Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
14-05-2024 22:01
Static task
static1
Behavioral task
behavioral1
Sample
433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe
-
Size
931KB
-
MD5
433dd4dce13e86688a3af13686c84d1c
-
SHA1
69ceb568484e6436b50b067f041f383acab22870
-
SHA256
bc64ad45f156496dab5f38b4d6810dd3276ccb43a639e979fa2a71f370f78aad
-
SHA512
45f933fd991bfedaab8b1fd19d41e22432f328abb5606aa04dc9cff43bf088fc1a674c156be95bd0aa452334b96e6ab6cd1105431abd27e6d03bbaa42aef47d7
-
SSDEEP
24576:LQgPByJzhAfD7MjzlR7W/BdT5r4fPn9OvRSWz4r:LQgZ0z0MjHC/Bdu39OvAWz+
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader First Stage 2 IoCs
Processes:
resource yara_rule behavioral1/memory/2700-25-0x0000000000400000-0x0000000000459000-memory.dmp modiloader_stage1 behavioral1/memory/2700-26-0x0000000000400000-0x0000000000459000-memory.dmp modiloader_stage1 -
Drops startup file 1 IoCs
Processes:
lsass.comdescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cghost.url lsass.com -
Executes dropped EXE 2 IoCs
Processes:
lsass.comlsass.compid process 1208 lsass.com 2652 lsass.com -
Loads dropped DLL 2 IoCs
Processes:
cmd.exelsass.compid process 2204 cmd.exe 1208 lsass.com -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
lsass.comdescription pid process target process PID 2652 set thread context of 2700 2652 lsass.com ipconfig.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exepid process 2700 ipconfig.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
lsass.compid process 2652 lsass.com -
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
lsass.comlsass.compid process 1208 lsass.com 1208 lsass.com 1208 lsass.com 2652 lsass.com 2652 lsass.com 2652 lsass.com -
Suspicious use of SendNotifyMessage 6 IoCs
Processes:
lsass.comlsass.compid process 1208 lsass.com 1208 lsass.com 1208 lsass.com 2652 lsass.com 2652 lsass.com 2652 lsass.com -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.execmd.exelsass.comlsass.comdescription pid process target process PID 2988 wrote to memory of 2204 2988 433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe cmd.exe PID 2988 wrote to memory of 2204 2988 433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe cmd.exe PID 2988 wrote to memory of 2204 2988 433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe cmd.exe PID 2988 wrote to memory of 2204 2988 433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe cmd.exe PID 2204 wrote to memory of 2808 2204 cmd.exe certutil.exe PID 2204 wrote to memory of 2808 2204 cmd.exe certutil.exe PID 2204 wrote to memory of 2808 2204 cmd.exe certutil.exe PID 2204 wrote to memory of 2808 2204 cmd.exe certutil.exe PID 2204 wrote to memory of 1208 2204 cmd.exe lsass.com PID 2204 wrote to memory of 1208 2204 cmd.exe lsass.com PID 2204 wrote to memory of 1208 2204 cmd.exe lsass.com PID 2204 wrote to memory of 1208 2204 cmd.exe lsass.com PID 1208 wrote to memory of 2652 1208 lsass.com lsass.com PID 1208 wrote to memory of 2652 1208 lsass.com lsass.com PID 1208 wrote to memory of 2652 1208 lsass.com lsass.com PID 1208 wrote to memory of 2652 1208 lsass.com lsass.com PID 2204 wrote to memory of 2680 2204 cmd.exe PING.EXE PID 2204 wrote to memory of 2680 2204 cmd.exe PING.EXE PID 2204 wrote to memory of 2680 2204 cmd.exe PING.EXE PID 2204 wrote to memory of 2680 2204 cmd.exe PING.EXE PID 2652 wrote to memory of 2700 2652 lsass.com ipconfig.exe PID 2652 wrote to memory of 2700 2652 lsass.com ipconfig.exe PID 2652 wrote to memory of 2700 2652 lsass.com ipconfig.exe PID 2652 wrote to memory of 2700 2652 lsass.com ipconfig.exe PID 2652 wrote to memory of 2700 2652 lsass.com ipconfig.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c <nul set /p ="M" > lsass.com & type ffXi.com >> lsass.com & del ffXi.com & certutil -decode adCt.com R & lsass.com R & ping 127.0.0.1 -n 202⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\certutil.execertutil -decode adCt.com R3⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lsass.comlsass.com R3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lsass.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lsass.com R4⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\SysWOW64\ipconfig.exe"5⤵
- Gathers network information
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 203⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RFilesize
250KB
MD553a116d2b8ab11b92b293b4ad18cc523
SHA1a4726d5f751271a8ef9f50c343249b3e97f91cc8
SHA256f49fd869ebc412d9bd65b96330652ff1aea58d287a06f6b5c8a02ba442fd4d22
SHA512e8f3eac4532041823b0362d84d591ce815aa55090d44ed18ac567ba17559b051e5b0c6d66ce6b0af2b22c11d90289cf96855ca51abcb4c5d5297fd7ce656e6fc
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\adCt.comFilesize
344KB
MD5608d98351812a3c2c73b94a6f5bef048
SHA1edbdd9e0608abc2abf531bb42423a68a22349bd8
SHA2564a17468fec26c6b95fd7d2365eae99cbc875ac5d0b34cbeff373b2ca15238884
SHA512e24874e67f15d04ab8594591c92236d93a2f2212002ca3354ca8fbeedd90b524737f8603837c1858d19505b1b85edd8809cd1d6a3f263043740aecf042b34a40
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bzYfp.comFilesize
332KB
MD5340f2664d7956a753d8ea2fa5c0044ff
SHA10134773b0534c94f62edea2302d0efe020addc25
SHA256956eba9bc654807eaaf15438024f0485d62fa35fcaabfe1bcc8fbf6668275c63
SHA5123e9dae031e34a33aed97a1b331748a2bdf99862e13f94057aa8d32986e0db9748592300ca3639fe3f36fd439768510b7ea587775faa89991ff79eeda2e6e2997
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ffXi.comFilesize
872KB
MD5d86ab2aeeac2553c7857ece4492eda5d
SHA10828db56b556f3f0486a9de9d2c728216035e8e6
SHA2568861365fb619dbb90da0027db93d041681c30deb93071ec588121a8f8ba08436
SHA5128c0154d80fb47ea5225816e95db0126d02950f0ec7909a68205ee67a0d1c4dbff971933ee5ba0307c24658ce52400e144cde720e514acf3024fbdb2505345cfe
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\lsass.comFilesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
memory/2700-25-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/2700-26-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB