Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-06-2024 15:02

General

  • Target

    0714394b7db4db09309ee67096723c0e_JaffaCakes118.exe

  • Size

    726KB

  • MD5

    0714394b7db4db09309ee67096723c0e

  • SHA1

    7903c3111ec507cf266ef88c8ce42145ffca3d10

  • SHA256

    ae78f1813c96535532be71ac89259f51b7b84edbaf9fcd2f97db58af04e06e1a

  • SHA512

    96bf8c44011a0fba5366c017bfa27f19c4d7374b6e1625b8ad11d26d14ddb3998d5ba493186fe0a4a1c85a0de6ac5ae913fb5a38ef5005e027978050f5f62993

  • SSDEEP

    12288:F8k37stBEScWoGdqDkg16l9xneL73U9sPG7SGzJkZqTYEH4K:F8kL0BfTdqDktl3cA+6zJcqTY4b

Score
10/10

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0714394b7db4db09309ee67096723c0e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0714394b7db4db09309ee67096723c0e_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Drops autorun.inf file
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\program files\internet explorer\IEXPLORE.EXE
      "C:\program files\internet explorer\IEXPLORE.EXE"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2760

Network

MITRE ATT&CK Enterprise v15

Downloads

  • F:\AutoRun.inf

    Filesize

    81B

    MD5

    400209ebd824aeeb7633f6640322e89d

    SHA1

    e7d7e83f618e9ffcce5c332992fe34dbd8be9ce8

    SHA256

    e7c5b1bccffef005c0da369a4bc1ce6beafff8298b3d253bb6b1dabd672b304d

    SHA512

    e046c0662d5f2ba9399278102ff8fcf685ea13a63980ebb85898ad23ab67e620e2264a07d88b5a6e33d34d9263eaabc7cde921621f1efefbaec5b54a7af948c0

  • memory/1984-13-0x0000000000060000-0x000000000011C000-memory.dmp

    Filesize

    752KB

  • memory/2344-14-0x0000000000400000-0x00000000004BC000-memory.dmp

    Filesize

    752KB
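The two host-level behaviours flagged above (enumerating drive roots other than C: and dropping an AutoRun.inf on an attached volume, seen here as F:\AutoRun.inf) are cheap to check for on a suspect machine. The script below is an added example written for this page; it is not part of the sandbox report or of the analysed sample. It walks a set of volume roots, finds an autorun.inf regardless of case, parses the [autorun] section for directives that launch a program (open=, shellexecute=, shell\...\command=), hashes the file and compares it with the SHA-256 listed under Downloads. The report does not show the contents of the 81-byte AutoRun.inf, so the sample files in demo() are constructed stand-ins, not the dropped file; the drive enumeration via GetLogicalDrives only applies on Windows.

```python
"""Check volume roots for an autorun.inf, parse its launch directives and
match the file hash against the IoC listed in this report. Added example."""
import ctypes
import hashlib
import os
import re
import tempfile

# SHA-256 of F:\AutoRun.inf as listed under Downloads in this report.
KNOWN_BAD_SHA256 = {"e7c5b1bccffef005c0da369a4bc1ce6beafff8298b3d253bb6b1dabd672b304d"}

# Keys in [autorun] that launch a program; icon=/label= are cosmetic only.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")


def parse_autorun(text):
    """Return {lower_key: value} for the [autorun] section; other sections ignored."""
    directives, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
        elif in_autorun and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    return directives


def launch_targets(directives):
    """Values Windows would execute when the volume is opened via Autorun."""
    return [v for k, v in directives.items()
            if k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k)]


def _is_executable(target):
    # First token of the command line, quotes stripped, checked by extension.
    exe = (target.strip().split() or [""])[0].lower().strip('"')
    return exe.endswith(EXEC_EXTS)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def windows_volume_roots():
    """Roots of all mounted drive letters via kernel32!GetLogicalDrives (Windows only)."""
    mask = ctypes.windll.kernel32.GetLogicalDrives()
    return [f"{chr(65 + i)}:\\" for i in range(26) if mask & (1 << i)]


def scan_roots(roots):
    """For each root, report an autorun.inf if present, with a verdict."""
    findings = []
    for root in roots:
        try:
            names = {n.lower(): n for n in os.listdir(root)}
        except OSError:  # unreadable or ejected volume
            continue
        if "autorun.inf" not in names:  # match AutoRun.inf, AUTORUN.INF, ...
            continue
        path = os.path.join(root, names["autorun.inf"])
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            directives = parse_autorun(fh.read())
        digest = sha256_of(path)
        targets = launch_targets(directives)
        if digest in KNOWN_BAD_SHA256:
            verdict = "known_bad"
        elif any(_is_executable(t) for t in targets):
            verdict = "suspicious"
        else:
            verdict = "benign"
        findings.append({"root": root, "sha256": digest,
                         "launch_targets": targets, "verdict": verdict})
    return findings


def demo():
    """Scan three constructed volume roots: none, a launching autorun.inf, a cosmetic one."""
    base = tempfile.mkdtemp(prefix="autorun_demo_")
    roots = [os.path.join(base, d) for d in ("E", "F", "G")]
    for r in roots:
        os.mkdir(r)
    # Constructed sample in the style of a USB worm; NOT the file from this report.
    with open(os.path.join(roots[1], "AutoRun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=RECYCLER\\update.exe\n"
                 "shell\\open\\command=RECYCLER\\update.exe\n"
                 "icon=%SystemRoot%\\system32\\shell32.dll,4\n")
    # Constructed benign sample: only cosmetic keys.
    with open(os.path.join(roots[2], "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nicon=setup.ico\nlabel=Driver CD\n")
    return scan_roots(roots)


if __name__ == "__main__":
    roots = windows_volume_roots() if os.name == "nt" else None
    for finding in scan_roots(roots) if roots else demo():
        print(finding)
```

On a live Windows host run it as-is to sweep every mounted letter; elsewhere the demo() path exercises the parser and verdict logic on the constructed files. A hash match is the only hard indicator of this specific drop; the "suspicious" verdict is a heuristic for any autorun.inf that launches an executable, which is how a worm would spread to further volumes even after the binary is renamed.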