Analysis
  max time kernel: 145s
  max time network: 104s
  platform: windows10-2004_x64
  resource: win10v2004-20240419-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 04-05-2024 05:01
Static task: static1

Behavioral task: behavioral1
  Sample: 118efcc13349720fda57911483211b02_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 118efcc13349720fda57911483211b02_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
  Target: 118efcc13349720fda57911483211b02_JaffaCakes118.exe
  Size: 368KB
  MD5: 118efcc13349720fda57911483211b02
  SHA1: 8d305040a3453a6ea2fefa81214840123ca623ec
  SHA256: 14445511f62011b381b70c70d3d816a6316368b560a5bd605e0fadb8d1d67918
  SHA512: 010341ea9f1564d864a6eee00170851933edefaa50413fda65cc482953850fa606dce478f235638ba13637f7b9332d457a3b5acad8f2f88168af9e97d16e6dc9
  SSDEEP: 6144:rpzihDNamsZbXSAcIs0o7TCV0sq2F9XDFOiwtXK/JOMp:dih0J8is0Q+V0eF9TFBYcp
Malware Config
  (none extracted)

Signatures

ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
    pid: 5580 | pid_target: 3660 | process: mshta.exe
ModiLoader Second Stage (10 IoCs)
  Processes (resource | yara_rule):
    behavioral2/memory/5460-15-0x0000000000400000-0x0000000000439000-memory.dmp | modiloader_stage2
    behavioral2/memory/5460-16-0x0000000000400000-0x0000000000439000-memory.dmp | modiloader_stage2
    behavioral2/memory/5460-17-0x0000000000400000-0x0000000000439000-memory.dmp | modiloader_stage2
    behavioral2/memory/5460-18-0x0000000000790000-0x0000000000864000-memory.dmp | modiloader_stage2
    behavioral2/memory/5460-19-0x0000000000790000-0x0000000000864000-memory.dmp | modiloader_stage2
    behavioral2/memory/5460-20-0x0000000000790000-0x0000000000864000-memory.dmp | modiloader_stage2
    behavioral2/memory/5460-21-0x0000000000790000-0x0000000000864000-memory.dmp | modiloader_stage2
    behavioral2/memory/5460-22-0x0000000000790000-0x0000000000864000-memory.dmp | modiloader_stage2
    behavioral2/memory/5460-23-0x0000000000790000-0x0000000000864000-memory.dmp | modiloader_stage2
    behavioral2/memory/5460-24-0x0000000000790000-0x0000000000864000-memory.dmp | modiloader_stage2
Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation | mshta.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation | 118efcc13349720fda57911483211b02_JaffaCakes118.exe
Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    5560 | 0.exe
    5460 | 0.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
    368 | powershell.exe
    368 | powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 368 | powershell.exe
Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description | pid | process | target process), repeated events collapsed with counts:
    PID 1248 wrote to memory of 2632 | 1248 | 118efcc13349720fda57911483211b02_JaffaCakes118.exe | 118efcc13349720fda57911483211b02_JaffaCakes118.exe (8 events)
    PID 2632 wrote to memory of 5560 | 2632 | 118efcc13349720fda57911483211b02_JaffaCakes118.exe | 0.exe (3 events)
    PID 5560 wrote to memory of 5460 | 5560 | 0.exe | 0.exe (9 events)
    PID 5580 wrote to memory of 368 | 5580 | mshta.exe | powershell.exe (3 events)
Processes

C:\Users\Admin\AppData\Local\Temp\118efcc13349720fda57911483211b02_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\118efcc13349720fda57911483211b02_JaffaCakes118.exe"
  PID: 1248
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\118efcc13349720fda57911483211b02_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\118efcc13349720fda57911483211b02_JaffaCakes118.exe"
    PID: 2632
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\0.exe
      "C:\Users\Admin\AppData\Local\Temp\0.exe"
      PID: 5560
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\0.exe
        "C:\Users\Admin\AppData\Local\Temp\0.exe"
        PID: 5460
        - Executes dropped EXE

C:\Windows\system32\mshta.exe
  "C:\Windows\system32\mshta.exe" javascript:AM2oavZ="7WjjRva";l90w=new%20ActiveXObject("WScript.Shell");v4npkom="ObabN08Wb";A7TS3a=l90w.RegRead("HKLM\\software\\Wow6432Node\\MqUTd79k\\Wu2YCd");r6QXQ1Ow="onN8QV";eval(A7TS3a);MCU9XrO="Vg74pacu";
  PID: 5580
  - Process spawned unexpected child process
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:xptba
    PID: 368
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 296KB
  MD5: 4ed6da10001dec308a436038ff943b89
  SHA1: 290d3118fb3c2f256c3c533fcddd8c413f65debb
  SHA256: f1bb7c9bebc9b1fc7a4cb115c108fd30af91e28c6bca6af13fedf86556c1044f
  SHA512: 1b47b8161854fd7e15c169ead50edd4900c68a018eb30bb476e21101e94b06220aa2c41d650fe8acada2e70e0c1dd5822222ebdce2c16aedb46073c129e66749

File 2
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82