Analysis
- max time kernel: 150s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-06-2024 15:26
Behavioral task behavioral1
- Sample: 074391e6f0bdc130acd14ac879ee7a8c_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task behavioral2
- Sample: 074391e6f0bdc130acd14ac879ee7a8c_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: 074391e6f0bdc130acd14ac879ee7a8c_JaffaCakes118.exe
- Size: 90KB
- MD5: 074391e6f0bdc130acd14ac879ee7a8c
- SHA1: 6f4e95fa6f2beb5e9c6009727768c4f7b85cb517
- SHA256: 69a7526ed322f3919a210772bb0d2d8b2a4ce2a61caee4b170a37d646f97622c
- SHA512: 16672c5b7d532493f7ac7af45abc596bc4af40948a6179b1222166f31c9dbfda7eaedac147d649a4aae95526b45dc3327f7d4381ec6144e05af158527e01c423
- SSDEEP: 1536:mcHA5dZuvrKA1r4Jwwi55dlvo89UBYKpJ0pHWG7m9pAsiyRlIm3UKLgirOdYy/:mcg7UrKqUwflAZYKX6aAsiyZxTuY
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (15 IoCs)
  Processes (resource: yara_rule):
  - behavioral2/memory/4292-9-0x0000000000400000-0x000000000043C000-memory.dmp: modiloader_stage2
  - behavioral2/memory/4372-11-0x0000000000400000-0x000000000043C000-memory.dmp: modiloader_stage2
  - behavioral2/memory/4372-12-0x0000000000400000-0x000000000043C000-memory.dmp: modiloader_stage2
  - behavioral2/memory/4372-13-0x0000000000400000-0x000000000043C000-memory.dmp: modiloader_stage2
  - behavioral2/memory/4372-14-0x0000000000400000-0x000000000043C000-memory.dmp: modiloader_stage2
  - behavioral2/memory/4372-15-0x0000000000400000-0x000000000043C000-memory.dmp: modiloader_stage2
  - behavioral2/memory/4372-16-0x0000000000400000-0x000000000043C000-memory.dmp: modiloader_stage2
  - behavioral2/memory/4372-17-0x0000000000400000-0x000000000043C000-memory.dmp: modiloader_stage2
  - behavioral2/memory/4372-18-0x0000000000400000-0x000000000043C000-memory.dmp: modiloader_stage2
  - behavioral2/memory/4372-19-0x0000000000400000-0x000000000043C000-memory.dmp: modiloader_stage2
  - behavioral2/memory/4372-20-0x0000000000400000-0x000000000043C000-memory.dmp: modiloader_stage2
  - behavioral2/memory/4372-21-0x0000000000400000-0x000000000043C000-memory.dmp: modiloader_stage2
  - behavioral2/memory/4372-22-0x0000000000400000-0x000000000043C000-memory.dmp: modiloader_stage2
  - behavioral2/memory/4372-23-0x0000000000400000-0x000000000043C000-memory.dmp: modiloader_stage2
  - behavioral2/memory/4372-24-0x0000000000400000-0x000000000043C000-memory.dmp: modiloader_stage2
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (074391e6f0bdc130acd14ac879ee7a8c_JaffaCakes118.exe)
- Deletes itself (1 IoC)
  Processes (pid, process):
  - 4372 msmgrs.exe
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntdll.lnk (msmgrs.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntdll.lnk (msmgrs.exe)
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 4372 msmgrs.exe
- UPX packed resources (yara rule: upx; 17 IoCs)
  Processes (resource: yara_rule):
  - behavioral2/memory/4292-0-0x0000000000400000-0x000000000043C000-memory.dmp: upx
  - C:\Windows\SysWOW64\wins\setup\msmgrs.exe: upx
  - behavioral2/memory/4292-9-0x0000000000400000-0x000000000043C000-memory.dmp: upx
  - behavioral2/memory/4372-11-0x0000000000400000-0x000000000043C000-memory.dmp: upx
  - behavioral2/memory/4372-12-0x0000000000400000-0x000000000043C000-memory.dmp: upx
  - behavioral2/memory/4372-13-0x0000000000400000-0x000000000043C000-memory.dmp: upx
  - behavioral2/memory/4372-14-0x0000000000400000-0x000000000043C000-memory.dmp: upx
  - behavioral2/memory/4372-15-0x0000000000400000-0x000000000043C000-memory.dmp: upx
  - behavioral2/memory/4372-16-0x0000000000400000-0x000000000043C000-memory.dmp: upx
  - behavioral2/memory/4372-17-0x0000000000400000-0x000000000043C000-memory.dmp: upx
  - behavioral2/memory/4372-18-0x0000000000400000-0x000000000043C000-memory.dmp: upx
  - behavioral2/memory/4372-19-0x0000000000400000-0x000000000043C000-memory.dmp: upx
  - behavioral2/memory/4372-20-0x0000000000400000-0x000000000043C000-memory.dmp: upx
  - behavioral2/memory/4372-21-0x0000000000400000-0x000000000043C000-memory.dmp: upx
  - behavioral2/memory/4372-22-0x0000000000400000-0x000000000043C000-memory.dmp: upx
  - behavioral2/memory/4372-23-0x0000000000400000-0x000000000043C000-memory.dmp: upx
  - behavioral2/memory/4372-24-0x0000000000400000-0x000000000043C000-memory.dmp: upx
- Drops file in System32 directory (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Windows\SysWOW64\wins\setup\msmgrs.exe (074391e6f0bdc130acd14ac879ee7a8c_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\SysWOW64\wins\setup\msmgrs.exe (074391e6f0bdc130acd14ac879ee7a8c_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid, process):
  - 4292 074391e6f0bdc130acd14ac879ee7a8c_JaffaCakes118.exe (2 entries)
  - 4372 msmgrs.exe (2 entries)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description, pid, process, target process):
  - PID 4292 wrote to memory of 4372: 074391e6f0bdc130acd14ac879ee7a8c_JaffaCakes118.exe -> msmgrs.exe (3 entries)
  - PID 4372 wrote to memory of 764: msmgrs.exe -> cmd.exe (3 entries)
  - PID 4372 wrote to memory of 3852: msmgrs.exe -> cmd.exe (3 entries)
  - PID 3852 wrote to memory of 3488: cmd.exe -> regsvr32.exe (3 entries)
  - PID 764 wrote to memory of 2184: cmd.exe -> regsvr32.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\074391e6f0bdc130acd14ac879ee7a8c_JaffaCakes118.exe (PID 4292)
  Command line: "C:\Users\Admin\AppData\Local\Temp\074391e6f0bdc130acd14ac879ee7a8c_JaffaCakes118.exe"
  Signatures: Checks computer location settings; Drops file in System32 directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wins\setup\msmgrs.exe (PID 4372)
    Command line: "C:\Windows\system32\wins\setup\msmgrs.exe"
    Signatures: Deletes itself; Drops startup file; Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 764)
      Command line: cmd.exe + command.com /c regsvr32 /u /s %WINDIR%/"Downloaded Program Files"/JaguarEditControl.dll
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\regsvr32.exe (PID 2184)
        Command line: regsvr32 /u /s C:\Windows/"Downloaded Program Files"/JaguarEditControl.dll
    - C:\Windows\SysWOW64\cmd.exe (PID 3852)
      Command line: cmd.exe + command.com /c regsvr32 /u /s %WINDIR%/"Downloaded Program Files"/tebedit.ocx
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\regsvr32.exe (PID 3488)
        Command line: regsvr32 /u /s C:\Windows/"Downloaded Program Files"/tebedit.ocx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4596)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3720 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 90KB
- MD5: 074391e6f0bdc130acd14ac879ee7a8c
- SHA1: 6f4e95fa6f2beb5e9c6009727768c4f7b85cb517
- SHA256: 69a7526ed322f3919a210772bb0d2d8b2a4ce2a61caee4b170a37d646f97622c
- SHA512: 16672c5b7d532493f7ac7af45abc596bc4af40948a6179b1222166f31c9dbfda7eaedac147d649a4aae95526b45dc3327f7d4381ec6144e05af158527e01c423