Analysis
max time kernel: 79s
max time network: 88s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 17:02
Static task: static1
Behavioral task: behavioral1
  Sample: 0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe
Size: 307KB
MD5: 0804a8a96641c1fdf34a7bace3e631df
SHA1: b186a9d3fec5a3ce2ff60ae77692baf86d1eecb6
SHA256: 6a190bcafe9cc319f49062f37afb7ab5cd0abd61b95a7cd027c61edb1c16ba09
SHA512: f1f97cfc503f0b35d8ab1e069cc948e21536baa701babb319045ad84bec14060e2854477e31fb6dc9146de0ff9ad440822b5f3835acafcd1b4470a5be5c49e6f
SSDEEP: 6144:160drKkUVCjsAJ6QrA+wK5e87AHZ+Z1/uGokN/Fdb65a:Xd9cjRQrhwI73uGhzu5
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/528-14-0x0000000000400000-0x0000000000553210-memory.dmp | modiloader_stage2
behavioral2/memory/264-15-0x0000000000400000-0x0000000000553210-memory.dmp | modiloader_stage2
Executes dropped EXE 1 IoCs
Processes:
pid | process
528 | explorer.bat
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 528 set thread context of 3036 | 528 | explorer.bat | IEXPLORE.EXE
Drops file in Program Files directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\explorer.bat | 0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe
File opened for modification | C:\Program Files\explorer.bat | 0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe
File created | C:\Program Files\SxDel.bat | 0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425064832" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E2F7D3CC-2F26-11EF-BCA5-C2748A3A93CE} = "0" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
3036 | IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid | process
3036 | IEXPLORE.EXE
3036 | IEXPLORE.EXE
4964 | IEXPLORE.EXE
4964 | IEXPLORE.EXE
4964 | IEXPLORE.EXE
4964 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description | pid | process | target process
PID 264 wrote to memory of 528 | 264 | 0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe | explorer.bat
PID 264 wrote to memory of 528 | 264 | 0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe | explorer.bat
PID 264 wrote to memory of 528 | 264 | 0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe | explorer.bat
PID 528 wrote to memory of 3036 | 528 | explorer.bat | IEXPLORE.EXE
PID 528 wrote to memory of 3036 | 528 | explorer.bat | IEXPLORE.EXE
PID 528 wrote to memory of 3036 | 528 | explorer.bat | IEXPLORE.EXE
PID 528 wrote to memory of 3036 | 528 | explorer.bat | IEXPLORE.EXE
PID 264 wrote to memory of 1144 | 264 | 0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe | cmd.exe
PID 264 wrote to memory of 1144 | 264 | 0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe | cmd.exe
PID 264 wrote to memory of 1144 | 264 | 0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe | cmd.exe
PID 3036 wrote to memory of 4964 | 3036 | IEXPLORE.EXE | IEXPLORE.EXE
PID 3036 wrote to memory of 4964 | 3036 | IEXPLORE.EXE | IEXPLORE.EXE
PID 3036 wrote to memory of 4964 | 3036 | IEXPLORE.EXE | IEXPLORE.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe"
  PID: 264
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  C:\Program Files\explorer.bat
    Command line: "C:\Program Files\explorer.bat"
    PID: 528
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\program files\internet explorer\IEXPLORE.EXE
      Command line: "C:\program files\internet explorer\IEXPLORE.EXE"
      PID: 3036
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3036 CREDAT:17410 /prefetch:2
        PID: 4964
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\SxDel.bat""
    PID: 1144
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 212B
  MD5: cffbdc82ea4f571f35ca41fa2bfa1ff9
  SHA1: 32c6529c26d0843009c1e58f9cea3c02acf39daf
  SHA256: 8676c9c15ec3f311a20f08ea45d4b1b8e9cd8c8207ed881fbb7669a63caf1bb7
  SHA512: 51b4b96d504f03797efd6dc5d1b756f16563fc414d483bc3900f7c8d59abe2e0c307aa888d85d23179dc59fa9720dff23dafe7870de4b096b953ce2142eb9702
- Filesize: 307KB
  MD5: 0804a8a96641c1fdf34a7bace3e631df
  SHA1: b186a9d3fec5a3ce2ff60ae77692baf86d1eecb6
  SHA256: 6a190bcafe9cc319f49062f37afb7ab5cd0abd61b95a7cd027c61edb1c16ba09
  SHA512: f1f97cfc503f0b35d8ab1e069cc948e21536baa701babb319045ad84bec14060e2854477e31fb6dc9146de0ff9ad440822b5f3835acafcd1b4470a5be5c49e6f