Analysis
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 20-06-2024 17:07
Static task: static1
Behavioral task: behavioral1
  Sample: 080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe
Size: 103KB
MD5: 080e6056bb634db0ca0281f0a2e1f40c
SHA1: fbe3b9e8b738ea92eba1752a707fc312aae500b8
SHA256: 78074191806c5291da8620b5a2d1f2b5a1f1ae030800f2f0aafc8245454cd1f0
SHA512: af0b02bc6e0cd2455b59b357cdb123985323c91285f9b0d1e3c278b67f1168b2e0a86104d40f07ef47be6cd3104d635e5269f62d625b2166c71af6b5bd8ffdf4
SSDEEP: 3072:yNbtz8WfJOiAfm5o280PjiEOpMyGwP+Lf7+s+QwREyKFh/4:yNxz8WJAfm5380biEYK+2w6yKFd4
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies firewall policy service (3 TTPs, 4 IoCs)
Process: tmp107.tmp
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
The value uses the legacy "path:scope:mode:name" application-exception format, with "*" meaning all addresses; its effect is to whitelist IEXPLORE.EXE, the host process of the Browser Helper Object this same process registers.
ModiLoader Second Stage (2 IoCs)
YARA rule modiloader_stage2 matched:
- C:\Users\Admin\AppData\Local\Temp\tmp107.tmp (dropped file)
- behavioral2/memory/2648-14-0x0000000013140000-0x000000001315F000-memory.dmp (memory dump of PID 2648)
Executes dropped EXE (3 IoCs)
- PID 2648: tmp107.tmp
- PID 932: NvVid.exe
- PID 2356: tmp107.tmp
Adds Run key to start application (2 TTPs, 1 IoCs)
Process: 080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NvVideoCenter = "C:\\Windows\\system32\\NvVid.exe"
The WOW6432Node path shows the 32-bit sample writing under registry redirection; the file the value points at was dropped as C:\Windows\SysWOW64\NvVid.exe (see "Drops file in System32 directory"), the redirected location of system32 for a 32-bit process.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: NvVid.exe
- File opened (read-only), 21 drive letters, listed here alphabetically: \??\e:, \??\g:, \??\h:, \??\i:, \??\j:, \??\k:, \??\l:, \??\m:, \??\n:, \??\o:, \??\p:, \??\q:, \??\r:, \??\s:, \??\t:, \??\u:, \??\v:, \??\w:, \??\x:, \??\y:, \??\z:
Installs/modifies Browser Helper Object (2 TTPs, 1 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Process: tmp107.tmp
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\browser helper obJects\{23314D99-1240-4d4f-A25C-17E44823D048}
The key name casing is reproduced as logged; registry key names are case-insensitive, so a detection on this path must not be case-sensitive.
Drops file in System32 directory (5 IoCs)
Process: 080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe
- File created: C:\Windows\SysWOW64\NvVid.sys
- File created: C:\Windows\SysWOW64\NvVid.exe
- File opened for modification: C:\Windows\SysWOW64\NvVid.exe
Process: tmp107.tmp
- File created: C:\Windows\SysWOW64\ipv6monl.dll
- File opened for modification: C:\Windows\SysWOW64\ipv6monl.dll
Suspicious use of SetThreadContext (1 IoCs)
- PID 2648 (tmp107.tmp) set thread context of PID 2356 (tmp107.tmp)
Modifies registry class (6 IoCs)
Process: tmp107.tmp
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048}\InprocServer32\Enable Browser Extensions = "yes"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{23314D99-1240-4d4f-A25C-17E44823D048}
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048}
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048}\InprocServer32
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048}\InprocServer32\ = "C:\\Windows\\SysWow64\\ipv6monl.dll"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048}\InprocServer32\ThreadingModel = "apartment"
The CLSID is the one registered under "browser helper obJects" above, and the empty-named (default) InprocServer32 value is the DLL COM loads for it, so Internet Explorer will load the dropped C:\Windows\SysWOW64\ipv6monl.dll as the BHO.
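The four registry changes recorded in the signatures above (the Run value, the BHO key, the CLSID/InprocServer32 registration and the firewall AuthorizedApplications entry) are what a detection should both match and correlate: the BHO key alone yields only a GUID, and the DLL that will actually be loaded is found under that GUID's InprocServer32 key. The following Python is an added example and is not part of this sandbox report. It assumes a constructed, pipe-separated "EventType|Image|TargetObject|Details" event shape (loosely modelled on Sysmon registry events); the sample lines are built from the IoCs listed on this page and are not real log output.

```python
"""Registry IoC matcher for the persistence / firewall changes seen in the report.

Added example, not part of the sandbox report. Event lines use a constructed
'EventType|Image|TargetObject|Details' shape (assumption, loosely modelled on
Sysmon registry events); the sample lines are built from the report's IoCs.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str  # label of the matched rule
    image: str      # process that made the change
    key: str        # registry path touched
    detail: str     # value data, empty for key creation


# Key-path patterns corresponding to the four registry signatures in the report.
RULES = [
    ("Registry Run key persistence",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)),
    ("Browser Helper Object registration",
     re.compile(r"\\Explorer\\Browser Helper Objects\\\{[0-9A-F-]{36}\}$", re.I)),
    ("COM InprocServer32 registration",
     re.compile(r"\\CLSID\\\{[0-9A-F-]{36}\}\\InprocServer32\\", re.I)),
    ("Firewall authorized-application exception",
     re.compile(r"\\FirewallPolicy\\\w+Profile\\AuthorizedApplications\\List\\", re.I)),
]
GUID_RE = re.compile(r"\{([0-9A-F-]{36})\}", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)

# Constructed sample events (paths and values taken from the report's IoCs).
SAMPLE_EVENTS = [
    r"SetValue|C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe"
    r"|HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NvVideoCenter|C:\Windows\system32\NvVid.exe",
    r"CreateKey|C:\Users\Admin\AppData\Local\Temp\tmp107.tmp"
    r"|HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    r"\{23314D99-1240-4d4f-A25C-17E44823D048}|",
    r"SetValue|C:\Users\Admin\AppData\Local\Temp\tmp107.tmp"
    r"|HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048}\InprocServer32\(Default)"
    r"|C:\Windows\SysWow64\ipv6monl.dll",
    r"SetValue|C:\Users\Admin\AppData\Local\Temp\tmp107.tmp"
    r"|HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
    r"\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    r"|C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer",
    # Benign control line (constructed): a system process touching its own key, must not match.
    r"SetValue|C:\Windows\System32\svchost.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\LastRun|2024-06-20",
]


def parse_event(line):
    """Split one constructed event line into its four fields."""
    etype, image, key, detail = line.split("|", 3)
    return etype, image, key, detail


def match_registry_events(lines):
    """Return a Finding for every event whose key path hits one of RULES."""
    findings = []
    for line in lines:
        _etype, image, key, detail = parse_event(line)
        for name, pattern in RULES:
            if pattern.search(key):
                findings.append(Finding(name, image, key, detail))
    return findings


def bho_dll_map(findings):
    """Join each BHO registration (GUID) to the DLL named by that CLSID's
    default InprocServer32 value; None if no InprocServer32 DLL was seen."""
    inproc = {}
    for f in findings:
        if f.technique == "COM InprocServer32 registration" and f.detail.lower().endswith(".dll"):
            inproc[GUID_RE.search(f.key).group(1).upper()] = f.detail
    result = {}
    for f in findings:
        if f.technique == "Browser Helper Object registration":
            guid = GUID_RE.search(f.key).group(1).upper()
            result[guid] = inproc.get(guid)
    return result


def from_user_writable(findings):
    """Findings whose writer runs from the user's profile (AppData, Temp)."""
    return [f for f in findings if USER_WRITABLE.search(f.image)]


if __name__ == "__main__":
    found = match_registry_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.technique}: {f.image} -> {f.key} {f.detail}".rstrip())
    print("BHO -> DLL:", bho_dll_map(found))
```

All four hits come from images under the user's Temp directory, which is the cheapest first filter for this kind of registry activity; the GUID join is what turns a bare BHO registration into a file path you can hash and hunt for on other hosts.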
Suspicious behavior: LoadsDriver (1 IoCs)
- PID 664 (process name not recorded in the report)
Suspicious use of SetWindowsHookEx (1 IoCs)
- PID 2356: tmp107.tmp
Suspicious use of WriteProcessMemory (11 IoCs)
- PID 4788 (080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe) wrote to memory of PID 2648 (tmp107.tmp), 3 times
- PID 4788 (080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe) wrote to memory of PID 932 (NvVid.exe), 3 times
- PID 2648 (tmp107.tmp) wrote to memory of PID 2356 (tmp107.tmp), 5 times
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe (PID 4788)
  command line: "C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe"
  signatures: Adds Run key to start application; Drops file in System32 directory; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\tmp107.tmp (PID 2648)
    command line: C:\Users\Admin\AppData\Local\Temp\tmp107.tmp
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\tmp107.tmp (PID 2356)
      command line: C:\Users\Admin\AppData\Local\Temp\tmp107.tmp
      signatures: Modifies firewall policy service; Executes dropped EXE; Installs/modifies Browser Helper Object; Drops file in System32 directory; Modifies registry class; Suspicious use of SetWindowsHookEx
  - [2] C:\Windows\SysWOW64\NvVid.exe (PID 932)
    command line: C:\Windows\system32\NvVid.exe
    signatures: Executes dropped EXE; Enumerates connected drives
Notes on the tree: PID 2648 launches a second instance of its own image, writes into it five times and sets its thread context, after which the child (PID 2356) performs all of the persistence and firewall changes; this is the shape of a loader hollowing a copy of itself, with the YARA hit on the PID 2648 memory dump as the second stage. PID 932's image path is C:\Windows\SysWOW64\NvVid.exe although it was started as C:\Windows\system32\NvVid.exe, which is WOW64 file-system redirection for a 32-bit parent.
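The tree above has three patterns worth encoding as rules: an executable run from the user's Temp directory, a parent that spawns a copy of its own image, writes into it and then resets a thread context there (PID 2648 into PID 2356), and a process whose image sits in SysWOW64 although its command line names system32 (PID 932). The Python below is an added example and not part of this report; the Proc and Inject record shapes are an assumption for the example, while the PIDs, paths and write counts are the ones the report lists (the sample's own parent is not in the report, so it is given ppid 0).

```python
"""Process-tree triage for the parent/child and injection records in the report.

Added example, not part of the sandbox report. The record shapes (Proc, Inject)
are an assumption for the example; PIDs, images and counts are the report's,
and the unknown parent of the sample is given ppid 0.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str    # on-disk image path
    cmdline: str  # command line as launched


@dataclass(frozen=True)
class Inject:
    api: str  # "WriteProcessMemory" or "SetThreadContext"
    src: int  # acting PID
    dst: int  # target PID


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe"

# Constructed from the report's process tree (ppid 0 = parent not in the report).
PROCS = [
    Proc(4788, 0, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    Proc(2648, 4788, TEMP + r"\tmp107.tmp", TEMP + r"\tmp107.tmp"),
    Proc(2356, 2648, TEMP + r"\tmp107.tmp", TEMP + r"\tmp107.tmp"),
    Proc(932, 4788, r"C:\Windows\SysWOW64\NvVid.exe", r"C:\Windows\system32\NvVid.exe"),
]
# Constructed from the WriteProcessMemory / SetThreadContext IoCs (same counts).
INJECTS = (
    [Inject("WriteProcessMemory", 4788, 2648)] * 3
    + [Inject("WriteProcessMemory", 4788, 932)] * 3
    + [Inject("WriteProcessMemory", 2648, 2356)] * 5
    + [Inject("SetThreadContext", 2648, 2356)]
)


def hollowing_candidates(procs, injects):
    """(src, dst, image) for a parent that spawned a child with its own image,
    wrote into it and reset a thread context there.

    A parent writing into a child it just created also happens during ordinary
    process start-up (4788 -> 2648 and 4788 -> 932 here), so the rule insists on
    SetThreadContext as well and on the two images being identical.
    """
    by_pid = {p.pid: p for p in procs}
    seen = defaultdict(set)
    for i in injects:
        seen[(i.src, i.dst)].add(i.api)
    hits = []
    for (src, dst), apis in seen.items():
        parent, child = by_pid.get(src), by_pid.get(dst)
        if (parent and child and child.ppid == src
                and parent.image.lower() == child.image.lower()
                and {"WriteProcessMemory", "SetThreadContext"} <= apis):
            hits.append((src, dst, child.image))
    return hits


def temp_launched(procs):
    """PIDs whose image lives in the user's Temp directory."""
    return [p.pid for p in procs if re.search(r"\\AppData\\Local\\Temp\\", p.image, re.I)]


def wow64_redirected(procs):
    """PIDs whose command line says system32 but whose image is in SysWOW64:
    a 32-bit caller hit WOW64 file-system redirection (NvVid.exe here)."""
    return [p.pid for p in procs
            if "\\syswow64\\" in p.image.lower() and "\\system32\\" in p.cmdline.lower()]


def render_tree(procs):
    """Indented 'pid image' lines, one per process, children under parents."""
    by_pid = {p.pid: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p)
    lines = []

    def walk(p, depth):
        lines.append("  " * depth + f"{p.pid} {p.image}")
        for c in children[p.pid]:
            walk(c, depth + 1)

    for root in (p for p in procs if p.ppid not in by_pid):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCS)))
    print("hollowing candidates:", hollowing_candidates(PROCS, INJECTS))
    print("launched from Temp:", temp_launched(PROCS))
    print("WOW64-redirected:", wow64_redirected(PROCS))
```

The same-image plus SetThreadContext condition is what separates the 2648 to 2356 pair from the three writes the sample made into each child it started, which on their own are just process creation.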
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Browser Extensions (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (3)
Downloads
- Filesize: 97KB
  MD5: 45203d8f70415aa4e19d70dbaae20a06
  SHA1: 63325381fa3b86c1a056809e7c4d83b6a7db6305
  SHA256: d61697bc06aae1b6b617b7d17ffe5be4f0e01946d6e17a7326bf18c0100566a0
  SHA512: dbc38698d259405ab6f901bdc08464eca50391f787c6020821d2ed2effdb4f38d622fe77404833c9bd1b9d45560272048df7703de238890f16d4000b7013da25
- Filesize: 103KB (the submitted sample; hashes match the General section)
  MD5: 080e6056bb634db0ca0281f0a2e1f40c
  SHA1: fbe3b9e8b738ea92eba1752a707fc312aae500b8
  SHA256: 78074191806c5291da8620b5a2d1f2b5a1f1ae030800f2f0aafc8245454cd1f0
  SHA512: af0b02bc6e0cd2455b59b357cdb123985323c91285f9b0d1e3c278b67f1168b2e0a86104d40f07ef47be6cd3104d635e5269f62d625b2166c71af6b5bd8ffdf4