Analysis
  max time kernel: 149s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20240611-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 12-06-2024 07:31
Behavioral tasks
  behavioral1: sample 9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe, resource win7-20240508-en
  behavioral2: sample 9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe, resource win10v2004-20240611-en
General
  Target: 9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe
  Size: 406KB
  MD5: 9fe78f1f9f227b4d5f94300dd3ab1e84
  SHA1: 4b105d8f863866c091b0b93522c0f6b618d2a9f2
  SHA256: 9bb561f167b215e61d7ccb82eb32a1b4b6d5a559722c3f04f22f5c575ab09ff2
  SHA512: 38dfa5ae0b073cd6e46d29cbd3b1a141ee07d4fcb680d659b7df4e6c71cef146f38758c5675f3622525836e8cfc7a79ad2e4e683ab56a4ea8a633b6c328dd612
  SSDEEP: 6144:RQRkXzdNg2pmLdwlingfCJ2iIE6ToHCom0YwwR3EzxOBPpoeoCW7:eWpNgc0Bg/ZhTTLwcE8HW7
Malware Config
Signatures
ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (4 IoCs)
  Processes:
    resource                                                                       yara_rule
    behavioral2/memory/1376-24-0x0000000002DB0000-0x0000000002DBE000-memory.dmp    modiloader_stage2
    behavioral2/memory/344-28-0x0000000003BC0000-0x0000000003BCE000-memory.dmp     modiloader_stage2
    behavioral2/memory/1376-29-0x0000000000400000-0x0000000000412000-memory.dmp    modiloader_stage2
    behavioral2/memory/1376-47-0x0000000002DB0000-0x0000000002DBE000-memory.dmp    modiloader_stage2

ACProtect 1.3x - 1.4x DLL software (1 IoCs)
  Detects file using ACProtect software.
  Processes:
    resource                                                          yara_rule
    C:\Program Files\Common Files\microsoft shared\MSInfo\InfoMs.hk   acprotect

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes: 9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe
    description         ioc                                                                                                   process
    Key value queried   \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation   9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
  Processes: 521dnfAsist.exe, mydnf.exe
    pid    process
    344    521dnfAsist.exe
    4536   mydnf.exe

Loads dropped DLL (4 IoCs)
  Processes: 9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe, 521dnfAsist.exe
    pid    process
    1376   9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe
    1376   9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe
    344    521dnfAsist.exe
    344    521dnfAsist.exe

  Processes:
    resource                                                                       yara_rule
    C:\Program Files\Common Files\microsoft shared\MSInfo\InfoMs.hk                upx
    behavioral2/memory/1376-24-0x0000000002DB0000-0x0000000002DBE000-memory.dmp    upx
    behavioral2/memory/344-28-0x0000000003BC0000-0x0000000003BCE000-memory.dmp     upx
    behavioral2/memory/1376-47-0x0000000002DB0000-0x0000000002DBE000-memory.dmp    upx

Drops file in Program Files directory (1 IoCs)
  Processes: 9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe
    description    ioc                                                               process
    File created   C:\Program Files\Common Files\Microsoft Shared\MSINFO\InfoMs.hk   9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: 9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe, 521dnfAsist.exe
    pid    process
    1376   9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe
    344    521dnfAsist.exe
    344    521dnfAsist.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe
    description                        pid    process                                              target process
    PID 1376 wrote to memory of 344    1376   9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe   521dnfAsist.exe
    PID 1376 wrote to memory of 344    1376   9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe   521dnfAsist.exe
    PID 1376 wrote to memory of 344    1376   9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe   521dnfAsist.exe
    PID 1376 wrote to memory of 4536   1376   9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe   mydnf.exe
    PID 1376 wrote to memory of 4536   1376   9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe   mydnf.exe
    PID 1376 wrote to memory of 4536   1376   9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe   mydnf.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe"
    PID: 1376 (depth 1)
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\521dnfAsist.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\521dnfAsist.exe"
      PID: 344 (depth 2, child of PID 1376)
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\mydnf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\mydnf.exe"
      PID: 4536 (depth 2, child of PID 1376)
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
  C:\Program Files\Common Files\microsoft shared\MSInfo\InfoMs.hk
    Filesize: 12KB
    MD5: 86dacf8a30f76f2abc61c7a5d466b37f
    SHA1: 937a47e385440b6f54904921dfd41e4e81e112ca
    SHA256: bc626ccdbf16a48d1592505f7122684cab08ab8748b6d21988f0a0af81de9888
    SHA512: 38f7d6fe7a14f4164ecdf3aa4d24226b3a8aa83062df8c0eac5c213bc3c7b9598ee4eedfcd1d2f3a031f05923edb8e6fcc338d71fe28e37f9e6e5f407fbd949d

  C:\Users\Admin\AppData\Local\Temp\521dnfAsist.exe
    Filesize: 348KB
    MD5: 0f8b25646b0a0f19db13f3f0c4f547d8
    SHA1: fba6b858c78a209c9ce2dc7b0f686e432b9c5cf3
    SHA256: 0279f688b34890b53595025a988dc40d91fc108fd0fa44cd0730238ca6ab37c0
    SHA512: 1e479df57a0abfb65eddd1ce567ee1df053a48d764654cb306bc51e73557b285dba37a15ccc10072489ee9c2fc1ee673389634ce90dd040f2ad783a757b5a5a0

  C:\Users\Admin\AppData\Local\Temp\mydnf.exe
    Filesize: 15KB
    MD5: a24a6207dcf634e4389165a3f24af433
    SHA1: 3ad80297b6097bf386591884488493237cf3002b
    SHA256: fe9f40037b611e5c60711068b0115a463618ca90a33a8cfe13657dd95f77c1ca
    SHA512: 45c4d277d7ee824cc0b9c49ad556e7991a0385f462e9989835e8f8bf2664bd149065463ecb8d24d692eb62bba92e31061f6de924f1f99102f060251a2fa94b67

  memory/344-28-0x0000000003BC0000-0x0000000003BCE000-memory.dmp
    Filesize: 56KB

  memory/1376-24-0x0000000002DB0000-0x0000000002DBE000-memory.dmp
    Filesize: 56KB

  memory/1376-29-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize: 72KB

  memory/1376-47-0x0000000002DB0000-0x0000000002DBE000-memory.dmp
    Filesize: 56KB
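As an added worked example (not part of the sandbox report or the sandbox's own tooling), the following Python script turns two of the report's flattened records into structured data so they can be sanity-checked rather than read by eye: it parses the memory-dump artifact names into PID and virtual address range, recomputes each region size from the range and compares it with the listed Filesize, groups equal-sized regions across the parent and its children, and counts WriteProcessMemory events per source/target PID pair. The dump names, listed sizes and the WriteProcessMemory row are copied from this report; the regular expressions, the reading of the second number in a dump name as a per-run sequence counter, and the use of 0x400000 (the default 32-bit PE ImageBase) as a "likely main image" marker are assumptions made for the example.

```python
import re
from collections import Counter

# Memory-dump artifacts and the sizes the report lists for them (values copied
# from the report's Downloads section; the mapping itself is constructed here).
MEMORY_DUMPS = {
    "memory/344-28-0x0000000003BC0000-0x0000000003BCE000-memory.dmp": "56KB",
    "memory/1376-24-0x0000000002DB0000-0x0000000002DBE000-memory.dmp": "56KB",
    "memory/1376-29-0x0000000000400000-0x0000000000412000-memory.dmp": "72KB",
    "memory/1376-47-0x0000000002DB0000-0x0000000002DBE000-memory.dmp": "56KB",
}

# The flattened "Suspicious use of WriteProcessMemory" row, copied verbatim.
WPM_ROW = (
    "PID 1376 wrote to memory of 344 1376 9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe 521dnfAsist.exe "
    "PID 1376 wrote to memory of 344 1376 9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe 521dnfAsist.exe "
    "PID 1376 wrote to memory of 344 1376 9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe 521dnfAsist.exe "
    "PID 1376 wrote to memory of 4536 1376 9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe mydnf.exe "
    "PID 1376 wrote to memory of 4536 1376 9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe mydnf.exe "
    "PID 1376 wrote to memory of 4536 1376 9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe mydnf.exe"
)

# Assumed layout of a dump name: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# Assumed layout of one WriteProcessMemory record: description, pid, process, target process.
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)"
)

# Default ImageBase of a non-relocated 32-bit PE; used only as a labelling
# heuristic (assumption: the report does not state the sample's bitness).
X86_DEFAULT_IMAGE_BASE = 0x400000


def parse_dump_name(name):
    """Split a dump artifact name into PID, sequence number and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": start,
        "end": end,
        "size_bytes": end - start,
        "likely_main_image": start == X86_DEFAULT_IMAGE_BASE,
    }


def check_dump_sizes(dumps):
    """Recompute each region's size from its range and compare with the listed
    Filesize; the listing is in whole KB, so compare at KB granularity."""
    results = []
    for name, listed in dumps.items():
        info = parse_dump_name(name)
        computed_kb = info["size_bytes"] // 1024
        listed_kb = int(listed.rstrip("KB"))
        results.append({**info, "name": name, "listed_kb": listed_kb,
                        "computed_kb": computed_kb, "match": computed_kb == listed_kb})
    return results


def parse_wpm(row):
    """Count WriteProcessMemory events per (source PID, target PID) pair."""
    return Counter((int(m["src"]), int(m["dst"])) for m in WPM_RE.finditer(row))


def parse_wpm_names(row):
    """Map each PID in the row to the image name the report gives it."""
    names = {}
    for m in WPM_RE.finditer(row):
        names[int(m["src"])] = m["src_name"]
        names[int(m["dst"])] = m["dst_name"]
    return names


def same_sized_regions(dumps):
    """Group dumped (pid, start) pairs by region size: equal-sized regions in a
    writer and its target are the first thing to diff when a second stage is suspected."""
    by_size = {}
    for info in (parse_dump_name(n) for n in dumps):
        by_size.setdefault(info["size_bytes"], set()).add((info["pid"], info["start"]))
    return by_size


if __name__ == "__main__":
    for r in check_dump_sizes(MEMORY_DUMPS):
        flag = "main image?" if r["likely_main_image"] else ""
        print(f"pid {r['pid']:>5} 0x{r['start']:08X}-0x{r['end']:08X} "
              f"{r['computed_kb']}KB listed {r['listed_kb']}KB ok={r['match']} {flag}")
    names = parse_wpm_names(WPM_ROW)
    for (src, dst), n in parse_wpm(WPM_ROW).items():
        print(f"{src} ({names[src]}) -> {dst} ({names[dst]}): {n} writes")
    for size, regions in same_sized_regions(MEMORY_DUMPS).items():
        print(f"0x{size:X} bytes: {sorted(regions)}")
```

Two things the output makes visible that the flat tables do not: the 0xE000-byte region dumped from the parent (0x2DB0000, dumped twice) and from 521dnfAsist.exe (0x3BC0000) are the same size and both carry the modiloader_stage2 and upx rule hits, so they are the natural pair to compare when deciding whether the parent placed a stage into the child; and the three writes from PID 1376 to each of the two processes it launched are also what ordinary process creation produces, so the WriteProcessMemory signature on its own does not establish injection and should be read together with the process tree and the dumped regions.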