Analysis

  • max time kernel
    134s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-06-2024 17:58

General

  • Target

    086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe

  • Size

    268KB

  • MD5

    086f4dd9584cc8d05f6b56a6b68dc747

  • SHA1

    35091173ecfce7cf0b1beae0741376bf454d311f

  • SHA256

    173b5946fd6bc355b0969bbf059b3c68e8224029486cac28af1c88a2677336bf

  • SHA512

    1dbb99bdd7de99ec27dd2c0b07618f8e7ad61cf22849d9abbdf4314c04fe58507dc1467bffa9178a01e4033a276ce561492809d67d7ab07aa09e977c6056a07c

  • SSDEEP

    6144:a/0gARCFiEMhuCTesqh7+0S6+m0FbR54HaVPNx0DU//MR8PNnvJ/d:ZgAR6iEMUCs7cbbRmsDHnPRvld

Score
10/10

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 4 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe
      "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Windows\SysWOW64\calc.exe
        "C:\Windows\system32\calc.exe"
        3⤵
        PID:2608
        • C:\program files\internet explorer\IEXPLORE.EXE
          "C:\program files\internet explorer\IEXPLORE.EXE"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2912
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2496
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
        2⤵
        • Deletes itself
        PID:2828

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\AutoRun.inf

      Filesize

      175B

      MD5

      ec717a148c0c1573ad6a89a66095c8a0

      SHA1

      2677e5c816b191a5941be928f014ec201e7de18f

      SHA256

      d9c1af73c937692718c241a501d6213fac7803ab2f8504a845a540baf047c218

      SHA512

      1a925338fbdbb79bb8e38064b092d5a2dbd47095751ac9e88490f255db050598f209aa97da0d8a9984e173059cb13019d2f187d0efc9777afc6fcf82fb763797

    • C:\Program Files\Common Files\Microsoft Shared\MSInfo\ReDelBat.bat

      Filesize

      212B

      MD5

      91baa46248787aaf15cf57f165af25d0

      SHA1

      243ac9b44e75904237773767c65b9a1bf15c984e

      SHA256

      3e037b955fafb0da7f2f60d5e2bc8a73f32e3f2a646fbf90459812d52e7a4c9c

      SHA512

      2ceafcc236a7017128f36991f7faeb8b2b9d3db04a4f988c85f484854543449b4bf6a521e1bf41a64e4f7d91ea8fff672e94b464fbc1345a643ea2de9536082a

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      efa6102f4852448c4b993a78f8753e59

      SHA1

      02d940291b00c363073ea43f582e3c7c814a4a79

      SHA256

      fa11811b56ab5a4b4ff561296024e98c58fe53e36ca67d7f3aec8796e29b278d

      SHA512

      07702be8ebc2b94075ff9e11eaa5be8771fb5ee6cbfa8645f75ef6eb2d0571aa5d9fe787a4b7191a7b730b0dba8bd5b2e3cf259fbfc76b443d9aa1512ed849a4

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      b692085498817f4361bbe7e26f183298

      SHA1

      ef79c201c3e2dd0e90157192a886d1aff65ecf8e

      SHA256

      17bd516a16da3bb3985392ed82f2fa54928465eefd2018a268fde9a94f881297

      SHA512

      55ee40516246e67a66128b4cecc909818cf671a24b5955961d464cdd4e6567c0af75ca87aab737897894085f4ecb43723a6427ed206340f4402d2039b0987618

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      357c06479909deee0afc0ad4a0f1694f

      SHA1

      b24433a94cb994542f839cb9c2f0cc6e118ee390

      SHA256

      15f046d331a2c0bc3427389c029c7bb33b72aa97ffa97d5ae6bfb570ee76c85b

      SHA512

      b8ebf3e7b89fe75b7c538006d7b4bf94020e8e88011004a484d11476e6e14dc500b5e23203a829abf27bf69751f385ded228ff833e2cbf2b8613b58e52cf22c9

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      3c17becaab2e7a27819508c73b2de4c2

      SHA1

      b136820dbee5dc026b139c22cd45282ca76e6b16

      SHA256

      0fb0f8b029ad7c32f40f0c6d7a17399f6f1ee7dc751bc95371bc49e7a9234f61

      SHA512

      74195ec54882c3af5b04ae93ce336f0162610097a80a2e876a7be07732cb690a9700f58e1aca2b2a970842fc7acecd03b59c10517d111618a3f5649105c5dac0

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      c75feaa1d5643b5b3099d0486ba5d16b

      SHA1

      b2af3375a5d4e41d7a1a5563617028dea3b91d1a

      SHA256

      4227dd475d53c68313adc3f6cd12eddde1dfe4db44b218c483ca500b1985a372

      SHA512

      d61107550d4325f6981452b1e246cef46c0069f6a691583c6e18f26f5327f50cf67e62453236fbac4217aa0d9557590ec206ff3c2d35883870ecbcd378382f20

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      3abbdec4c16e63582d39739b9fb88da0

      SHA1

      2b7c87c2f4aff656b66f4fd8bf95abfff3948abe

      SHA256

      14f4d8a0cd67a0002dfb21a04c8254d85ffd1176f146fc2145e25f7bfcab0b01

      SHA512

      b6eeb931ee2540385c0c728a99bad66eb27acd2bb4419d76ec8ddf50defb0aa73eb72226ec107d15ab9abd03feef4b04162d705ba8dce2f2e1a3f217e0ac8565

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      2c47d0b947480003e952c8186af73d4f

      SHA1

      0773f6a62e5a870b79488fb709357032ab4c5b6f

      SHA256

      cbe18714d708481bc3c0b4caf855ed4821652094dc72fc6672bd072e570ae3d1

      SHA512

      50b96d3424f9f130adb2dbdaa119b94e9f81aa876e65a0c7ea2b1f29c2bdeeea5a950735e9b0b6651a0b1a134dbe86781d9c495d412f99c8a9d57173f765b708

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      09e449ba391f8f9338c3cff5e9f7613b

      SHA1

      29f849a0275272129b8a9184b69fcafc823d82a0

      SHA256

      92ddf7ed34146c9714927e729e9befa1d2d1ecd1d3bbae5d17b9de00234a5cbd

      SHA512

      cf095ccd0cc9fc169cb92e08ea70aa1051f95f8a86ef5f47288b4840f5b0d5236076c827fcbf6ff352ee519983ed643664d284d1d02d378573f9494abf401547

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      7f6d4fe6d1a58de3d7bafb22fa650835

      SHA1

      ea23bfbaa982cb1f5ec5c942c59734c383f05e0e

      SHA256

      1368e6876d85e1c9706ddbc12dc389762d8b956c130fddeb33017fc363e2e85a

      SHA512

      13277b5046551acfdb46c6605624782ab9099b5c57531c51df049edb7a6a1eb93562593afe5939324f1118b28af64d6210a902d2dbdbf151c287d767111b5a9c

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      f1a2271ad80de88f2368a2e2be3d92ad

      SHA1

      95804a134ab83007b3b0fa536a1b74a7cd4bcc3f

      SHA256

      9bb135835b1365d343a699be8d19d609b9e82e9a1d11a691cf5b65c916da6137

      SHA512

      a280d464e270127a7eaf6013e25c722e5eb491b79100a76ff44311e2efc22ef5a8a7b28e2d83e3100d91dc1dc6fa1f04a7f76f17c6392893da2b2f570de5d13d

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      33128082fc250374e18d8e5db335b2b2

      SHA1

      a4ef00136471f0aa288ab91e659232a04ed10baf

      SHA256

      608682f1c3547df13fe19b57bf2b2a6958f2ace564c32acf1491a23ffb2ab613

      SHA512

      8b137443eaf13be166c910ca01f7ddae9bb894481c26db563827ef311dbc266023bf2245d432894d934abeae19239870d13c58bd1439f5bc8a6acc02e5e2e1b4

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      091cbc9a04dd9d03e52152575267ecbc

      SHA1

      5189b5633b96ead01bc97a12c3599ecd308f4e76

      SHA256

      3c520ea00b3a2d3922fd3c1f7470b792b04f3495c7ed41ee3e1da9c5f3e65e65

      SHA512

      8edbf6be670100c58df0bed51210f739b0361fbe0dc9d32e27d4b03a1511e4adc3a057d2c3cceef42eaca028cf7235a7700ddc36ffc7624c4d68ff0ee486b0b3

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      94d0f54eac21d3707464064725448101

      SHA1

      9b70df4c5c5d53ffd8cb77f70ab2f60299076602

      SHA256

      4d0f7ee78a629ed9440fcef0487414339de82752927d04620f61df4e0727851e

      SHA512

      2c45f6a58dd7a49445ccd202e06ede5671d3451b780b43ad03e7c1a55400b98dc05f16da9e9626a77277ac72ab980606ac4db6fea98658bdd71e9e5242cb8bbe

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      651436438bc90dfe1e5aea588625bc7e

      SHA1

      6c33ab50d74ecdb010db869808b8e8497fc116fe

      SHA256

      0b83201cdaed6c3bb59df51859da94c73c992c4d2412027bac4616bf19f9a4e9

      SHA512

      6cdf6f18ea84fe1c6fdf12133dd810b372cf3ad635c84f008dade1a9edd3622ac9f4ddcd722e8ec17486bdbf88374fb3d1c7c89525b8164929f2aed04fd8650e

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      5dfebd9c945034b657afc59d01c46989

      SHA1

      0e08ccd7f65a686493faeabe494dc1397113204f

      SHA256

      8ff96556fdc8e2f5a770179f6c64bac3032f723304b0bf7529e68b75991953cd

      SHA512

      89cb654627222578d2636f551b6f1236c74f0d10bdfed3ae19983a13821c3368c6e143b7278cc13c598626f57168cd1493970fee358febc1650b33a0a1f7e6e7

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      2efc2d921129c394c01cf3d3cddfd8d5

      SHA1

      c74e840f9fccf38377446e29fa3fc8ddcbdf712c

      SHA256

      1c06b57d9cb579eaf2461e847e4e1c6a5f625d27d6ec2c64a9e15917337546ca

      SHA512

      4441fab30f3039721cad917584690a19c4aacdf751b75fe85ea892fc64e7334914e45798a40264f4b7db921b9158dbb12d60a308f16ccc1a3a991a10cf06144d

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      874fb845134821c3846ace68a7a70c3a

      SHA1

      79c4e8ca19430956adec07a72832c3eb82e8ccbd

      SHA256

      41afa6221898d42916007db582961dd5ee9b3ff0c4d19850467b758336fc4daf

      SHA512

      9e6c915f6fdef6006ac2c7ff56af368407db37d4c118b79f3ada640e50fb6a5034040d235acd29d66ba303c191f97e7cb1397cc38523baf364c9f0c16f4f378c

    • C:\Users\Admin\AppData\Local\Temp\Cab33EF.tmp

      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\Local\Temp\Tar3473.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • F:\rejoice81.exe

      Filesize

      268KB

      MD5

      086f4dd9584cc8d05f6b56a6b68dc747

      SHA1

      35091173ecfce7cf0b1beae0741376bf454d311f

      SHA256

      173b5946fd6bc355b0969bbf059b3c68e8224029486cac28af1c88a2677336bf

      SHA512

      1dbb99bdd7de99ec27dd2c0b07618f8e7ad61cf22849d9abbdf4314c04fe58507dc1467bffa9178a01e4033a276ce561492809d67d7ab07aa09e977c6056a07c

    • memory/1704-1-0x00000000006A0000-0x00000000006A1000-memory.dmp

      Filesize

      4KB

    • memory/1704-30-0x0000000002F60000-0x0000000003069000-memory.dmp

      Filesize

      1.0MB

    • memory/1704-55-0x0000000000400000-0x0000000000509000-memory.dmp

      Filesize

      1.0MB

    • memory/1704-2-0x0000000000400000-0x0000000000509000-memory.dmp

      Filesize

      1.0MB

    • memory/1704-0-0x0000000000400000-0x0000000000509000-memory.dmp

      Filesize

      1.0MB

    • memory/1704-3-0x00000000006A0000-0x00000000006A1000-memory.dmp

      Filesize

      4KB

    • memory/2052-34-0x0000000000260000-0x0000000000261000-memory.dmp

      Filesize

      4KB

    • memory/2052-33-0x0000000000400000-0x0000000000509000-memory.dmp

      Filesize

      1.0MB

    • memory/2052-54-0x0000000000400000-0x0000000000509000-memory.dmp

      Filesize

      1.0MB

    • memory/2052-32-0x0000000000400000-0x0000000000509000-memory.dmp

      Filesize

      1.0MB

    • memory/2608-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2608-42-0x0000000000400000-0x0000000000509000-memory.dmp

      Filesize

      1.0MB

    • memory/2608-46-0x0000000000470000-0x0000000000470000-memory.dmp

    • memory/2912-45-0x00000000001F0000-0x00000000002F9000-memory.dmp

      Filesize

      1.0MB