Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
10-05-2024 11:25
Behavioral task
behavioral1
Sample
2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe
-
Size
719KB
-
MD5
2edeb2ff18dbc657dfb2e8aa3fd9fbc8
-
SHA1
821705cee1712031bfea83c1673ec59c83fa6693
-
SHA256
e275e10bea80834252aea1b5dba9a817b278b5c4a6d0594b01b1605de0b66f79
-
SHA512
d8899f5f928ddb48396c8351c31a65a8627010ac466b4c47b8e8af7a2a529f26e499a50cebbf84a563e762f4b986543b343835d67ce1b802651bcceaed632733
-
SSDEEP
12288:Z9s0WkglhZbd1S2XgKsIpCGUy7tkEccMtXVuOdeTqlTKFbso:ZnOhZbd1SbnKayxFKVu72lTKF/
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 6 IoCs
Processes:
resource yara_rule C:\Program Files (x86)\Server.exe modiloader_stage2 behavioral2/memory/1260-9-0x0000000000400000-0x00000000007BB000-memory.dmp modiloader_stage2 behavioral2/memory/4660-10-0x0000000000400000-0x00000000007BB000-memory.dmp modiloader_stage2 behavioral2/memory/4660-13-0x0000000000400000-0x00000000007BB000-memory.dmp modiloader_stage2 behavioral2/memory/4660-18-0x0000000000400000-0x00000000007BB000-memory.dmp modiloader_stage2 behavioral2/memory/4660-21-0x0000000000400000-0x00000000007BB000-memory.dmp modiloader_stage2 -
Executes dropped EXE 1 IoCs
Processes:
Server.exepid process 4660 Server.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Server.exe = "C:\\Program Files (x86)\\Server.exe" 2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe -
Drops file in Program Files directory 3 IoCs
Processes:
2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exedescription ioc process File created C:\Program Files (x86)\Server.exe 2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Server.exe 2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe File created C:\Program Files (x86)\Delsx.bat 2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
Server.exedescription pid process Token: SeIncBasePriorityPrivilege 4660 Server.exe Token: SeIncBasePriorityPrivilege 4660 Server.exe Token: SeIncBasePriorityPrivilege 4660 Server.exe Token: SeIncBasePriorityPrivilege 4660 Server.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exedescription pid process target process PID 1260 wrote to memory of 4660 1260 2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe Server.exe PID 1260 wrote to memory of 4660 1260 2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe Server.exe PID 1260 wrote to memory of 4660 1260 2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe Server.exe PID 1260 wrote to memory of 1616 1260 2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe cmd.exe PID 1260 wrote to memory of 1616 1260 2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe cmd.exe PID 1260 wrote to memory of 1616 1260 2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Program Files (x86)\Server.exe"C:\Program Files (x86)\Server.exe" -k2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4660 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Delsx.bat""2⤵PID:1616
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3868 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:81⤵PID:4524
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Delsx.batFilesize
218B
MD5c180c739e96486267d2a4b547ef358f6
SHA1962691696b51120ad9118987f2876ec48fa40525
SHA256ee2b6a347d5aa3af3e18e46a61ccd0565b107e9736560bc21284da4c4e6adfba
SHA5121a411af0a545dfc36e3a93c7ce637eedd55ba8a85e2053201e359c7b43e631c9aa7e6da081620635b3cf82d06ba58c38af88a81f8d529dc24987d99d8a953a93
-
C:\Program Files (x86)\Server.exeFilesize
719KB
MD52edeb2ff18dbc657dfb2e8aa3fd9fbc8
SHA1821705cee1712031bfea83c1673ec59c83fa6693
SHA256e275e10bea80834252aea1b5dba9a817b278b5c4a6d0594b01b1605de0b66f79
SHA512d8899f5f928ddb48396c8351c31a65a8627010ac466b4c47b8e8af7a2a529f26e499a50cebbf84a563e762f4b986543b343835d67ce1b802651bcceaed632733
-
memory/1260-0-0x00000000026A0000-0x00000000026A1000-memory.dmpFilesize
4KB
-
memory/1260-9-0x0000000000400000-0x00000000007BB000-memory.dmpFilesize
3.7MB
-
memory/4660-5-0x0000000002450000-0x0000000002451000-memory.dmpFilesize
4KB
-
memory/4660-10-0x0000000000400000-0x00000000007BB000-memory.dmpFilesize
3.7MB
-
memory/4660-12-0x0000000002450000-0x0000000002451000-memory.dmpFilesize
4KB
-
memory/4660-13-0x0000000000400000-0x00000000007BB000-memory.dmpFilesize
3.7MB
-
memory/4660-18-0x0000000000400000-0x00000000007BB000-memory.dmpFilesize
3.7MB
-
memory/4660-21-0x0000000000400000-0x00000000007BB000-memory.dmpFilesize
3.7MB