Analysis
  max time kernel: 79s
  max time network: 88s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 20-06-2024 17:58
Static task: static1
Behavioral task: behavioral1
  Sample: 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
  Target: 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  Size: 268KB
  MD5: 086f4dd9584cc8d05f6b56a6b68dc747
  SHA1: 35091173ecfce7cf0b1beae0741376bf454d311f
  SHA256: 173b5946fd6bc355b0969bbf059b3c68e8224029486cac28af1c88a2677336bf
  SHA512: 1dbb99bdd7de99ec27dd2c0b07618f8e7ad61cf22849d9abbdf4314c04fe58507dc1467bffa9178a01e4033a276ce561492809d67d7ab07aa09e977c6056a07c
  SSDEEP: 6144:a/0gARCFiEMhuCTesqh7+0S6+m0FbR54HaVPNx0DU//MR8PNnvJ/d:ZgAR6iEMUCs7cbbRmsDHnPRvld
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage 4 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/1844-2-0x0000000000400000-0x0000000000509000-memory.dmp | modiloader_stage2
  behavioral2/memory/4560-27-0x0000000000400000-0x0000000000509000-memory.dmp | modiloader_stage2
  behavioral2/memory/4560-37-0x0000000000400000-0x0000000000509000-memory.dmp | modiloader_stage2
  behavioral2/memory/1844-36-0x0000000000400000-0x0000000000509000-memory.dmp | modiloader_stage2
Executes dropped EXE 1 IoCs
Processes: rejoice81.exe
  pid | process
  4560 | rejoice81.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  description | ioc | process
  File opened (read-only) | \??\J: | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File opened (read-only) | \??\L: | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File opened (read-only) | \??\M: | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File opened (read-only) | \??\Q: | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File opened (read-only) | \??\E: | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File opened (read-only) | \??\I: | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File opened (read-only) | \??\H: | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File opened (read-only) | \??\K: | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File opened (read-only) | \??\O: | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File opened (read-only) | \??\P: | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File opened (read-only) | \??\R: | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File opened (read-only) | \??\V: | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File opened (read-only) | \??\A: | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File opened (read-only) | \??\G: | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File opened (read-only) | \??\W: | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File opened (read-only) | \??\Y: | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File opened (read-only) | \??\S: | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File opened (read-only) | \??\U: | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File opened (read-only) | \??\Z: | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File opened (read-only) | \??\B: | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File opened (read-only) | \??\N: | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File opened (read-only) | \??\T: | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File opened (read-only) | \??\X: | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  description | ioc | process
  File opened for modification | C:\AutoRun.inf | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File opened for modification | F:\AutoRun.inf | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
Drops file in System32 directory 2 IoCs
Processes: rejoice81.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\_rejoice81.exe | rejoice81.exe
  File opened for modification | C:\Windows\SysWOW64\_rejoice81.exe | rejoice81.exe
Suspicious use of SetThreadContext 2 IoCs
Processes: rejoice81.exe
  description | pid | process | target process
  PID 4560 set thread context of 2088 | 4560 | rejoice81.exe | calc.exe
  PID 4560 set thread context of 5104 | 4560 | rejoice81.exe | IEXPLORE.EXE
Drops file in Program Files directory 3 IoCs
Processes: 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  description | ioc | process
  File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
Program crash 1 IoCs
Processes: WerFault.exe
  pid | pid_target | process | target process
  1036 | 2088 | WerFault.exe | calc.exe
Modifies Internet Explorer settings
Processes: IEXPLORE.EXE, IEXPLORE.EXE
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425068169" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A7FF57CE-2F2E-11EF-BCA5-5AA21198C1D4} = "0" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
  Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: IEXPLORE.EXE
  pid | process
  5104 | IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs
Processes: IEXPLORE.EXE, IEXPLORE.EXE
  pid | process
  5104 | IEXPLORE.EXE
  5104 | IEXPLORE.EXE
  4816 | IEXPLORE.EXE
  4816 | IEXPLORE.EXE
  4816 | IEXPLORE.EXE
  4816 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 17 IoCs
Processes: 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe, rejoice81.exe, IEXPLORE.EXE
  description | pid | process | target process
  PID 1844 wrote to memory of 4560 | 1844 | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe | rejoice81.exe
  PID 1844 wrote to memory of 4560 | 1844 | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe | rejoice81.exe
  PID 1844 wrote to memory of 4560 | 1844 | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe | rejoice81.exe
  PID 4560 wrote to memory of 2088 | 4560 | rejoice81.exe | calc.exe
  PID 4560 wrote to memory of 2088 | 4560 | rejoice81.exe | calc.exe
  PID 4560 wrote to memory of 2088 | 4560 | rejoice81.exe | calc.exe
  PID 4560 wrote to memory of 2088 | 4560 | rejoice81.exe | calc.exe
  PID 4560 wrote to memory of 2088 | 4560 | rejoice81.exe | calc.exe
  PID 4560 wrote to memory of 5104 | 4560 | rejoice81.exe | IEXPLORE.EXE
  PID 4560 wrote to memory of 5104 | 4560 | rejoice81.exe | IEXPLORE.EXE
  PID 4560 wrote to memory of 5104 | 4560 | rejoice81.exe | IEXPLORE.EXE
  PID 1844 wrote to memory of 3740 | 1844 | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe | cmd.exe
  PID 1844 wrote to memory of 3740 | 1844 | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe | cmd.exe
  PID 1844 wrote to memory of 3740 | 1844 | 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe | cmd.exe
  PID 5104 wrote to memory of 4816 | 5104 | IEXPLORE.EXE | IEXPLORE.EXE
  PID 5104 wrote to memory of 4816 | 5104 | IEXPLORE.EXE | IEXPLORE.EXE
  PID 5104 wrote to memory of 4816 | 5104 | IEXPLORE.EXE | IEXPLORE.EXE
Processes
  C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe"
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1844
    C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe
    Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID:4560
      C:\Windows\SysWOW64\calc.exe
      Command line: "C:\Windows\system32\calc.exe"
        PID:2088
        C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 12
          - Program crash
          PID:1036
      C:\program files\internet explorer\IEXPLORE.EXE
      Command line: "C:\program files\internet explorer\IEXPLORE.EXE"
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID:5104
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5104 CREDAT:17410 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          PID:4816
    C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
      PID:3740
  C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2088 -ip 2088
    PID:3928
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 175B
  MD5: ec717a148c0c1573ad6a89a66095c8a0
  SHA1: 2677e5c816b191a5941be928f014ec201e7de18f
  SHA256: d9c1af73c937692718c241a501d6213fac7803ab2f8504a845a540baf047c218
  SHA512: 1a925338fbdbb79bb8e38064b092d5a2dbd47095751ac9e88490f255db050598f209aa97da0d8a9984e173059cb13019d2f187d0efc9777afc6fcf82fb763797

  Filesize: 212B
  MD5: 91baa46248787aaf15cf57f165af25d0
  SHA1: 243ac9b44e75904237773767c65b9a1bf15c984e
  SHA256: 3e037b955fafb0da7f2f60d5e2bc8a73f32e3f2a646fbf90459812d52e7a4c9c
  SHA512: 2ceafcc236a7017128f36991f7faeb8b2b9d3db04a4f988c85f484854543449b4bf6a521e1bf41a64e4f7d91ea8fff672e94b464fbc1345a643ea2de9536082a

  Filesize: 268KB
  MD5: 086f4dd9584cc8d05f6b56a6b68dc747
  SHA1: 35091173ecfce7cf0b1beae0741376bf454d311f
  SHA256: 173b5946fd6bc355b0969bbf059b3c68e8224029486cac28af1c88a2677336bf
  SHA512: 1dbb99bdd7de99ec27dd2c0b07618f8e7ad61cf22849d9abbdf4314c04fe58507dc1467bffa9178a01e4033a276ce561492809d67d7ab07aa09e977c6056a07c