Analysis
max time kernel: 139s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-06-2024 19:00
Behavioral task behavioral1
Sample: 0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
Resource: win7-20240220-en
Behavioral task behavioral2
Sample: 0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
Resource: win10v2004-20240611-en
The results on this page (platform windows10-2004_x64, memory resources prefixed behavioral2/) are from the behavioral2 run; the Windows 7 run is not shown here.
General
Target: 0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
Size: 735KB
MD5: 0011ab6aa3a9e60818f1f9ed52ad2ba4
SHA1: 2f02682435f4cca4db253ce5cf62681e1fcdaac4
SHA256: dc9b0fde10b71811649cacff9df5f4dd3ae6bdad9c0a15a61a08307b3ef85ae9
SHA512: 6dca42276c2f2e4a5f572cb0ce99641a134a7b19f0a8bb4e319f23bf5aca7deccfcb5090a150f041b6b55324a590d29dc76e5a6b698c1e77cc6a52a67eda40d0
SSDEEP: 12288:LmX53uzH4EDA3IVOT7kb66rQ8DOs+BPWx7u+88YwXThK:Lm5mH4HIVOT7y6n2KBqC3wXTs
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage (3 IoCs)
resource                                                                     yara_rule
F:\WINSYS.exe                                                                modiloader_stage2
behavioral2/memory/1396-16-0x0000000000400000-0x00000000004BF000-memory.dmp  modiloader_stage2
behavioral2/memory/3748-18-0x0000000000400000-0x00000000004BF000-memory.dmp  modiloader_stage2
The two memory resources are the same 0x400000-0x4BF000 image region (764KB) in the submitted sample (PID 3748) and in the dropped WINSYS.exe (PID 1396); the rule also hits the on-disk copy at F:\WINSYS.exe.
Executes dropped EXE (1 IoC)
pid   process
1396  WINSYS.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)
process: 0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
ioc (23 drive roots, every letter except C:, D: and F:): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Drops autorun.inf file (1 TTP, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description                   ioc             process
File created                  C:\AutoRun.inf  0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened for modification  C:\AutoRun.inf  0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File created                  F:\AutoRun.inf  0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened for modification  F:\AutoRun.inf  0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
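The two signatures above ("Enumerates connected drives" and "Drops autorun.inf file") and the System32 drop check that follows are all simple pattern counts over file events. The Python below re-implements that logic over event lines copied from this report's IoC tables (a subset of the 23 drive-open events is enough). It is an added example, not Triage's own code; the threshold of three drive roots, the function names and the regexes are this example's choices.

```python
import re
from collections import defaultdict

# Event lines in the report's "description ioc process" form, copied from the
# tables above. Only six of the 23 drive-root opens are kept for brevity.
SAMPLE = "0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe"
EVENTS = r"""
File opened (read-only) \??\X: 0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only) \??\N: 0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only) \??\P: 0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only) \??\S: 0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only) \??\U: 0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only) \??\A: 0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened for modification C:\AutoRun.inf 0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File created F:\AutoRun.inf 0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened for modification F:\AutoRun.inf 0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File created C:\AutoRun.inf 0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File created C:\Windows\SysWOW64\WINSYS.exe 0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\WINSYS.exe WINSYS.exe
File created C:\Windows\SysWOW64\SgotoDel.bat 0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
"""

EVENT_RE = re.compile(
    r"^(File opened \(read-only\)|File opened for modification|File created) (\S+) (\S+)$"
)
# \??\X:  is the NT object-manager path of a drive root, which is what the
# sandbox logs when a process opens a volume rather than a file on it.
DRIVE_ROOT_RE = re.compile(r"^\\\?\?\\([A-Z]):$")
# <drive>:\AutoRun.inf in any letter case (the file name is case-insensitive on NTFS).
AUTORUN_RE = re.compile(r"^([A-Z]):\\autorun\.inf$", re.I)
# A file directly under System32 or its WOW64 twin.
SYSTEM32_RE = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\[^\\]+$", re.I)


def parse_events(text):
    """Turn the report's event lines into (action, path, process) tuples."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def drives_enumerated(events, min_drives=3, default_drive="C"):
    """Per process, the sorted drive letters it opened as roots, excluding the
    default drive; only processes touching at least min_drives roots are kept.
    The threshold is this example's assumption, not the sandbox's."""
    roots = defaultdict(set)
    for _action, path, proc in events:
        m = DRIVE_ROOT_RE.match(path)
        if m and m.group(1) != default_drive:
            roots[proc].add(m.group(1))
    return {p: sorted(d) for p, d in roots.items() if len(d) >= min_drives}


def autorun_drops(events):
    """(process, drive letter) pairs where a process created or wrote <drive>:\\AutoRun.inf."""
    hits = set()
    for action, path, proc in events:
        m = AUTORUN_RE.match(path)
        if m and action in ("File created", "File opened for modification"):
            hits.add((proc, m.group(1).upper()))
    return sorted(hits)


def system32_drops(events):
    """(process, path) pairs for files created directly in System32/SysWOW64."""
    return sorted({(proc, path) for action, path, proc in events
                   if action == "File created" and SYSTEM32_RE.match(path)})


if __name__ == "__main__":
    evts = parse_events(EVENTS)
    print("drives:", drives_enumerated(evts))
    print("autorun:", autorun_drops(evts))
    print("system32:", system32_drops(evts))
```

Run against the full 23-row table the drive check reports every letter except C:, D: and F:; the F: root never appears as a read-only open in the report, yet F:\AutoRun.inf and F:\WINSYS.exe are written there, so a detection that keys only on root opens would miss the one volume that actually got infected.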
Drops file in System32 directory (4 IoCs)
description                   ioc                               process
File created                  C:\Windows\SysWOW64\WINSYS.exe    0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\WINSYS.exe    0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\WINSYS.exe    WINSYS.exe
File created                  C:\Windows\SysWOW64\SgotoDel.bat  0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (6 IoCs)
source pid  source process                                       target pid  target process  count
3748        0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe   1396        WINSYS.exe      3
3748        0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe   712         cmd.exe         3
Both targets are child processes the sample itself launches (see the process tree below), so these writes line up with process creation rather than with injection into an unrelated, pre-existing process.
Processes
C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe"
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WINSYS.exe
    command line: C:\Windows\system32\WINSYS.exe
    - Executes dropped EXE
    - Drops file in System32 directory
  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\SgotoDel.bat
The command lines say system32 while the image paths resolve to C:\Windows\SysWOW64: that is WOW64 file-system redirection, which only applies to 32-bit processes, so the sample runs as a 32-bit image and its dropped WINSYS.exe and SgotoDel.bat land in SysWOW64.
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Windows\SysWOW64\SgotoDel.bat
Filesize: 212B
MD5: 5b053b7070308a45bd73a0dec287e9a5
SHA1: e0d0d334e01600823acab55ba2a2fae361628222
SHA256: 977cc3a8e8af5da50b463841f7b8ce81dd05b07ed7959b98dde00d70cd293097
SHA512: 64c1778e97d4a3f39f26b5bd82d7e4bfbf038cd61a7a2c766d3a77c8872703b53619c7a70d9948416e899fd2845d22b9487f52e153f824942b599c5ed5171880
F:\WINSYS.exe
Filesize: 735KB
MD5: 0011ab6aa3a9e60818f1f9ed52ad2ba4
SHA1: 2f02682435f4cca4db253ce5cf62681e1fcdaac4
SHA256: dc9b0fde10b71811649cacff9df5f4dd3ae6bdad9c0a15a61a08307b3ef85ae9
SHA512: 6dca42276c2f2e4a5f572cb0ce99641a134a7b19f0a8bb4e319f23bf5aca7deccfcb5090a150f041b6b55324a590d29dc76e5a6b698c1e77cc6a52a67eda40d0
Size and all four hashes are identical to the submitted sample (see General), so F:\WINSYS.exe is a byte-for-byte self-copy placed on the attached volume next to F:\AutoRun.inf; blocking the sample's hash already covers it, and SgotoDel.bat is the only new file hash in this run.
memory/1396-14-0x00000000007A0000-0x00000000007A1000-memory.dmp
Filesize: 4KB
memory/1396-16-0x0000000000400000-0x00000000004BF000-memory.dmp
Filesize: 764KB
memory/3748-0-0x0000000002340000-0x0000000002341000-memory.dmp
Filesize: 4KB
memory/3748-18-0x0000000000400000-0x00000000004BF000-memory.dmp
Filesize: 764KB
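The Downloads entries above arrive flattened (the algorithm name is glued to its digest, as in MD55b053b..., which is ambiguous for SHA1 digests that begin with a digit), and one dropped file, F:\WINSYS.exe, carries exactly the sample's own hashes. The Python below, added here and not part of the report, parses that flattened form by trying the longer algorithm names first and checking each digest's length, then separates self-copies of the sample from artifacts that deserve their own IoC entry. The entries and SAMPLE_HASHES are copied from this report; the function names and labels are this example's choices.

```python
import re

# Hashes of the submitted sample, copied from the General section of the report.
SAMPLE_HASHES = {
    "MD5": "0011ab6aa3a9e60818f1f9ed52ad2ba4",
    "SHA1": "2f02682435f4cca4db253ce5cf62681e1fcdaac4",
    "SHA256": "dc9b0fde10b71811649cacff9df5f4dd3ae6bdad9c0a15a61a08307b3ef85ae9",
}

# The Downloads section exactly as the page flattens it (three of its entries).
DOWNLOADS = r"""
C:\Windows\SysWOW64\SgotoDel.batFilesize
212B
MD55b053b7070308a45bd73a0dec287e9a5
SHA1e0d0d334e01600823acab55ba2a2fae361628222
SHA256977cc3a8e8af5da50b463841f7b8ce81dd05b07ed7959b98dde00d70cd293097
SHA51264c1778e97d4a3f39f26b5bd82d7e4bfbf038cd61a7a2c766d3a77c8872703b53619c7a70d9948416e899fd2845d22b9487f52e153f824942b599c5ed5171880
-
F:\WINSYS.exeFilesize
735KB
MD50011ab6aa3a9e60818f1f9ed52ad2ba4
SHA12f02682435f4cca4db253ce5cf62681e1fcdaac4
SHA256dc9b0fde10b71811649cacff9df5f4dd3ae6bdad9c0a15a61a08307b3ef85ae9
SHA5126dca42276c2f2e4a5f572cb0ce99641a134a7b19f0a8bb4e319f23bf5aca7deccfcb5090a150f041b6b55324a590d29dc76e5a6b698c1e77cc6a52a67eda40d0
-
memory/1396-16-0x0000000000400000-0x00000000004BF000-memory.dmpFilesize
764KB
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longest names first: "SHA12f02..." must be read as SHA1 + "2f02...", and
# "SHA5126dca..." as SHA512 + "6dca...". The length check below catches any
# remaining mis-split, rather than silently storing a wrong digest.
HASH_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")
NAME_RE = re.compile(r"^(.+)Filesize$")


def parse_downloads(text):
    """Parse the flattened Downloads block into a list of dicts with name, size and hashes."""
    entries, cur = [], None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line in ("", "-"):
            continue
        m = NAME_RE.match(line)
        if m:
            cur = {"name": m.group(1), "size": None}
            entries.append(cur)
            continue
        if cur is None:
            raise ValueError(f"data before any entry name: {line!r}")
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest of wrong length in {cur['name']}: {line!r}")
            cur[algo] = digest
        elif cur["size"] is None:
            cur["size"] = line          # the line after "<name>Filesize" is the size
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return entries


def classify(entries, sample):
    """Label each entry: a byte-identical copy of the submitted sample, a new
    artifact, or a memory dump (the report lists no hashes for those)."""
    out = {}
    for e in entries:
        if e["name"].startswith("memory/"):
            out[e["name"]] = "memory dump"
        elif all(e.get(algo) == digest for algo, digest in sample.items()):
            out[e["name"]] = "self-copy of sample"
        else:
            out[e["name"]] = "new artifact"
    return out


def new_iocs(entries, sample):
    """SHA256 values worth adding to a blocklist beyond the sample's own hash."""
    return sorted({e["SHA256"] for e in entries
                   if "SHA256" in e and e["SHA256"] != sample["SHA256"]})


if __name__ == "__main__":
    parsed = parse_downloads(DOWNLOADS)
    for name, label in classify(parsed, SAMPLE_HASHES).items():
        print(f"{label:22s} {name}")
    print("new IoCs:", new_iocs(parsed, SAMPLE_HASHES))
```

Comparing on every hash the General section lists, not just MD5, is deliberate: an MD5 match alone is not proof of identity, and a dropper that re-packs its payload would differ on all of them anyway.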