Analysis
- max time kernel: 140s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-06-2024 23:08
Behavioral task behavioral1
- Sample: 0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task behavioral2
- Sample: 0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe
- Size: 739KB
- MD5: 0110f4501ad87e14e01626f24a28358c
- SHA1: fe170c9aa972201cfac09083998e69de52f2a208
- SHA256: c904070b30dfb20429637044e4dbfd0d1330094934552847fa79fb16122eda7f
- SHA512: e29b63c4379217cf40491d194fee85e962a0ab36e9ad604c32a1a05c2fbc41b0ef827dbf5d6a9578836e19ac20ecfc9efff40087db5b4565f2e876bab4739c8f
- SSDEEP: 12288:bPLu4uxlc+OgHdJ4b+Mrc6vu50rtHPGg43r4dm/PKGPwtvRnnTxsMxD:bPi1usJ4CMrnu5Kug4bowGtZnTxskD
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 5 IoCs
Resource / yara_rule:
- F:\rejoice101.exe: modiloader_stage2
- behavioral2/memory/4376-17-0x0000000000400000-0x00000000004C0000-memory.dmp: modiloader_stage2
- behavioral2/memory/4112-19-0x0000000000D00000-0x0000000000DC0000-memory.dmp: modiloader_stage2
- behavioral2/memory/4972-23-0x0000000000400000-0x00000000004C0000-memory.dmp: modiloader_stage2
- behavioral2/memory/852-22-0x0000000000400000-0x00000000004C0000-memory.dmp: modiloader_stage2
Executes dropped EXE 1 IoCs
Processes: rejoice101.exe
- pid 852: rejoice101.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe
- File opened (read-only) by 0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe, one IoC per drive root: \??\B:, \??\O:, \??\T:, \??\V:, \??\W:, \??\Z:, \??\M:, \??\S:, \??\E:, \??\G:, \??\H:, \??\J:, \??\X:, \??\A:, \??\I:, \??\K:, \??\L:, \??\N:, \??\P:, \??\Q:, \??\R:, \??\U:, \??\Y:
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: 0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe
- File created C:\AutoRun.inf (0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe)
- File opened for modification C:\AutoRun.inf (0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe)
- File created F:\AutoRun.inf (0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe)
- File opened for modification F:\AutoRun.inf (0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe)
Drops file in System32 directory 2 IoCs
Processes: rejoice101.exe
- File created C:\Windows\SysWOW64\_rejoice101.exe (rejoice101.exe)
- File opened for modification C:\Windows\SysWOW64\_rejoice101.exe (rejoice101.exe)
Suspicious use of SetThreadContext 2 IoCs
Processes: rejoice101.exe
- PID 852 set thread context of 4376: rejoice101.exe -> calc.exe
- PID 852 set thread context of 4112: rejoice101.exe -> IEXPLORE.EXE
Drops file in Program Files directory 3 IoCs
Processes: 0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe
- File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\DeletSev.bat (0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe)
- File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe (0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe)
- File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe (0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe)
Program crash 1 IoCs
Processes: WerFault.exe
- pid 936 (WerFault.exe), target pid 4376 (calc.exe)
Modifies Internet Explorer settings
Processes: IEXPLORE.EXE, IEXPLORE.EXE
All entries below were performed by IEXPLORE.EXE:
- Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\
- Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"
- Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31113885"
- Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"
- Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive
- Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D0BF243E-2E90-11EF-90FA-66F8B04B242D} = "0"
- Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31113885"
- Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\DomainSuggestion
- Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery
- Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\VersionManager
- Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"
- Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31113885"
- Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\VersionManager
- Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames
- Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main
- Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main
- Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2770439014"
- Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425603473"
- Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
- Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"
- Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2770439014"
- Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"
- Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
- Set value (data) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
- Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""
- Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion
- Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\
- Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"
- Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\GPU
- Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2773564458"
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: IEXPLORE.EXE
- pid 4112: IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs
Processes: IEXPLORE.EXE, IEXPLORE.EXE
- pid 4112: IEXPLORE.EXE
- pid 4112: IEXPLORE.EXE
- pid 4628: IEXPLORE.EXE
- pid 4628: IEXPLORE.EXE
- pid 4628: IEXPLORE.EXE
- pid 4628: IEXPLORE.EXE
Suspicious use of WriteProcessMemory 17 IoCs
Processes: 0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe, rejoice101.exe, IEXPLORE.EXE
- PID 4972 wrote to memory of 852: 0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe -> rejoice101.exe
- PID 4972 wrote to memory of 852: 0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe -> rejoice101.exe
- PID 4972 wrote to memory of 852: 0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe -> rejoice101.exe
- PID 852 wrote to memory of 4376: rejoice101.exe -> calc.exe
- PID 852 wrote to memory of 4376: rejoice101.exe -> calc.exe
- PID 852 wrote to memory of 4376: rejoice101.exe -> calc.exe
- PID 852 wrote to memory of 4376: rejoice101.exe -> calc.exe
- PID 852 wrote to memory of 4376: rejoice101.exe -> calc.exe
- PID 852 wrote to memory of 4112: rejoice101.exe -> IEXPLORE.EXE
- PID 852 wrote to memory of 4112: rejoice101.exe -> IEXPLORE.EXE
- PID 852 wrote to memory of 4112: rejoice101.exe -> IEXPLORE.EXE
- PID 4972 wrote to memory of 2104: 0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe -> cmd.exe
- PID 4972 wrote to memory of 2104: 0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe -> cmd.exe
- PID 4972 wrote to memory of 2104: 0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe -> cmd.exe
- PID 4112 wrote to memory of 4628: IEXPLORE.EXE -> IEXPLORE.EXE
- PID 4112 wrote to memory of 4628: IEXPLORE.EXE -> IEXPLORE.EXE
- PID 4112 wrote to memory of 4628: IEXPLORE.EXE -> IEXPLORE.EXE
Processes (process tree; nesting shows parent/child relationships)
- C:\Users\Admin\AppData\Local\Temp\0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe"
  Signatures:
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
    Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe"
    Signatures:
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\calc.exe
      Command line: "C:\Windows\system32\calc.exe"
      Child processes:
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 12
        Signatures:
        - Program crash
    - C:\program files\internet explorer\IEXPLORE.EXE
      Command line: "C:\program files\internet explorer\IEXPLORE.EXE"
      Signatures:
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4112 CREDAT:17410 /prefetch:2
        Signatures:
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\DeletSev.bat""
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4376 -ip 4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4208,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=3948 /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\DeletSev.bat
  Filesize: 212B
  MD5: d6f59ed1b70d3e10dbd4d65ae19a4fcb
  SHA1: c3fae3d8d2b122bcb5adb0ae0b9e711283c9870c
  SHA256: dd65d82e424df12587bfc274eb6863b1510a2b25707f7fd514aad83c6972fb40
  SHA512: 76f978809ae4738b65ed4786b3fa36ae08e6a1e323c5b1718ae9265e652bb24afa26af804cfd9611f4e88340c7fe72abce89a8ad715930532e1fc869a48392f3
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QZRYTBAT\suggestions[1].en-US
  Filesize: 17KB
  MD5: 5a34cb996293fde2cb7a4ac89587393a
  SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
- F:\rejoice101.exe
  Filesize: 739KB
  MD5: 0110f4501ad87e14e01626f24a28358c
  SHA1: fe170c9aa972201cfac09083998e69de52f2a208
  SHA256: c904070b30dfb20429637044e4dbfd0d1330094934552847fa79fb16122eda7f
  SHA512: e29b63c4379217cf40491d194fee85e962a0ab36e9ad604c32a1a05c2fbc41b0ef827dbf5d6a9578836e19ac20ecfc9efff40087db5b4565f2e876bab4739c8f
- memory/852-16-0x0000000002130000-0x0000000002131000-memory.dmp
  Filesize: 4KB
- memory/852-22-0x0000000000400000-0x00000000004C0000-memory.dmp
  Filesize: 768KB
- memory/4112-19-0x0000000000D00000-0x0000000000DC0000-memory.dmp
  Filesize: 768KB
- memory/4376-17-0x0000000000400000-0x00000000004C0000-memory.dmp
  Filesize: 768KB
- memory/4972-0-0x0000000002110000-0x0000000002111000-memory.dmp
  Filesize: 4KB
- memory/4972-23-0x0000000000400000-0x00000000004C0000-memory.dmp
  Filesize: 768KB