Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
20-06-2024 01:57
General
-
Target
01d9ffdb220aa6f360d525ce7518d692_JaffaCakes118.exe
-
Size
620KB
-
MD5
01d9ffdb220aa6f360d525ce7518d692
-
SHA1
a009b9f4874ad89bdfdd9d8ff7d79f7e42565559
-
SHA256
9a3a9a5affc805170ca3458b622381e04fbac6f63fa0d853b8f5f0ab5380c33b
-
SHA512
a5721e115c2cc65f5fe5b09f24ac7b3235229b569b27f97422b35be9ccb95070d86048b5da976ebc7c20097b706140443c560cc03cb1202a5c4debfb1fc6cb36
-
SSDEEP
12288:15++2mUoq1xYqWnhIz6j0QF3Z4mxxPBOL9h+r93KyEfT:15KmUo0YqWniz6j0QQmXPukr9cfT
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Program crash 2 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\01d9ffdb220aa6f360d525ce7518d692_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\01d9ffdb220aa6f360d525ce7518d692_JaffaCakes118.exe"1⤵
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Common Files\Microsoft Shared\MSINFO\Se101.exe"C:\Program Files\Common Files\Microsoft Shared\MSINFO\Se101.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\system32\calc.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 124⤵
- Program crash
-
C:\program files\internet explorer\IEXPLORE.EXE"C:\program files\internet explorer\IEXPLORE.EXE"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 604 -s 6923⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3296 -ip 32961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 604 -ip 6041⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.batFilesize
212B
MD504da0350a83c6bc9d49c16a6b9f1b83b
SHA1f7657b7dcbdb8370e4504e1309eb7acc9be03386
SHA256500e575977c1d560449682e65bde279bfa038a697c2468aff8b6fbace5e49aea
SHA512bd26d0dfdba4eebdfbb259ea923d069e49d00dc89a5e2ec35ca26a2a9247f7c079bd15017c18ac4fb8b4fdaab982bbc71d8e87f393dc19680764ffbaf1cff172
-
F:\Se101.exeFilesize
620KB
MD501d9ffdb220aa6f360d525ce7518d692
SHA1a009b9f4874ad89bdfdd9d8ff7d79f7e42565559
SHA2569a3a9a5affc805170ca3458b622381e04fbac6f63fa0d853b8f5f0ab5380c33b
SHA512a5721e115c2cc65f5fe5b09f24ac7b3235229b569b27f97422b35be9ccb95070d86048b5da976ebc7c20097b706140443c560cc03cb1202a5c4debfb1fc6cb36
-
memory/604-53-0x0000000000400000-0x000000000051B000-memory.dmpFilesize
1.1MB
-
memory/604-43-0x0000000000400000-0x000000000051B000-memory.dmpFilesize
1.1MB
-
memory/1576-4-0x00000000023F0000-0x00000000023F1000-memory.dmpFilesize
4KB
-
memory/1576-22-0x0000000000400000-0x000000000051B000-memory.dmpFilesize
1.1MB
-
memory/1576-16-0x0000000003360000-0x0000000003361000-memory.dmpFilesize
4KB
-
memory/1576-15-0x0000000003360000-0x0000000003361000-memory.dmpFilesize
4KB
-
memory/1576-14-0x0000000003360000-0x0000000003361000-memory.dmpFilesize
4KB
-
memory/1576-13-0x0000000003360000-0x0000000003361000-memory.dmpFilesize
4KB
-
memory/1576-12-0x0000000003360000-0x0000000003361000-memory.dmpFilesize
4KB
-
memory/1576-11-0x0000000003360000-0x0000000003361000-memory.dmpFilesize
4KB
-
memory/1576-10-0x0000000002380000-0x0000000002381000-memory.dmpFilesize
4KB
-
memory/1576-9-0x0000000002400000-0x0000000002401000-memory.dmpFilesize
4KB
-
memory/1576-8-0x00000000023C0000-0x00000000023C1000-memory.dmpFilesize
4KB
-
memory/1576-7-0x00000000023E0000-0x00000000023E1000-memory.dmpFilesize
4KB
-
memory/1576-6-0x0000000002360000-0x0000000002361000-memory.dmpFilesize
4KB
-
memory/1576-5-0x0000000002370000-0x0000000002371000-memory.dmpFilesize
4KB
-
memory/1576-0-0x0000000000400000-0x000000000051B000-memory.dmpFilesize
1.1MB
-
memory/1576-3-0x0000000002390000-0x0000000002391000-memory.dmpFilesize
4KB
-
memory/1576-2-0x00000000023B0000-0x00000000023B1000-memory.dmpFilesize
4KB
-
memory/1576-17-0x0000000003360000-0x0000000003361000-memory.dmpFilesize
4KB
-
memory/1576-26-0x00000000033D0000-0x00000000033D1000-memory.dmpFilesize
4KB
-
memory/1576-27-0x00000000033E0000-0x00000000033E1000-memory.dmpFilesize
4KB
-
memory/1576-25-0x00000000033B0000-0x00000000033B1000-memory.dmpFilesize
4KB
-
memory/1576-24-0x00000000033C0000-0x00000000033C1000-memory.dmpFilesize
4KB
-
memory/1576-23-0x00000000033A0000-0x00000000033A1000-memory.dmpFilesize
4KB
-
memory/1576-21-0x0000000003350000-0x0000000003352000-memory.dmpFilesize
8KB
-
memory/1576-29-0x0000000000400000-0x000000000051B000-memory.dmpFilesize
1.1MB
-
memory/1576-28-0x00000000004C5000-0x00000000004C6000-memory.dmpFilesize
4KB
-
memory/1576-18-0x0000000003360000-0x0000000003361000-memory.dmpFilesize
4KB
-
memory/1576-19-0x0000000003360000-0x0000000003361000-memory.dmpFilesize
4KB
-
memory/1576-1-0x0000000002090000-0x00000000020E4000-memory.dmpFilesize
336KB
-
memory/1576-50-0x0000000000400000-0x000000000051B000-memory.dmpFilesize
1.1MB
-
memory/1576-51-0x0000000002090000-0x00000000020E4000-memory.dmpFilesize
336KB
-
memory/1576-20-0x0000000003350000-0x0000000003351000-memory.dmpFilesize
4KB
-
memory/3296-46-0x0000000000400000-0x000000000051B000-memory.dmpFilesize
1.1MB