Analysis
- max time kernel: 140s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-06-2024 21:12
Behavioral task behavioral1
- Sample: 00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe
- Size: 725KB
- MD5: 00847a86f1a44be5289bb40835a2691a
- SHA1: 2187da3685b422c84704dadec0329041c21be0d7
- SHA256: 19406ad720fb45336138b85ee6c86fcdd27890ac3ffc814228a2bbe1d1d79d11
- SHA512: 96bd9d87ad0f8929cf55d6d420ccfaf3a15446f83c3aec68cb50ee864bb98be95257013f7e0b531e9a6076af9d97b90adceca70703e992f523d7c6995bf3f050
- SSDEEP: 12288:ItS5RTQ7aT7YilhjzAF4gv6tLbAfyI0xkaa+5jqJeAT9gH:4c22T7BRS46kbAfyWMjqMATCH
Malware Config
Signatures
- ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (2 IoCs)
Processes (resource matched, yara_rule):
  - behavioral2/memory/4948-2-0x0000000000C50000-0x0000000000D0C000-memory.dmp (modiloader_stage2)
  - behavioral2/memory/4776-3-0x0000000000400000-0x00000000004BC000-memory.dmp (modiloader_stage2)
- Suspicious use of SetThreadContext (1 IoC)
Processes: 00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe
  - PID 4776 (00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe) set thread context of PID 4948 (target process IEXPLORE.EXE)
- Drops file in Windows directory (1 IoC)
Processes: 00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe
  - File created: C:\Windows\FieleWay.txt (process 00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe)
- Modifies Internet Explorer settings
Processes: IEXPLORE.EXE, IEXPLORE.EXE (registry keys created and values set under \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer)
- Suspicious use of FindShellTrayWindow (1 IoC)
Processes: IEXPLORE.EXE
  - PID 4948 IEXPLORE.EXE
- Suspicious use of SetWindowsHookEx (6 IoCs)
Processes: IEXPLORE.EXE, IEXPLORE.EXE
  - PID 4948 IEXPLORE.EXE
  - PID 4948 IEXPLORE.EXE
  - PID 2996 IEXPLORE.EXE
  - PID 2996 IEXPLORE.EXE
  - PID 2996 IEXPLORE.EXE
  - PID 2996 IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe, IEXPLORE.EXE
  - PID 4776 (00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe) wrote to memory of PID 4948 (target process IEXPLORE.EXE)
  - PID 4776 (00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe) wrote to memory of PID 4948 (target process IEXPLORE.EXE)
  - PID 4776 (00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe) wrote to memory of PID 4948 (target process IEXPLORE.EXE)
  - PID 4948 (IEXPLORE.EXE) wrote to memory of PID 2996 (target process IEXPLORE.EXE)
  - PID 4948 (IEXPLORE.EXE) wrote to memory of PID 2996 (target process IEXPLORE.EXE)
  - PID 4948 (IEXPLORE.EXE) wrote to memory of PID 2996 (target process IEXPLORE.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\program files\internet explorer\IEXPLORE.EXE
    Command line: "C:\program files\internet explorer\IEXPLORE.EXE"
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4948 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 (471B)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 (404B)
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verE36B.tmp (15KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GU2A83AM\suggestions[1].en-US (17KB)
- memory/4776-0-0x0000000002490000-0x0000000002491000-memory.dmp (4KB)
- memory/4776-3-0x0000000000400000-0x00000000004BC000-memory.dmp (752KB)
- memory/4948-2-0x0000000000C50000-0x0000000000D0C000-memory.dmp (752KB)