Analysis
- max time kernel: 51s
- max time network: 54s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-06-2024 21:36
Static task: static1
Behavioral task: behavioral1
- Sample: 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
- Size: 636KB
- MD5: 097d297d04200e1094a2ca5694303587
- SHA1: ffae1a3f4e314d6f7783fff3b70ba638e8653131
- SHA256: 09fa9e5b270fb1e33ade2295bd56dd00194013f5b42e8618ed8eb733798290ef
- SHA512: d1238e5430360f83ad8c32527657e819af356d5ac8fd6f958a3751ca0d8cf6b754b95f352d658dd1da7596a13aed8f8a74269ef676366281b62002b24b57d604
- SSDEEP: 12288:LJkV9+yzCWv4nS+MPxcnc5g/ftF3Z4mxxz7Zm1jGmYae4mrRO:VSBrvRDPyc5g3tQmXzlmlGmI4
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage 2 IoCs
Processes (resource, yara_rule):
- behavioral2/memory/2100-44-0x0000000000400000-0x000000000051D000-memory.dmp, modiloader_stage2
- behavioral2/memory/3916-47-0x0000000000400000-0x000000000051D000-memory.dmp, modiloader_stage2

Executes dropped EXE 1 IoCs
Processes (pid, process):
- 3916, rejoice101.exe

Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description, ioc, process):
- File opened (read-only) by 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe, one IoC per drive root, in the order recorded: \??\K:, \??\L:, \??\N:, \??\R:, \??\X:, \??\A:, \??\E:, \??\H:, \??\S:, \??\U:, \??\W:, \??\Y:, \??\B:, \??\J:, \??\O:, \??\P:, \??\T:, \??\I:, \??\M:, \??\Q:, \??\V:, \??\Z:, \??\G:

Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes (description, ioc, process):
- File opened for modification, F:\AutoRun.inf, 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
- File created, C:\AutoRun.inf, 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
- File opened for modification, C:\AutoRun.inf, 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
- File created, F:\AutoRun.inf, 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe

Drops file in Windows directory 5 IoCs
Processes (description, ioc, process):
- File created, C:\Windows\_rejoice101.exe, rejoice101.exe
- File opened for modification, C:\Windows\_rejoice101.exe, rejoice101.exe
- File created, C:\Windows\DelSvel.bat, 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
- File created, C:\Windows\rejoice101.exe, 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe
- File opened for modification, C:\Windows\rejoice101.exe, 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe

Program crash 1 IoCs
Processes (pid, pid_target, process, target process):
- 3680, 3916, WerFault.exe, rejoice101.exe

Suspicious use of WriteProcessMemory 9 IoCs
Processes (description, pid, process, target process):
- PID 2100 wrote to memory of 3916, 2100, 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe, rejoice101.exe (recorded 3 times)
- PID 3916 wrote to memory of 1380, 3916, rejoice101.exe, calc.exe (recorded 3 times)
- PID 2100 wrote to memory of 3688, 2100, 097d297d04200e1094a2ca5694303587_JaffaCakes118.exe, cmd.exe (recorded 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe (PID 2100)
  Command line: "C:\Users\Admin\AppData\Local\Temp\097d297d04200e1094a2ca5694303587_JaffaCakes118.exe"
  Signatures: Enumerates connected drives; Drops autorun.inf file; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\rejoice101.exe (PID 3916)
    Command line: C:\Windows\rejoice101.exe
    Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\calc.exe (PID 1380)
      Command line: "C:\Windows\system32\calc.exe"
    - C:\Windows\SysWOW64\WerFault.exe (PID 3680)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 680
      Signatures: Program crash
  - C:\Windows\SysWOW64\cmd.exe (PID 3688)
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\DelSvel.bat
- C:\Windows\SysWOW64\WerFault.exe (PID 1688)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3916 -ip 3916
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 212B
  MD5: 9c6aa0178ed69baf465d5c56165677d8
  SHA1: e0ecec3a676b3e50255e601d5c12d738857e1557
  SHA256: d259521aebc4733592ec7ee5baba7f9dc64aa670b61945e755c0cee38e5f15b9
  SHA512: 27d2cef660399fababd6b1f4918fb04cc3b10b3410962ca732748d802bce14ea3e77bb6ffa798ce321bed6acacb893a3d6865698c678ab31cb950afea6c5aa07
- Filesize: 636KB
  MD5: 097d297d04200e1094a2ca5694303587
  SHA1: ffae1a3f4e314d6f7783fff3b70ba638e8653131
  SHA256: 09fa9e5b270fb1e33ade2295bd56dd00194013f5b42e8618ed8eb733798290ef
  SHA512: d1238e5430360f83ad8c32527657e819af356d5ac8fd6f958a3751ca0d8cf6b754b95f352d658dd1da7596a13aed8f8a74269ef676366281b62002b24b57d604