Analysis
max time kernel: 143s
max time network: 125s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 21:36
Static task: static1
Behavioral task: behavioral1
  Sample: 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
Size: 636KB
MD5: 097d297d04200e1094a2ca5694303587
SHA1: ffae1a3f4e314d6f7783fff3b70ba638e8653131
SHA256: 09fa9e5b270fb1e33ade2295bd56dd00194013f5b42e8618ed8eb733798290ef
SHA512: d1238e5430360f83ad8c32527657e819af356d5ac8fd6f958a3751ca0d8cf6b754b95f352d658dd1da7596a13aed8f8a74269ef676366281b62002b24b57d604
SSDEEP: 12288:LJkV9+yzCWv4nS+MPxcnc5g/ftF3Z4mxxz7Zm1jGmYae4mrRO:VSBrvRDPyc5g3tQmXzlmlGmI4
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1672-50-0x0000000000400000-0x000000000051D000-memory.dmp | modiloader_stage2
behavioral1/memory/2664-54-0x0000000000400000-0x000000000051D000-memory.dmp | modiloader_stage2
behavioral1/memory/1672-69-0x0000000000400000-0x000000000051D000-memory.dmp | modiloader_stage2

Deletes itself 1 IoCs
Processes: cmd.exe
pid | process
472 | cmd.exe

Executes dropped EXE 1 IoCs
Processes: rejoice101.exe
pid | process
2664 | rejoice101.exe

Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
description | ioc | process
File opened (read-only) | \??\K: | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened (read-only) | \??\M: | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened (read-only) | \??\X: | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened (read-only) | \??\Y: | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened (read-only) | \??\B: | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened (read-only) | \??\Q: | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened (read-only) | \??\R: | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened (read-only) | \??\S: | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened (read-only) | \??\E: | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened (read-only) | \??\G: | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened (read-only) | \??\I: | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened (read-only) | \??\U: | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened (read-only) | \??\V: | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened (read-only) | \??\T: | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened (read-only) | \??\A: | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened (read-only) | \??\H: | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened (read-only) | \??\J: | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened (read-only) | \??\L: | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened (read-only) | \??\N: | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened (read-only) | \??\O: | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened (read-only) | \??\P: | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened (read-only) | \??\W: | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened (read-only) | \??\Z: | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
description | ioc | process
File created | F:\AutoRun.inf | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened for modification | F:\AutoRun.inf | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File created | C:\AutoRun.inf | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened for modification | C:\AutoRun.inf | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs
Processes: rejoice101.exe
description | pid | process | target process
PID 2664 set thread context of 2972 | 2664 | rejoice101.exe | calc.exe

Drops file in Windows directory 5 IoCs
Processes: 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe, rejoice101.exe
description | ioc | process
File created | C:\Windows\rejoice101.exe | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File opened for modification | C:\Windows\rejoice101.exe | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
File created | C:\Windows\_rejoice101.exe | rejoice101.exe
File opened for modification | C:\Windows\_rejoice101.exe | rejoice101.exe
File created | C:\Windows\DelSvel.bat | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe

Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
2356 | 2664 | WerFault.exe | rejoice101.exe

Suspicious use of WriteProcessMemory 18 IoCs
Processes: 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe, rejoice101.exe
description | pid | process | target process
PID 1672 wrote to memory of 2664 | 1672 | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe | rejoice101.exe
PID 1672 wrote to memory of 2664 | 1672 | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe | rejoice101.exe
PID 1672 wrote to memory of 2664 | 1672 | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe | rejoice101.exe
PID 1672 wrote to memory of 2664 | 1672 | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe | rejoice101.exe
PID 2664 wrote to memory of 2972 | 2664 | rejoice101.exe | calc.exe
PID 2664 wrote to memory of 2972 | 2664 | rejoice101.exe | calc.exe
PID 2664 wrote to memory of 2972 | 2664 | rejoice101.exe | calc.exe
PID 2664 wrote to memory of 2972 | 2664 | rejoice101.exe | calc.exe
PID 2664 wrote to memory of 2972 | 2664 | rejoice101.exe | calc.exe
PID 2664 wrote to memory of 2972 | 2664 | rejoice101.exe | calc.exe
PID 2664 wrote to memory of 2356 | 2664 | rejoice101.exe | WerFault.exe
PID 2664 wrote to memory of 2356 | 2664 | rejoice101.exe | WerFault.exe
PID 2664 wrote to memory of 2356 | 2664 | rejoice101.exe | WerFault.exe
PID 2664 wrote to memory of 2356 | 2664 | rejoice101.exe | WerFault.exe
PID 1672 wrote to memory of 472 | 1672 | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe | cmd.exe
PID 1672 wrote to memory of 472 | 1672 | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe | cmd.exe
PID 1672 wrote to memory of 472 | 1672 | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe | cmd.exe
PID 1672 wrote to memory of 472 | 1672 | 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe | cmd.exe
Processes (process tree, indented by parent/child depth)
C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe"
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 1672
    C:\Windows\rejoice101.exe
      Command line: C:\Windows\rejoice101.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 2664
        C:\Windows\SysWOW64\calc.exe
          Command line: "C:\Windows\system32\calc.exe"
          PID: 2972
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 320
          - Program crash
          PID: 2356
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Windows\DelSvel.bat
      - Deletes itself
      PID: 472
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 212B
MD5: 9c6aa0178ed69baf465d5c56165677d8
SHA1: e0ecec3a676b3e50255e601d5c12d738857e1557
SHA256: d259521aebc4733592ec7ee5baba7f9dc64aa670b61945e755c0cee38e5f15b9
SHA512: 27d2cef660399fababd6b1f4918fb04cc3b10b3410962ca732748d802bce14ea3e77bb6ffa798ce321bed6acacb893a3d6865698c678ab31cb950afea6c5aa07

Filesize: 636KB
MD5: 097d297d04200e1094a2ca5694303587
SHA1: ffae1a3f4e314d6f7783fff3b70ba638e8653131
SHA256: 09fa9e5b270fb1e33ade2295bd56dd00194013f5b42e8618ed8eb733798290ef
SHA512: d1238e5430360f83ad8c32527657e819af356d5ac8fd6f958a3751ca0d8cf6b754b95f352d658dd1da7596a13aed8f8a74269ef676366281b62002b24b57d604