Analysis
max time kernel: 51s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 23:02
Behavioral task: behavioral1
Sample: 09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: 09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe
Size: 935KB
MD5: 09f9e19317c180f9ca5234665494d27e
SHA1: 00228583d1f1cf87b44ab2b4ce224b6eeafd4e26
SHA256: 4083cfd7c4e71a102705336eff734b1caff36ffebc0e8121d22e6f58707d1fa7
SHA512: 4f4e0ee6761383922bbc94de433ff7e6103d9f480b51fa19cb9781fc21f6208977d821292b9e6d6a2d9ddae20491604a30a1ab75951eaa5ce7437b6c0d764a03
SSDEEP: 24576:mLsFEtvC1GNsG17Oq1vW768k06paN8c42Wlyf4A6:XcvkGNx17Oqw/n6EN8c4/lyf
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (1 IoCs)
Processes:
  resource: behavioral2/memory/856-11-0x0000000000400000-0x00000000004F1000-memory.dmp; yara_rule: modiloader_stage2

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation; process: 09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
Processes:
  pid: 1492; process: smaka.EXE
  pid: 2356; process: PARTY_~1.EXE

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""; process: smaka.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

NTFS ADS (1 IoCs)
Processes:
  description: File opened for modification; ioc: C:\Users\Admin\AppData\Local\Temp\OLE1EmbedStrm.wav:Zone.Identifier; process: PARTY_~1.EXE

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid: 2356; process: PARTY_~1.EXE

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description: PID 856 wrote to memory of 1492; pid: 856; process: 09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe; target process: smaka.EXE
  description: PID 856 wrote to memory of 1492; pid: 856; process: 09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe; target process: smaka.EXE
  description: PID 1492 wrote to memory of 2356; pid: 1492; process: smaka.EXE; target process: PARTY_~1.EXE
  description: PID 1492 wrote to memory of 2356; pid: 1492; process: smaka.EXE; target process: PARTY_~1.EXE
  description: PID 1492 wrote to memory of 2356; pid: 1492; process: smaka.EXE; target process: PARTY_~1.EXE
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe"
  PID: 856
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\smaka.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\smaka.EXE"
    PID: 1492
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PARTY_~1.EXE
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PARTY_~1.EXE
      PID: 2356
      - Executes dropped EXE
      - NTFS ADS
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4.0MB
MD5: c1fff78ef0e5f8ff82e69247f52b331e
SHA1: a0ce4d4bbdb9b373be725832952215196ff962fd
SHA256: ef3b48ce5b56ce1cbaa0b3a3cdf6be8c81aca6be10adafb5ea3f2c39893d811b
SHA512: a5733383a2ab84b4cf46cbb10c422bcdc498053f8b394a672ba669f7dfa128e2f673dee7f90b1da074651e400a761bda9340453d9136bdb3c3f3f53083bd4731

Filesize: 903KB
MD5: ae6af24501520d8e9e069cf6e85fb87a
SHA1: 58168f1960c0c8b3110e5e1d682ce9d00a1b17f4
SHA256: da0a0ab047599de47b204359f9ffe81b307025ff53c233efeac32d4841a2ad60
SHA512: a8817db8cbbd86adce2083110fd54faef28ccd1786417f493b3a8f8e6b6a2ed5340b5458c186f638e6d416359589924b29f479facc06ee1f838b456b4fb23ee5