Analysis
-
max time kernel
131s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
20-06-2024 02:35
General
-
Target
021528e3281374358cf58f61cb99d483_JaffaCakes118.exe
-
Size
629KB
-
MD5
021528e3281374358cf58f61cb99d483
-
SHA1
9daf380cf5a2e021dae18cd6d60e2d80a394b1e7
-
SHA256
7642560eee720a02704b72ae3fff541db3d4c84ad4db3de3b7b75e75f7374a1b
-
SHA512
cf038c7a74dcc349f4d31ab1db17be433e008ce07bcf01650144b5d736cc2b21e5a5ce7b90caa1c54b111eeb2d9c411ab72d26cc81d4099d7620f42391779a5f
-
SSDEEP
12288:Xzr/8Qq3o236iRXpcSO45+dUKutF3Z4mxxNwttfoOlMDwa4SMfhq:cQq3P3t3O45+q9tQmXktRll7rq
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 2 IoCs
-
Program crash 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\021528e3281374358cf58f61cb99d483_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\021528e3281374358cf58f61cb99d483_JaffaCakes118.exe"1⤵
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Common Files\Microsoft Shared\MSINFO\FileManager.cmd"C:\Program Files\Common Files\Microsoft Shared\MSINFO\FileManager.cmd"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe"3⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 124⤵
- Program crash
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 596 -s 6843⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 596 -ip 5961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5100 -ip 51001⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1304,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4456 /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.batFilesize
212B
MD58444990a9afcab9cc71a5e3b0a997a02
SHA1bce747e36283df96d7411551a2dd4f381131ea88
SHA256a20e2a7eeaf94d8c8e5769996dafa1025c859199d40760065d518baa412223cb
SHA512bed30e2c5508b3f7208a6b9ab683d443ad4be810794f1375169769e97a75854a204d3ca4b77cbd385a95d4d85d58514fed0024cd537fa7bdd475f7c6535ec2ed
-
F:\FileManager.cmdFilesize
629KB
MD5021528e3281374358cf58f61cb99d483
SHA19daf380cf5a2e021dae18cd6d60e2d80a394b1e7
SHA2567642560eee720a02704b72ae3fff541db3d4c84ad4db3de3b7b75e75f7374a1b
SHA512cf038c7a74dcc349f4d31ab1db17be433e008ce07bcf01650144b5d736cc2b21e5a5ce7b90caa1c54b111eeb2d9c411ab72d26cc81d4099d7620f42391779a5f
-
memory/596-47-0x0000000002060000-0x00000000020B4000-memory.dmpFilesize
336KB
-
memory/596-46-0x0000000000400000-0x0000000000514000-memory.dmpFilesize
1.1MB
-
memory/596-34-0x0000000002060000-0x00000000020B4000-memory.dmpFilesize
336KB
-
memory/2944-14-0x0000000000700000-0x0000000000701000-memory.dmpFilesize
4KB
-
memory/2944-3-0x00000000024F0000-0x00000000024F1000-memory.dmpFilesize
4KB
-
memory/2944-0-0x0000000000400000-0x0000000000514000-memory.dmpFilesize
1.1MB
-
memory/2944-13-0x00000000035C0000-0x00000000035C1000-memory.dmpFilesize
4KB
-
memory/2944-12-0x00000000034C0000-0x00000000034C3000-memory.dmpFilesize
12KB
-
memory/2944-11-0x00000000034D0000-0x00000000034D1000-memory.dmpFilesize
4KB
-
memory/2944-10-0x00000000024E0000-0x00000000024E1000-memory.dmpFilesize
4KB
-
memory/2944-9-0x0000000002560000-0x0000000002561000-memory.dmpFilesize
4KB
-
memory/2944-8-0x0000000002520000-0x0000000002521000-memory.dmpFilesize
4KB
-
memory/2944-7-0x0000000002530000-0x0000000002531000-memory.dmpFilesize
4KB
-
memory/2944-6-0x00000000024C0000-0x00000000024C1000-memory.dmpFilesize
4KB
-
memory/2944-5-0x00000000024D0000-0x00000000024D1000-memory.dmpFilesize
4KB
-
memory/2944-4-0x0000000002540000-0x0000000002541000-memory.dmpFilesize
4KB
-
memory/2944-16-0x0000000003500000-0x0000000003501000-memory.dmpFilesize
4KB
-
memory/2944-2-0x0000000002510000-0x0000000002511000-memory.dmpFilesize
4KB
-
memory/2944-20-0x00000000026E0000-0x00000000026E1000-memory.dmpFilesize
4KB
-
memory/2944-17-0x00000000034F0000-0x00000000034F1000-memory.dmpFilesize
4KB
-
memory/2944-18-0x00000000034E0000-0x00000000034E1000-memory.dmpFilesize
4KB
-
memory/2944-1-0x00000000022F0000-0x0000000002344000-memory.dmpFilesize
336KB
-
memory/2944-41-0x0000000000400000-0x0000000000514000-memory.dmpFilesize
1.1MB
-
memory/2944-43-0x0000000003530000-0x0000000003531000-memory.dmpFilesize
4KB
-
memory/2944-44-0x00000000022F0000-0x0000000002344000-memory.dmpFilesize
336KB
-
memory/2944-42-0x0000000003540000-0x0000000003541000-memory.dmpFilesize
4KB
-
memory/2944-19-0x0000000003550000-0x0000000003551000-memory.dmpFilesize
4KB
-
memory/2944-15-0x0000000002290000-0x0000000002291000-memory.dmpFilesize
4KB
-
memory/5100-37-0x0000000000400000-0x0000000000514000-memory.dmpFilesize
1.1MB