Analysis
- max time kernel: 149s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-06-2024 18:11
Static task: static1
Behavioral task: behavioral1
- Sample: 08866ec866bc6324a21580821f7880c2_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 08866ec866bc6324a21580821f7880c2_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 08866ec866bc6324a21580821f7880c2_JaffaCakes118.exe
- Size: 102KB
- MD5: 08866ec866bc6324a21580821f7880c2
- SHA1: b509a89828f717dcc73037ae247c36777b9be19f
- SHA256: 6524578837a74f96b5d4a259d58299e2763306f040edc189c6386a62199cfe06
- SHA512: 13c7235f1d6f838b84da18cf827f358a2d20c8e37179ff840dcb74ec580e626329bcd588ebe7cc116b6ef8a3c031d957e5be231e98ce0fa6b762dcaf118fe65e
- SSDEEP: 3072:CbaxebqluFJtiCkZf19qhftlFS2SKtB3cmpEwjtLN5:Cm0ap9oT3SuOcEwV
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3144-2-0x0000000000400000-0x000000000046D000-memory.dmp | modiloader_stage2
  behavioral2/memory/3144-14-0x0000000000400000-0x000000000046D000-memory.dmp | modiloader_stage2
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msmsgs = "C:\\Program Files\\Internet Explorer\\explorer.exe" | 08866ec866bc6324a21580821f7880c2_JaffaCakes118.exe
- Drops file in Program Files directory (3 IoCs)
  description | ioc | process
  File opened for modification | C:\Program Files\Internet Explorer\icwhelp.dll | 08866ec866bc6324a21580821f7880c2_JaffaCakes118.exe
  File created | C:\Program Files\Internet Explorer\explorer.exe | 08866ec866bc6324a21580821f7880c2_JaffaCakes118.exe
  File opened for modification | C:\Program Files\Internet Explorer\explorer.exe | 08866ec866bc6324a21580821f7880c2_JaffaCakes118.exe
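The two signatures above are the part of this report worth turning into a hunt: a Run value written under WOW6432Node (the sample is 32-bit on a 64-bit host, so its HKLM\SOFTWARE writes are redirected there) that points at an explorer.exe the same process just created in the Internet Explorer folder, a location where no real explorer.exe lives. The following Python is an added example, not sandbox output or code from the sample. It runs that masquerade-plus-persistence check over a few constructed telemetry lines modelled on the IoCs above; the pipe-delimited event format, field names and the list of protected binary names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry modelled on this report's IoCs (not real sandbox output).
SAMPLE_EVENTS = [
    "RegSetValue|pid=3144|key=HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
    "|name=msmsgs|data=C:\\Program Files\\Internet Explorer\\explorer.exe",
    "FileCreate|pid=3144|path=C:\\Program Files\\Internet Explorer\\explorer.exe",
    "FileModify|pid=3144|path=C:\\Program Files\\Internet Explorer\\icwhelp.dll",
    # Benign control: a per-user Run entry for a normally located binary.
    "RegSetValue|pid=812|key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    "|name=OneDrive|data=\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background",
    # Benign control: explorer.exe created under %SystemRoot% (e.g. servicing).
    "FileCreate|pid=4|path=C:\\Windows\\explorer.exe",
]

# Names that legitimately exist only under %SystemRoot%; a copy elsewhere is masquerading.
# The list is an assumption for the example; extend it to suit your estate.
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM_ROOTS = ("c:\\windows\\",)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)


def parse_event(line):
    """Split 'Type|k=v|k=v' into a dict; values may contain backslashes and spaces."""
    kind, *fields = line.split("|")
    ev = {"type": kind}
    for f in fields:
        k, _, v = f.partition("=")
        ev[k] = v
    return ev


def exe_from_command(cmd):
    """Return the executable path from a Run-key command line, quoted or bare.

    The sandbox recorded the value as a bare path containing spaces, so the
    bare case cannot simply split on whitespace; it takes up to the first '.exe'.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def is_masquerading(path):
    """True if a protected system-binary name appears outside %SystemRoot%."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    return name in SYSTEM_BINARIES and not p.startswith(SYSTEM_ROOTS)


def analyze(lines):
    """Return findings: Run keys or file drops that masquerade, plus a per-PID correlation."""
    findings = []
    by_pid = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        pid = ev.get("pid")
        if ev["type"] == "RegSetValue" and RUN_KEY_RE.search(ev["key"]):
            target = exe_from_command(ev["data"])
            if is_masquerading(target):
                note = f"Run value {ev['name']} -> {target}"
                if "\\wow6432node\\" in ev["key"].lower():
                    # HKLM\SOFTWARE writes from a 32-bit process land here on x64 Windows;
                    # Windows still runs these entries at logon.
                    note += " (HKLM Run key reached via WOW6432Node: 32-bit writer on 64-bit host)"
                findings.append({"pid": pid, "rule": "run_key_masquerade", "detail": note})
                by_pid[pid].add("run")
        elif ev["type"] == "FileCreate" and is_masquerading(ev["path"]):
            findings.append({"pid": pid, "rule": "dropped_masquerade", "detail": ev["path"]})
            by_pid[pid].add("drop")
    # Same process both dropped a fake system binary and registered it for autostart.
    for pid, seen in by_pid.items():
        if seen == {"run", "drop"}:
            findings.append({"pid": pid, "rule": "persistence_via_dropped_masquerade",
                             "detail": "same process dropped a fake system binary and added it to Run"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid={f['pid']} {f['rule']}: {f['detail']}")
```

Against the constructed input the benign OneDrive entry and the in-place C:\Windows\explorer.exe are left alone, while PID 3144 produces three findings, the last being the correlated one that mirrors what the sandbox observed.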
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  3144 | 08866ec866bc6324a21580821f7880c2_JaffaCakes118.exe (all 64 entries are this same PID and image)
Processes
- C:\Users\Admin\AppData\Local\Temp\08866ec866bc6324a21580821f7880c2_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\08866ec866bc6324a21580821f7880c2_JaffaCakes118.exe"
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4648,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:8
  PID: 2204
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 31B
  MD5: c342c3d874ec39a72bca8a0c5a6a0bf6
  SHA1: 317c4755a3d300ea5e9e4fd85884dc80d6bf45b5
  SHA256: 8dcf2e0ac2d2a91012aafdba920e1cca7043864b0fa9a8df18251cc72f2f64b0
  SHA512: 36205e775f4dcd9320550eeb13f5dd4f4e18952bf46c84921a867bd81315f3c4248ce6cc29e62738a226b2a87f570fd99c7ee828e03f9116d11e3b2485540769