\cihost.exe startC:\Program Files (x86)\3057E\lvvm.exe%C:\Program Files (x86)\3057E5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\LP\2B65\C497.tmp"C:\Program Files (x86)\LP\2B65\C497.tmp"5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\dihost.exeC:\Users\Admin\dihost.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"5⤵
-
C:\Users\Admin\eihost.exeC:\Users\Admin\eihost.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del 1a94bba2273274d0f93731436bc1bb30_JaffaCakes118.exe4⤵
- Deletes itself
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\5B530\057E.B53Filesize
300B
MD5a779256e54b5030b9c94a645e580651b
SHA12ca288b70a83a4af1ce2051147be630d3256c814
SHA25646dd0b3d285585a64a7281e0551585f04cdf2cf9fd89a0cc1903cf89b11097e6
SHA512b8ffd27622a38ee837facd242b7e6b979df3c61bcca1a22e7ef1988e1ed47ee24c0d5128ec159062491348793e4f6eeb926779230c0d76d9ad88c27c8a5cf012
-
C:\Users\Admin\AppData\Roaming\5B530\057E.B53Filesize
600B
MD5a80625fc042897c4a0ac756b4dbb3bd5
SHA17c9557ec868036c7a7313b952e52468940324b67
SHA256c90889dd6dd36a66fb6ada69f1cc229be4306cd5279b3d6fb233a03eb0199cb7
SHA51254861a7b1b2fa6522fab929083287fd130adcd2cd1bc3591bdb7b13217783d706d6b2682aea4f070a421e88901f22c0e885d03c72853379e339cc82232c57236
-
C:\Users\Admin\AppData\Roaming\5B530\057E.B53Filesize
996B
MD5bbaf8c9101795c97a95d3e8d71fe554e
SHA1f6a8071ff5978854741f53d56f2b0e4fdadce1d5
SHA2563474148ea62a2cb694a6925bb777b79dc4bd9587fa7161bf6955697f44da7e0d
SHA5128b30eb99628f9a86d6e46acd5dac7da8f01cf55d67fca0736e6c83ab83f1e08395176e3869e860962c0a4d4e0524a29b781c0c4afe0a216387d2a1320852aa68
-
C:\Users\Admin\AppData\Roaming\5B530\057E.B53Filesize
1KB
MD5b0b97b55d707944be0d61f6e3970637d
SHA1f3c1fd425db509ffb398c94014dfdc4f0371c9f1
SHA256b1c3d5dcba801babbdc9312317a7fb53fd5e8941c239232b060641b3423bf04e
SHA51272043af5cfbffb2182407b0cbe563d40d1ca9012bcba462b03d9fabd164a007071b17b851acd8f104d4ccdc438ce39e8f8d8bd2a527a93d1b60bfba59ce5bbcc
-
C:\Users\Admin\bihost.exeFilesize
119KB
MD5386fef8fdb975e7c102921910db7f9fb
SHA1cdf3f86411189db08c8c0f887f26c2572ecc0889
SHA256ae06d784c51702aff587d235d48de3b1162872069fac4602d921d023527efae0
SHA5126ab8c2721c81bdff414e8cdbd7ca006abf3ed8c0155510d6c92555885038f33c1cf08372302b6465196f69aa15a7305fb05eb2e12026f1fc96a797646b8d2352
-
C:\Windows\system32\consrv.dllFilesize
53KB
MD563e99b675a1337db6d8430195ea3efd2
SHA11baead2bf8f433dc82f9b2c03fd65ce697a92155
SHA2566616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9
SHA512f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f
-
\??\globalroot\systemroot\assembly\temp\@Filesize
2KB
MD50b39ec8019d049c552aa5d1d7bd43d76
SHA130d39045635f8f4710a2a7baaf410c4547bc6474
SHA2568d50403cc9efe0dbf9ed735f0ec8fc89b9524c82f8b5885ad5439f661e0a5828
SHA5120f924615afec563d254547a0f4490b962e67cc6dbf08effedecf61ea5359f7e9ed95ac777ffa1043153dbbf16ac10b092590879eedbb07ca2a71220a74d7d67f
-
\Program Files (x86)\LP\2B65\C497.tmpFilesize
100KB
MD54c04ec47c44bc997519e18ce5f20e9d6
SHA1680968fe85eaa19ac68b8dabf3371dd81684ed83
SHA256446ddf0822deef56cedbfa0910143c744835ed765d128408d9ea994a569581a2
SHA512e33e959e25d09152c1f64d60a7733f7c7a1dfd9f0bee6ed1f8aa18cf5e5248442e365d211c4555e0723b4e23e97c0a99d43b8fe6538cc9c77f0d39fd73616279
-
\Users\Admin\aihost.exeFilesize
229KB
MD5c7b9733430c4bf7f56a0c89d7f2dd9cf
SHA10a894c98e17a8c81a378a37c2230cf188932d21e
SHA2568047916855a52a9b5e97c010e8fc2dc01a9ed91d2798a6869f8669ea4a92940d
SHA5124aefe0746e896c00bc908128ba63e13d2abed9e839d13da14042365afb81d85bf75537292f7323a56694258ddec7a88b57202721b62651cfcbef2932c0cb2464
-
\Users\Admin\cihost.exeFilesize
279KB
MD54df3241b8f53ad2d1c0bba6dc1b97e02
SHA1f0c43893143a3442a453f56c9c4f740941b1d097
SHA256407e0425757e28262c3054c1dc981a9f41cf83cd67ecfbf37d3b8fe74db54199
SHA512e90e4a8b708fb9d3213f73e641fa39625a38fa969270ef1123206fb30d04837f018b9838aa02a234265c0b9ba765f567b748a7b73c437b96daba7a15e5e38663
-
\Users\Admin\dihost.exeFilesize
244KB
MD588537f3fd69e60683c4467e89b7651af
SHA12c14a9010bed93b0622efe283a34de343ca33244
SHA2564a7897e22ad30c516920e6441dc360a98114f15d9652b89909758f4966029692
SHA512b3d070628092558770e08386eeabf69efc613ce163ce1f50cc00a81a78cbec6b667a84a4f09144b7f0c145ec28929b78deee4f7cab10ce7ac9a2f9c536ce8084
-
\Users\Admin\eQDewf74.exeFilesize
180KB
MD542836a2ee8ce9deef8d846272ef3949f
SHA179f698c53e56c96c859a0155e02a24c93e120145
SHA2565569f623253918233149531fbd49bd624af013695bf0f7d8b53ef58b062e6a37
SHA512786802f71512228215ddac4d23a7eec6e8cfb8ab4c02ba0a03b06241431e70c202e845ce08222945f668218d91dd6630e9e5499be0b44fda7b3dc29e98231d85
-
\Users\Admin\eihost.exeFilesize
28KB
MD5f06f7a3945f4f78ee2c6d1ed35cbb5be
SHA1ac1ab0f60a94286b6f01b40431e6f87f6e9899bf
SHA256a2c720d07e18b73143b040ab817bad7da98ed2a262d55e6119b9cbd8b93dbbe3
SHA51223f1fc1f15aab030c3d19a1c166479a52659b91dac00fff1301ddfd6e5e62279d45ec176f2e891098eb0d613d1f148952bf71341227b35f52c3bc2bf5fcdad14
-
\Users\Admin\xnhaiv.exeFilesize
180KB
MD57c6f5212f5a2bc7b571643a7b02b9b49
SHA128e437183dd7d60a8a316ffc60f7a8c7d1b24c42
SHA2567fddb89bc0c64dc7c027218a70914b4f1fe04312d95a09ecba6d696bdd07e42f
SHA512adaf46f998111a9fa594c08f17350cacab7510ab41df48fbf52092c03f073954c7c389713767b9b226573cd66bb6c6c98715ed7505eaf1481eada942e010157c
-
\Windows\assembly\GAC_32\Desktop.iniFilesize
4KB
MD5758f90d425814ea5a1d2694e44e7e295
SHA164d61731255ef2c3060868f92f6b81b4c9b5fe29
SHA256896221147d8172197cbbf06c45d461141ce6b4af38027c1a22d57c1165026433
SHA51211858e498309f611ee6241c026a402d6d979bffe28d4cbf7c9d5a89c3f3de25e1d253ab552ef7bc7cc43dd056307bd625e2e4f09beb21f0214c3946113b97ca9
-
memory/1316-157-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/1676-155-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/1936-10-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/2068-14-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/2068-402-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/2068-3-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/2068-15-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/2068-0-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/2068-2-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/2068-13-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/2068-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2068-112-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/2068-12-0x0000000000400000-0x0000000000515000-memory.dmpFilesize
1.1MB
-
memory/2340-44-0x0000000003EB0000-0x000000000496A000-memory.dmpFilesize
10.7MB
-
memory/2720-70-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/2844-166-0x00000000020E0000-0x000000000211C000-memory.dmpFilesize
240KB
-
memory/2844-237-0x00000000020E0000-0x000000000211C000-memory.dmpFilesize
240KB
-
memory/2844-168-0x0000000000400000-0x000000000045D000-memory.dmpFilesize
372KB
-
memory/2844-158-0x00000000020E0000-0x000000000211C000-memory.dmpFilesize
240KB
-
memory/2844-162-0x00000000020E0000-0x000000000211C000-memory.dmpFilesize
240KB
-
memory/2888-89-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/3020-153-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/3020-63-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/3020-53-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/3020-71-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/3020-67-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/3020-60-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/3020-57-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/3020-55-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/3036-80-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/3036-88-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/3036-93-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/3036-82-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/3036-95-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/3036-84-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/3036-94-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB