Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 23:02
Behavioral task behavioral1
Sample: 09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe
Resource: win7-20240419-en

Behavioral task behavioral2
Sample: 09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe
Size: 935KB
MD5: 09f9e19317c180f9ca5234665494d27e
SHA1: 00228583d1f1cf87b44ab2b4ce224b6eeafd4e26
SHA256: 4083cfd7c4e71a102705336eff734b1caff36ffebc0e8121d22e6f58707d1fa7
SHA512: 4f4e0ee6761383922bbc94de433ff7e6103d9f480b51fa19cb9781fc21f6208977d821292b9e6d6a2d9ddae20491604a30a1ab75951eaa5ce7437b6c0d764a03
SSDEEP: 24576:mLsFEtvC1GNsG17Oq1vW768k06paN8c42Wlyf4A6:XcvkGNx17Oqw/n6EN8c4/lyf
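Before relying on the behaviour recorded below, confirm that the file you hold is the one this report describes. The script that follows is an added example, not part of the report or of the sandbox that produced it: it streams a file once through MD5, SHA-1, SHA-256 and SHA-512 and returns every digest that disagrees with the values listed in the General section (the REPORTED_SAMPLE table is copied from there; the SSDEEP value is not recomputed because that needs a fuzzy-hashing library). The file name verify_sample.py is an assumption.

```python
import hashlib
import sys

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Digests of the submitted sample, copied from the General section of this report.
REPORTED_SAMPLE = {
    "md5": "09f9e19317c180f9ca5234665494d27e",
    "sha1": "00228583d1f1cf87b44ab2b4ce224b6eeafd4e26",
    "sha256": "4083cfd7c4e71a102705336eff734b1caff36ffebc0e8121d22e6f58707d1fa7",
    "sha512": "4f4e0ee6761383922bbc94de433ff7e6103d9f480b51fa19cb9781fc21f6208977d821292b9e6d6a2d9ddae20491604a30a1ab75951eaa5ce7437b6c0d764a03",
}


def digest_stream(chunks):
    """Feed each chunk to all four hashes in one pass; return hex digests plus byte count."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    for chunk in chunks:
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    result = {name: h.hexdigest() for name, h in hashers.items()}
    result["size"] = size
    return result


def digest_bytes(data, chunk_size=1 << 16):
    """Digest an in-memory buffer (handy for dropped files already read from a sandbox export)."""
    return digest_stream(data[i:i + chunk_size] for i in range(0, len(data), chunk_size))


def digest_file(path, chunk_size=1 << 20):
    """Digest a file without loading it whole; a 935KB sample fits in a single 1MB chunk."""
    with open(path, "rb") as f:
        return digest_stream(iter(lambda: f.read(chunk_size), b""))


def compare(actual, reported):
    """Map each reported algorithm whose digest differs to (actual, reported); empty means match."""
    mismatches = {}
    for name, expected in reported.items():
        expected = expected.strip().lower()   # report values may be pasted in either case
        if actual.get(name) != expected:
            mismatches[name] = (actual.get(name), expected)
    return mismatches


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: verify_sample.py <file>")
    actual = digest_file(sys.argv[1])
    bad = compare(actual, REPORTED_SAMPLE)
    print(f"{sys.argv[1]}: {actual['size']} bytes")
    for name in ALGORITHMS:
        print(f"  {name:<6} {actual[name]}  {'MISMATCH' if name in bad else 'ok'}")
    sys.exit(1 if bad else 0)
```

A non-zero exit status means at least one digest differs; a single mismatch is enough to reject the file, since all four are computed over the same bytes. The same functions, with a different REPORTED table, verify the two dropped files listed under Downloads.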
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (1 IoC)
resource: behavioral1/memory/1884-5-0x0000000000400000-0x00000000004F1000-memory.dmp
yara_rule: modiloader_stage2

Executes dropped EXE (3 IoCs)
pid   process
2040  smaka.EXE
1172  (process name not captured in the report)
2680  PARTY_~1.EXE

Loads dropped DLL (1 IoC)
pid   process
1884  09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
process: smaka.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of SetWindowsHookEx (1 IoC)
pid   process
2680  PARTY_~1.EXE

Suspicious use of WriteProcessMemory (8 IoCs)
description                       pid   process                                             target process
PID 1884 wrote to memory of 2040  1884  09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe  smaka.EXE      (reported 4 times)
PID 2040 wrote to memory of 2680  2040  smaka.EXE                                           PARTY_~1.EXE   (reported 4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe"
   PID: 1884
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\smaka.EXE
      command line: "C:\Users\Admin\AppData\Local\Temp\smaka.EXE"
      PID: 2040
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PARTY_~1.EXE
         command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PARTY_~1.EXE
         PID: 2680
         - Executes dropped EXE
         - Suspicious use of SetWindowsHookEx
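Two things in the signatures and process tree are worth reading together rather than as isolated alerts. The RunOnce value name wextract_cleanup0, the data rundll32.exe advpack.dll,DelNodeRunDLL32 "<dir>" and an extraction directory named IXP000.TMP are the standard artefacts of a wextract/IExpress-style self-extracting executable: the value deletes the extraction directory at next logon rather than persisting the payload, so the "Adds Run key" signature here marks a packaging step, not a startup entry for the malware. And four identical WriteProcessMemory entries per parent/child pair, each from a parent to the child it spawned, is the pattern ordinary process creation produces, not a write into an unrelated process. This interpretation is the editor's, not something the report states. The script below is an added example (not part of the report or of the sandbox): it parses the report's WriteProcessMemory and registry lines, collapses the repeated entries into parent-to-child edges, rebuilds the chain from the root PID, and flags payloads executed from the directory that the cleanup value will delete. The event lines are constructed from this report; the regular expressions for the line formats are the editor's assumption about the sandbox's text export.

```python
import re
from collections import defaultdict

# Constructed input, copied from the IoC lines of this report: eight
# WriteProcessMemory entries (four per parent/child pair) and the one
# RunOnce set-value entry.  A real run would read these from the sandbox export.
WPM_EVENTS = [
    "PID 1884 wrote to memory of 2040 1884 "
    "09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe smaka.EXE",
] * 4 + [
    "PID 2040 wrote to memory of 2680 2040 smaka.EXE PARTY_~1.EXE",
] * 4

REG_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'
    r'\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,'
    r'DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" smaka.EXE',
]

# Image paths from the process tree, keyed by PID.
PROCESSES = {
    1884: r"C:\Users\Admin\AppData\Local\Temp\09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe",
    2040: r"C:\Users\Admin\AppData\Local\Temp\smaka.EXE",
    2680: r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PARTY_~1.EXE",
}

# Line formats as they appear in this report (assumed stable across reports).
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")
REG_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\\S+)\\([^\\\s]+) = "(.*)" (\S+)$')
# wextract-style cleanup command: rundll32 advpack.dll,DelNodeRunDLL32 "<dir>"
CLEANUP_RE = re.compile(r'rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"?([^"]+)', re.I)
# Extraction directory naming used by wextract: ...\Temp\IXP000.TMP\
IXP_DIR_RE = re.compile(r"\\Temp\\IXP\d{3}\.TMP\\?$", re.I)


def unescape(s):
    """Undo the report's JSON-style escaping of backslashes and quotes."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_wpm(lines):
    """Collapse repeated 'wrote to memory of' entries into (src, dst) edges with a count."""
    edges = {}
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        rec = edges.setdefault(key, {"src": m.group(3), "dst": m.group(4), "count": 0})
        rec["count"] += 1
    return edges


def process_chain(edges, root):
    """Breadth-first walk of parent->child edges from root; returns PIDs in spawn order."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    order, queue, seen = [], [root], set()
    while queue:
        pid = queue.pop(0)
        if pid in seen:
            continue
        seen.add(pid)
        order.append(pid)
        queue.extend(sorted(children[pid]))
    return order


def parse_reg(lines):
    """Split registry set-value lines into type, key, value name, data and process."""
    out = []
    for line in lines:
        m = REG_RE.match(line.strip())
        if m:
            out.append({"type": m.group(1), "key": m.group(2), "name": m.group(3),
                        "data": unescape(m.group(4)), "process": m.group(5)})
    return out


def find_sfx_cleanup(reg_records):
    """RunOnce values that schedule deletion of a wextract extraction directory."""
    hits = []
    for r in reg_records:
        if not r["key"].upper().endswith("\\RUNONCE"):
            continue
        m = CLEANUP_RE.search(r["data"])
        if m and IXP_DIR_RE.search(m.group(1)):
            hits.append({"name": r["name"], "dir": m.group(1), "process": r["process"]})
    return hits


def assess(wpm_lines, reg_lines, processes, root):
    """Chain, per-edge counts, cleanup entries, and PIDs whose image lives in a cleanup dir."""
    edges = parse_wpm(wpm_lines)
    chain = process_chain(edges, root)
    cleanups = find_sfx_cleanup(parse_reg(reg_lines))
    dirs = [c["dir"].lower() for c in cleanups]
    payloads = [pid for pid in chain
                if any(processes.get(pid, "").lower().startswith(d) for d in dirs)]
    return {"chain": chain,
            "edges": {k: v["count"] for k, v in edges.items()},
            "sfx_cleanup": cleanups,
            "payload_pids": payloads}


if __name__ == "__main__":
    result = assess(WPM_EVENTS, REG_EVENTS, PROCESSES, root=1884)
    print("process chain:", " -> ".join(str(p) for p in result["chain"]))
    for (src, dst), n in result["edges"].items():
        print(f"  {src} -> {dst}: {n} WriteProcessMemory entries")
    for c in result["sfx_cleanup"]:
        print(f"RunOnce {c['name']} set by {c['process']} deletes {c['dir']}")
    print("payloads run from the extraction directory:", result["payload_pids"])
```

The useful output is the last line: PID 2680 (PARTY_~1.EXE) is the file the self-extractor dropped and ran, and it is the process that will no longer be on disk after the next logon, so it is the one to pull from the sandbox (compare against the Downloads section) rather than smaka.EXE, which is only the wrapper.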
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4.0MB
MD5: c1fff78ef0e5f8ff82e69247f52b331e
SHA1: a0ce4d4bbdb9b373be725832952215196ff962fd
SHA256: ef3b48ce5b56ce1cbaa0b3a3cdf6be8c81aca6be10adafb5ea3f2c39893d811b
SHA512: a5733383a2ab84b4cf46cbb10c422bcdc498053f8b394a672ba669f7dfa128e2f673dee7f90b1da074651e400a761bda9340453d9136bdb3c3f3f53083bd4731

Filesize: 903KB
MD5: ae6af24501520d8e9e069cf6e85fb87a
SHA1: 58168f1960c0c8b3110e5e1d682ce9d00a1b17f4
SHA256: da0a0ab047599de47b204359f9ffe81b307025ff53c233efeac32d4841a2ad60
SHA512: a8817db8cbbd86adce2083110fd54faef28ccd1786417f493b3a8f8e6b6a2ed5340b5458c186f638e6d416359589924b29f479facc06ee1f838b456b4fb23ee5