Analysis

  • max time kernel
    140s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-06-2024 17:07

General

  • Target

    080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe

  • Size

    103KB

  • MD5

    080e6056bb634db0ca0281f0a2e1f40c

  • SHA1

    fbe3b9e8b738ea92eba1752a707fc312aae500b8

  • SHA256

    78074191806c5291da8620b5a2d1f2b5a1f1ae030800f2f0aafc8245454cd1f0

  • SHA512

    af0b02bc6e0cd2455b59b357cdb123985323c91285f9b0d1e3c278b67f1168b2e0a86104d40f07ef47be6cd3104d635e5269f62d625b2166c71af6b5bd8ffdf4

  • SSDEEP

    3072:yNbtz8WfJOiAfm5o280PjiEOpMyGwP+Lf7+s+QwREyKFh/4:yNxz8WJAfm5380biEYK+2w6yKFd4

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modifies firewall policy service (3 TTPs, 2 IoCs)
  • ModiLoader Second Stage (2 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory (5 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Modifies registry class (6 IoCs)
  • Suspicious behavior: LoadsDriver (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (14 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Users\Admin\AppData\Local\Temp\tmp107.tmp
      C:\Users\Admin\AppData\Local\Temp\tmp107.tmp
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Users\Admin\AppData\Local\Temp\tmp107.tmp
        C:\Users\Admin\AppData\Local\Temp\tmp107.tmp
        3⤵
        • Modifies firewall policy service
        • Executes dropped EXE
        • Installs/modifies Browser Helper Object
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3068
    • C:\Windows\SysWOW64\NvVid.exe
      C:\Windows\system32\NvVid.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      PID:3052
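Added example, not part of the Triage report: the process tree above transcribed as data, with checks for the three patterns it shows (a non-.exe payload executed from the user's Temp directory, a process respawning its own image after SetThreadContext/WriteProcessMemory, and a command line naming system32 while the image actually runs from SysWOW64). Field values are taken from the report; the heuristics, thresholds and function names are my own.

```python
"""
Added example (not part of the Triage report): encode the report's process
tree as data and flag the execution patterns it shows. Field values come
from the report; the heuristics and function names are my own.
"""
import ntpath

# Process tree transcribed from the report: pid, parent pid, image path,
# command line, and the behaviours the sandbox attributed to that process.
PROCESS_TREE = [
    dict(pid=2344, ppid=None,
         image=r"C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe",
         cmdline=r'"C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe"',
         behaviours={"Loads dropped DLL", "Adds Run key to start application",
                     "Drops file in System32 directory",
                     "Suspicious use of WriteProcessMemory"}),
    dict(pid=1656, ppid=2344,
         image=r"C:\Users\Admin\AppData\Local\Temp\tmp107.tmp",
         cmdline=r"C:\Users\Admin\AppData\Local\Temp\tmp107.tmp",
         behaviours={"Executes dropped EXE", "Loads dropped DLL",
                     "Suspicious use of SetThreadContext",
                     "Suspicious use of WriteProcessMemory"}),
    dict(pid=3068, ppid=1656,
         image=r"C:\Users\Admin\AppData\Local\Temp\tmp107.tmp",
         cmdline=r"C:\Users\Admin\AppData\Local\Temp\tmp107.tmp",
         behaviours={"Modifies firewall policy service", "Executes dropped EXE",
                     "Installs/modifies Browser Helper Object",
                     "Drops file in System32 directory", "Modifies registry class",
                     "Suspicious use of SetWindowsHookEx"}),
    dict(pid=3052, ppid=2344,
         image=r"C:\Windows\SysWOW64\NvVid.exe",
         cmdline=r"C:\Windows\system32\NvVid.exe",
         behaviours={"Executes dropped EXE", "Enumerates connected drives"}),
]

# Both API signatures together are the usual footprint of process hollowing.
INJECTION_APIS = {"Suspicious use of SetThreadContext",
                  "Suspicious use of WriteProcessMemory"}


def analyse_tree(tree):
    """Return (pid, finding) tuples for the patterns described below."""
    by_pid = {p["pid"]: p for p in tree}
    findings = []
    for p in tree:
        image = p["image"]
        name = ntpath.basename(image).lower()
        # 1. Payload launched from %TEMP% with a non-executable extension
        #    (here .tmp): typical of a dropped second stage.
        if "\\appdata\\local\\temp\\" in image.lower() and not name.endswith(".exe"):
            findings.append((p["pid"], "non-.exe payload executed from %TEMP%"))
        parent = by_pid.get(p["ppid"])
        if parent is None:
            continue
        # 2. Parent spawns a second copy of its own image after using
        #    SetThreadContext and WriteProcessMemory: the shape of hollowing
        #    (child created suspended, image overwritten, thread context
        #    redirected to the new entry point).
        if parent["image"].lower() == image.lower() and INJECTION_APIS <= parent["behaviours"]:
            findings.append((p["pid"],
                             f"self-respawn of {name} by pid {parent['pid']} with "
                             f"SetThreadContext+WriteProcessMemory (hollowing candidate)"))
        # 3. Command line names system32 but the image runs from SysWOW64:
        #    WOW64 file-system redirection, so the process is 32-bit and the
        #    parent's "drops file in System32" is where the file came from.
        if ("\\system32\\" in p["cmdline"].lower() and "\\syswow64\\" in image.lower()
                and "Drops file in System32 directory" in parent["behaviours"]):
            findings.append((p["pid"],
                             f"{name} dropped into System32 by parent and executed "
                             f"under WOW64 redirection"))
    return findings


if __name__ == "__main__":
    for pid, finding in analyse_tree(PROCESS_TREE):
        print(pid, finding)
```

The same checks apply to any sandbox or EDR process tree once it is in this shape; the hollowing check needs both API signatures on the parent, since WriteProcessMemory alone fires for many benign installers.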

Network

MITRE ATT&CK Enterprise v15


Downloads

  • \Users\Admin\AppData\Local\Temp\tmp107.tmp

    Filesize

    97KB

    MD5

    45203d8f70415aa4e19d70dbaae20a06

    SHA1

    63325381fa3b86c1a056809e7c4d83b6a7db6305

    SHA256

    d61697bc06aae1b6b617b7d17ffe5be4f0e01946d6e17a7326bf18c0100566a0

    SHA512

    dbc38698d259405ab6f901bdc08464eca50391f787c6020821d2ed2effdb4f38d622fe77404833c9bd1b9d45560272048df7703de238890f16d4000b7013da25

  • \Windows\SysWOW64\NvVid.exe

    Filesize

    103KB

    MD5

    080e6056bb634db0ca0281f0a2e1f40c

    SHA1

    fbe3b9e8b738ea92eba1752a707fc312aae500b8

    SHA256

    78074191806c5291da8620b5a2d1f2b5a1f1ae030800f2f0aafc8245454cd1f0

    SHA512

    af0b02bc6e0cd2455b59b357cdb123985323c91285f9b0d1e3c278b67f1168b2e0a86104d40f07ef47be6cd3104d635e5269f62d625b2166c71af6b5bd8ffdf4

  • memory/1656-20-0x0000000013140000-0x000000001315F000-memory.dmp

    Filesize

    124KB

  • memory/2344-29-0x0000000000400000-0x0000000000404000-memory.dmp

    Filesize

    16KB

  • memory/2344-25-0x0000000000020000-0x0000000000024000-memory.dmp

    Filesize

    16KB

  • memory/2344-0-0x0000000000400000-0x0000000000404000-memory.dmp

    Filesize

    16KB

  • memory/3052-33-0x0000000000400000-0x0000000000404000-memory.dmp

    Filesize

    16KB

  • memory/3068-17-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/3068-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/3068-14-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/3068-24-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/3068-32-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/3068-34-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB
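Added example, not part of the Triage report: the dropped-file hashes and memory-dump names above, transcribed as data and correlated. Two things fall out of the list that are easy to miss when reading it by hand: NvVid.exe in SysWOW64 carries exactly the sample's own hashes (a self-copy, dropped by the process that also added a Run key; the report does not show the key's value), and the region at 0x400000 in pid 3068 is both the largest image-base region and the one dumped most often (five times), while the two copies of the unmodified binary, pids 2344 and 3052, show an identical 16 KiB image region. The triage-order heuristic and all function names are my own.

```python
"""
Added example (not part of the Triage report): correlate the artefacts in the
Downloads section. Hashes and dump names are transcribed from the report; the
functions and the triage heuristic are my own.
"""
import re

SAMPLE_SHA256 = "78074191806c5291da8620b5a2d1f2b5a1f1ae030800f2f0aafc8245454cd1f0"

# Dropped files and their SHA256, as listed in the report.
DROPPED_FILES = {
    r"\Users\Admin\AppData\Local\Temp\tmp107.tmp":
        "d61697bc06aae1b6b617b7d17ffe5be4f0e01946d6e17a7326bf18c0100566a0",
    r"\Windows\SysWOW64\NvVid.exe":
        "78074191806c5291da8620b5a2d1f2b5a1f1ae030800f2f0aafc8245454cd1f0",
}

# Memory dump names as listed in the report: memory/<pid>-<seq>-<start>-<end>-memory.dmp
MEMORY_DUMPS = [
    "memory/1656-20-0x0000000013140000-0x000000001315F000-memory.dmp",
    "memory/2344-29-0x0000000000400000-0x0000000000404000-memory.dmp",
    "memory/2344-25-0x0000000000020000-0x0000000000024000-memory.dmp",
    "memory/2344-0-0x0000000000400000-0x0000000000404000-memory.dmp",
    "memory/3052-33-0x0000000000400000-0x0000000000404000-memory.dmp",
    "memory/3068-17-0x0000000000400000-0x0000000000416000-memory.dmp",
    "memory/3068-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/3068-14-0x0000000000400000-0x0000000000416000-memory.dmp",
    "memory/3068-24-0x0000000000400000-0x0000000000416000-memory.dmp",
    "memory/3068-32-0x0000000000400000-0x0000000000416000-memory.dmp",
    "memory/3068-34-0x0000000000400000-0x0000000000416000-memory.dmp",
]

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def self_copies(sample_sha256, dropped):
    """Dropped files that are byte-identical to the submitted sample."""
    return [path for path, sha in dropped.items() if sha == sample_sha256]


def parse_dump(name):
    """Split a dump name into pid, sequence number, start, end and size."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return dict(pid=pid, seq=seq, start=start, end=end, size=end - start)


def region_summary(dumps):
    """Per (pid, start, end): how often the region was dumped and its size."""
    counts = {}
    for d in map(parse_dump, dumps):
        key = (d["pid"], d["start"], d["end"])
        counts[key] = counts.get(key, 0) + 1
    return {k: dict(count=c, size=k[2] - k[1]) for k, c in counts.items()}


def image_region_sizes(dumps, base=0x400000):
    """Largest dumped region starting at the default 32-bit image base, per pid.
    Processes running the same unmodified binary should agree here."""
    sizes = {}
    for d in map(parse_dump, dumps):
        if d["start"] == base:
            sizes[d["pid"]] = max(sizes.get(d["pid"], 0), d["size"])
    return sizes


def triage_order(dumps, base=0x400000):
    """Image-base regions sorted by (dump count, size), largest first: my
    heuristic for which dump to open first when looking for the unpacked
    stage. Returns (pid, start, end, size, count) tuples."""
    summary = region_summary(dumps)
    cands = [(k, v) for k, v in summary.items() if k[1] == base]
    cands.sort(key=lambda kv: (kv[1]["count"], kv[1]["size"]), reverse=True)
    return [(k[0], k[1], k[2], v["size"], v["count"]) for k, v in cands]


def kib(n):
    return n // 1024


if __name__ == "__main__":
    print("self-copies of the sample:", self_copies(SAMPLE_SHA256, DROPPED_FILES))
    for pid, start, end, size, count in triage_order(MEMORY_DUMPS):
        print(f"pid {pid} {start:#010x}-{end:#010x} {kib(size)} KiB dumped {count}x")
```

The 0x400000 default base only applies to 32-bit images without ASLR relocation, which fits a sample running under WOW64; pass a different base for other targets.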