Analysis
- max time kernel: 149s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 20-06-2024 15:26
Behavioral tasks
- behavioral1: 074391e6f0bdc130acd14ac879ee7a8c_JaffaCakes118.exe on resource win7-20240508-en
- behavioral2: 074391e6f0bdc130acd14ac879ee7a8c_JaffaCakes118.exe on resource win10v2004-20240226-en
General
- Target: 074391e6f0bdc130acd14ac879ee7a8c_JaffaCakes118.exe
- Size: 90KB
- MD5: 074391e6f0bdc130acd14ac879ee7a8c
- SHA1: 6f4e95fa6f2beb5e9c6009727768c4f7b85cb517
- SHA256: 69a7526ed322f3919a210772bb0d2d8b2a4ce2a61caee4b170a37d646f97622c
- SHA512: 16672c5b7d532493f7ac7af45abc596bc4af40948a6179b1222166f31c9dbfda7eaedac147d649a4aae95526b45dc3327f7d4381ec6144e05af158527e01c423
- SSDEEP: 1536:mcHA5dZuvrKA1r4Jwwi55dlvo89UBYKpJ0pHWG7m9pAsiyRlIm3UKLgirOdYy/:mcg7UrKqUwflAZYKX6aAsiyZxTuY
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (16 IoCs)
  The yara rule modiloader_stage2 matched the same 0x3C000-byte region at image base 0x00400000 in memory dumps of both the original sample (PID 2932) and the dropped copy msmgrs.exe (PID 2260):
  resource | yara_rule
  behavioral1/memory/2932-13-0x0000000000400000-0x000000000043C000-memory.dmp | modiloader_stage2
  behavioral1/memory/2260-{16..30}-0x0000000000400000-0x000000000043C000-memory.dmp (15 dumps) | modiloader_stage2
- Deletes itself (1 IoC)
  pid | process
  2260 | msmgrs.exe
- Drops startup file (2 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntdll.lnk | msmgrs.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntdll.lnk | msmgrs.exe
- Executes dropped EXE (1 IoC)
  pid | process
  2260 | msmgrs.exe
- Loads dropped DLL (2 IoCs)
  pid | process
  2932 | 074391e6f0bdc130acd14ac879ee7a8c_JaffaCakes118.exe
  2932 | 074391e6f0bdc130acd14ac879ee7a8c_JaffaCakes118.exe
- UPX (yara rule upx, 20 IoCs)
  The rule matched the dropped file on disk, the 0x00400000 image region of both processes, and a second 0x3C000-byte region at 0x02F10000 in PID 2932:
  resource | yara_rule
  behavioral1/memory/2932-0-0x0000000000400000-0x000000000043C000-memory.dmp | upx
  \Windows\SysWOW64\wins\setup\msmgrs.exe | upx
  behavioral1/memory/2932-13-0x0000000000400000-0x000000000043C000-memory.dmp | upx
  behavioral1/memory/2260-14-0x0000000000400000-0x000000000043C000-memory.dmp | upx
  behavioral1/memory/2932-9-0x0000000002F10000-0x0000000002F4C000-memory.dmp | upx
  behavioral1/memory/2260-{16..30}-0x0000000000400000-0x000000000043C000-memory.dmp (15 dumps) | upx
- Drops file in System32 directory (2 IoCs)
  description | ioc | process
  File created | C:\Windows\SysWOW64\wins\setup\msmgrs.exe | 074391e6f0bdc130acd14ac879ee7a8c_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\wins\setup\msmgrs.exe | 074391e6f0bdc130acd14ac879ee7a8c_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | process
  2932 | 074391e6f0bdc130acd14ac879ee7a8c_JaffaCakes118.exe
  2932 | 074391e6f0bdc130acd14ac879ee7a8c_JaffaCakes118.exe
  2260 | msmgrs.exe
  2260 | msmgrs.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  description | pid | process | target pid | target process | occurrences
  wrote to memory of | 2932 | 074391e6f0bdc130acd14ac879ee7a8c_JaffaCakes118.exe | 2260 | msmgrs.exe | 4
  wrote to memory of | 2260 | msmgrs.exe | 2688 | cmd.exe | 4
  wrote to memory of | 2260 | msmgrs.exe | 2760 | cmd.exe | 4
  wrote to memory of | 2760 | cmd.exe | 2768 | regsvr32.exe | 7
  wrote to memory of | 2688 | cmd.exe | 2000 | regsvr32.exe | 7
Processes
- C:\Users\Admin\AppData\Local\Temp\074391e6f0bdc130acd14ac879ee7a8c_JaffaCakes118.exe (PID 2932)
  command line: "C:\Users\Admin\AppData\Local\Temp\074391e6f0bdc130acd14ac879ee7a8c_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wins\setup\msmgrs.exe (PID 2260)
    command line: "C:\Windows\system32\wins\setup\msmgrs.exe"
    (The command line names system32, but the process is 32-bit, so WOW64 file-system redirection resolves it to SysWOW64; that is why the image path and the dropped-file IoC both show C:\Windows\SysWOW64\wins\setup\msmgrs.exe.)
    - Deletes itself
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2688)
      command line: cmd.exe + command.com /c regsvr32 /u /s %WINDIR%/"Downloaded Program Files"/JaguarEditControl.dll
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\regsvr32.exe (PID 2000)
        command line: regsvr32 /u /s C:\Windows/"Downloaded Program Files"/JaguarEditControl.dll
    - C:\Windows\SysWOW64\cmd.exe (PID 2760)
      command line: cmd.exe + command.com /c regsvr32 /u /s %WINDIR%/"Downloaded Program Files"/tebedit.ocx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\regsvr32.exe (PID 2768)
        command line: regsvr32 /u /s C:\Windows/"Downloaded Program Files"/tebedit.ocx
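The process tree above gives three hunt-worthy behaviours: an executable dropped into and run from a non-standard sub-directory of SysWOW64, a Startup-folder shortcut named after a core system DLL (ntdll.lnk), and regsvr32 /u /s launched through cmd.exe to silently unregister ActiveX controls. The following is an added example, not part of the sandbox report or of any vendor's detection content: it encodes those three behaviours as rules over Sysmon-style process-create and file-create events. The event records, the allowlist of known System32 sub-directories and the list of DLL names are constructed assumptions modelled on this report and should be tuned for a real estate.

```python
"""Added hunting example: three rules for the behaviour chain in the report,
run over constructed Sysmon-style events (not the report's own data)."""
import re
from dataclasses import dataclass

# Per-user Startup folder suffix, lower-cased, used as a substring match.
STARTUP_DIR = "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\"
# Names of core system DLLs; a Startup .lnk carrying one of them is a masquerade
# (the report shows ntdll.lnk). Constructed list, extend as needed.
SYSTEM_DLL_STEMS = {"ntdll", "kernel32", "user32", "advapi32", "shell32"}
# Legitimate System32/SysWOW64 sub-directories that hold executables.
# Constructed, not exhaustive: tune for your environment.
KNOWN_SYSTEM32_SUBDIRS = {"wbem", "windowspowershell", "spool", "drivers",
                          "driverstore", "oobe", "sysprep", "winevt"}

@dataclass
class Event:
    kind: str                # "process" (create) or "file" (create/modify)
    pid: int
    image: str               # image of the acting process
    cmdline: str = ""
    parent_image: str = ""
    target: str = ""         # file path, for file events

def _base(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def rule_system32_subdir_exe(ev: Event):
    """Executable created in, or run from, an unexpected sub-directory of
    System32/SysWOW64 (report: \\SysWOW64\\wins\\setup\\msmgrs.exe)."""
    path = (ev.target if ev.kind == "file" else ev.image).lower()
    m = re.search(r"\\windows\\(?:system32|syswow64)\\([^\\]+)\\.+\.exe$", path)
    return path if m and m.group(1) not in KNOWN_SYSTEM32_SUBDIRS else None

def rule_startup_lnk_system_dll_name(ev: Event):
    """.lnk written to the per-user Startup folder whose name mimics a core
    system DLL (report: ntdll.lnk written by msmgrs.exe)."""
    path = ev.target.lower()
    if ev.kind == "file" and STARTUP_DIR in path and path.endswith(".lnk"):
        if _base(path)[:-4] in SYSTEM_DLL_STEMS:
            return path
    return None

def rule_regsvr32_unregister_via_cmd(ev: Event):
    """regsvr32 with both /u (unregister) and /s (silent), spawned by cmd.exe
    (report: two controls removed from 'Downloaded Program Files')."""
    tokens = ev.cmdline.lower().split()
    if (ev.kind == "process" and _base(ev.image) == "regsvr32.exe"
            and _base(ev.parent_image) == "cmd.exe"
            and "/u" in tokens and "/s" in tokens):
        return ev.cmdline
    return None

RULES = [rule_system32_subdir_exe, rule_startup_lnk_system_dll_name,
         rule_regsvr32_unregister_via_cmd]

def hunt(events):
    """Return (rule_name, pid, detail) for every event that matches a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail is not None:
                hits.append((rule.__name__, ev.pid, detail))
    return hits

# Constructed events mirroring the report's process tree and file drops, plus
# two benign events (PIDs 4100, 4200) to show the rules stay quiet on them.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\074391e6f0bdc130acd14ac879ee7a8c_JaffaCakes118.exe"
MSMGRS = r"C:\Windows\SysWOW64\wins\setup\msmgrs.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REGSVR = r"C:\Windows\SysWOW64\regsvr32.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    Event("file", 2932, DROPPER, target=MSMGRS),
    Event("process", 2260, MSMGRS, cmdline=r'"C:\Windows\system32\wins\setup\msmgrs.exe"', parent_image=DROPPER),
    Event("file", 2260, MSMGRS, target=STARTUP + r"\ntdll.lnk"),
    Event("process", 2688, CMD, cmdline=r'cmd.exe + command.com /c regsvr32 /u /s %WINDIR%/"Downloaded Program Files"/JaguarEditControl.dll', parent_image=MSMGRS),
    Event("process", 2000, REGSVR, cmdline=r'regsvr32 /u /s C:\Windows/"Downloaded Program Files"/JaguarEditControl.dll', parent_image=CMD),
    Event("process", 2760, CMD, cmdline=r'cmd.exe + command.com /c regsvr32 /u /s %WINDIR%/"Downloaded Program Files"/tebedit.ocx', parent_image=MSMGRS),
    Event("process", 2768, REGSVR, cmdline=r'regsvr32 /u /s C:\Windows/"Downloaded Program Files"/tebedit.ocx', parent_image=CMD),
    Event("process", 4100, r"C:\Windows\System32\wbem\WMIC.exe", cmdline="wmic os get caption", parent_image=r"C:\Windows\System32\cmd.exe"),
    Event("file", 4200, r"C:\Program Files\Vendor\setup.exe", target=STARTUP + r"\Vendor Updater.lnk"),
]

if __name__ == "__main__":
    for rule_name, pid, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule_name:36} pid={pid:<5} {detail}")
```

On the constructed events the first rule fires twice (the file drop by PID 2932 and the execution as PID 2260), the Startup rule once (ntdll.lnk), and the regsvr32 rule once per unregistered control (PIDs 2000 and 2768); the WMIC and vendor-updater events produce nothing. The first rule is a lead rather than a verdict, since legitimate installers do place binaries under System32 sub-directories, which is why its allowlist must be maintained.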
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 90KB (hashes match the submitted sample)
  MD5: 074391e6f0bdc130acd14ac879ee7a8c
  SHA1: 6f4e95fa6f2beb5e9c6009727768c4f7b85cb517
  SHA256: 69a7526ed322f3919a210772bb0d2d8b2a4ce2a61caee4b170a37d646f97622c
  SHA512: 16672c5b7d532493f7ac7af45abc596bc4af40948a6179b1222166f31c9dbfda7eaedac147d649a4aae95526b45dc3327f7d4381ec6144e05af158527e01c423