Analysis

  • max time kernel
    51s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-06-2024 23:02

General

  • Target: 09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe
  • Size: 935KB
  • MD5: 09f9e19317c180f9ca5234665494d27e
  • SHA1: 00228583d1f1cf87b44ab2b4ce224b6eeafd4e26
  • SHA256: 4083cfd7c4e71a102705336eff734b1caff36ffebc0e8121d22e6f58707d1fa7
  • SHA512: 4f4e0ee6761383922bbc94de433ff7e6103d9f480b51fa19cb9781fc21f6208977d821292b9e6d6a2d9ddae20491604a30a1ab75951eaa5ce7437b6c0d764a03
  • SSDEEP: 24576:mLsFEtvC1GNsG17Oq1vW768k06paN8c42Wlyf4A6:XcvkGNx17Oqw/n6EN8c4/lyf

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NTFS ADS 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Users\Admin\AppData\Local\Temp\smaka.EXE
      "C:\Users\Admin\AppData\Local\Temp\smaka.EXE"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PARTY_~1.EXE
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PARTY_~1.EXE
        3⤵
        • Executes dropped EXE
        • NTFS ADS
        • Suspicious use of SetWindowsHookEx
        PID:2356

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PARTY_~1.EXE
    Filesize: 4.0MB
    MD5: c1fff78ef0e5f8ff82e69247f52b331e
    SHA1: a0ce4d4bbdb9b373be725832952215196ff962fd
    SHA256: ef3b48ce5b56ce1cbaa0b3a3cdf6be8c81aca6be10adafb5ea3f2c39893d811b
    SHA512: a5733383a2ab84b4cf46cbb10c422bcdc498053f8b394a672ba669f7dfa128e2f673dee7f90b1da074651e400a761bda9340453d9136bdb3c3f3f53083bd4731

  • C:\Users\Admin\AppData\Local\Temp\smaka.EXE
    Filesize: 903KB
    MD5: ae6af24501520d8e9e069cf6e85fb87a
    SHA1: 58168f1960c0c8b3110e5e1d682ce9d00a1b17f4
    SHA256: da0a0ab047599de47b204359f9ffe81b307025ff53c233efeac32d4841a2ad60
    SHA512: a8817db8cbbd86adce2083110fd54faef28ccd1786417f493b3a8f8e6b6a2ed5340b5458c186f638e6d416359589924b29f479facc06ee1f838b456b4fb23ee5

  • memory/856-11-0x0000000000400000-0x00000000004F1000-memory.dmp
    Filesize: 964KB