Analysis
- max time kernel: 118s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system
- submitted: 20-06-2024 19:30
Behavioral task: behavioral1
- Sample: 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe
- Size: 233KB
- MD5: 091c5a964683ba62f38ef111aacd1d49
- SHA1: 2b124933c40409482f3583af02160dbe832ce5ec
- SHA256: cdf6f848d8c68b8b521f675a8129292b120d08c8673ebd3619ad230a388a84cb
- SHA512: 013c7609b062885cc5283d441203a13bca6b38a1c8bc043d1eba0245fd088e833f141861a1e9e2cda4fc3406fb539668119494c065313103edb154d0dae1bc70
- SSDEEP: 6144:sLiX5MU9Y2jd58njRL4k85uMQVMX7tV13xqCwk:Lpd5YRLi5uMQVMXJnBq
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 7 IoCs
Processes:
resource | yara_rule
C:\Windows\fin32.exe | modiloader_stage2
behavioral1/memory/1904-15-0x0000000032000000-0x0000000032019000-memory.dmp | modiloader_stage2
C:\Windows\ykl32.exe | modiloader_stage2
behavioral1/memory/2716-35-0x0000000032000000-0x000000003200F000-memory.dmp | modiloader_stage2
C:\Windows\amr32.exe | modiloader_stage2
behavioral1/memory/2488-51-0x0000000032000000-0x0000000032015000-memory.dmp | modiloader_stage2
behavioral1/memory/2852-56-0x0000000000400000-0x000000000047D000-memory.dmp | modiloader_stage2
-
Executes dropped EXE 6 IoCs
Processes:
pid | process
1904 | fin32.exe
2624 | fin32.exe
2716 | ykl32.exe
2808 | ykl32.exe
2488 | amr32.exe
2536 | amr32.exe
-
Processes:
resource | yara_rule
behavioral1/memory/2852-0-0x0000000000400000-0x000000000047D000-memory.dmp | upx
behavioral1/memory/2852-56-0x0000000000400000-0x000000000047D000-memory.dmp | upx
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | fin32.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 1904 set thread context of 2624 | 1904 | fin32.exe | fin32.exe
PID 2716 set thread context of 2808 | 2716 | ykl32.exe | ykl32.exe
PID 2488 set thread context of 2536 | 2488 | amr32.exe | amr32.exe
-
Drops file in Windows directory 6 IoCs
Processes:
description | ioc | process
File created | C:\Windows\ykl32.exe | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe
File created | C:\Windows\gls.fdn | ykl32.exe
File created | C:\Windows\amr32.exe | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe
File created | C:\Windows\hrk.klo | amr32.exe
File created | C:\Windows\fin32.exe | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe
File created | C:\Windows\hms.atr | fin32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2536 | amr32.exe
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
description | pid | process | target process
PID 2852 wrote to memory of 1904 | 2852 | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | fin32.exe
PID 2852 wrote to memory of 1904 | 2852 | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | fin32.exe
PID 2852 wrote to memory of 1904 | 2852 | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | fin32.exe
PID 2852 wrote to memory of 1904 | 2852 | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | fin32.exe
PID 1904 wrote to memory of 2624 | 1904 | fin32.exe | fin32.exe
PID 1904 wrote to memory of 2624 | 1904 | fin32.exe | fin32.exe
PID 1904 wrote to memory of 2624 | 1904 | fin32.exe | fin32.exe
PID 1904 wrote to memory of 2624 | 1904 | fin32.exe | fin32.exe
PID 1904 wrote to memory of 2624 | 1904 | fin32.exe | fin32.exe
PID 1904 wrote to memory of 2624 | 1904 | fin32.exe | fin32.exe
PID 2852 wrote to memory of 2716 | 2852 | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | ykl32.exe
PID 2852 wrote to memory of 2716 | 2852 | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | ykl32.exe
PID 2852 wrote to memory of 2716 | 2852 | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | ykl32.exe
PID 2852 wrote to memory of 2716 | 2852 | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | ykl32.exe
PID 2716 wrote to memory of 2808 | 2716 | ykl32.exe | ykl32.exe
PID 2716 wrote to memory of 2808 | 2716 | ykl32.exe | ykl32.exe
PID 2716 wrote to memory of 2808 | 2716 | ykl32.exe | ykl32.exe
PID 2716 wrote to memory of 2808 | 2716 | ykl32.exe | ykl32.exe
PID 2716 wrote to memory of 2808 | 2716 | ykl32.exe | ykl32.exe
PID 2716 wrote to memory of 2808 | 2716 | ykl32.exe | ykl32.exe
PID 2852 wrote to memory of 2488 | 2852 | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | amr32.exe
PID 2852 wrote to memory of 2488 | 2852 | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | amr32.exe
PID 2852 wrote to memory of 2488 | 2852 | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | amr32.exe
PID 2852 wrote to memory of 2488 | 2852 | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | amr32.exe
PID 2488 wrote to memory of 2536 | 2488 | amr32.exe | amr32.exe
PID 2488 wrote to memory of 2536 | 2488 | amr32.exe | amr32.exe
PID 2488 wrote to memory of 2536 | 2488 | amr32.exe | amr32.exe
PID 2488 wrote to memory of 2536 | 2488 | amr32.exe | amr32.exe
PID 2488 wrote to memory of 2536 | 2488 | amr32.exe | amr32.exe
PID 2488 wrote to memory of 2536 | 2488 | amr32.exe | amr32.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2852
  [2] C:\Windows\fin32.exe
      Command line: "C:\Windows\fin32.exe" /stext hms.atr
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 1904
    [3] C:\Windows\fin32.exe
        Command line: C:\Windows\fin32.exe /stext hms.atr
        - Executes dropped EXE
        - Accesses Microsoft Outlook accounts
        - Drops file in Windows directory
        PID: 2624
  [2] C:\Windows\ykl32.exe
      Command line: "C:\Windows\ykl32.exe" /stext gls.fdn
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 2716
    [3] C:\Windows\ykl32.exe
        Command line: C:\Windows\ykl32.exe /stext gls.fdn
        - Executes dropped EXE
        - Drops file in Windows directory
        PID: 2808
  [2] C:\Windows\amr32.exe
      Command line: "C:\Windows\amr32.exe" /stext hrk.klo
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 2488
    [3] C:\Windows\amr32.exe
        Command line: C:\Windows\amr32.exe /stext hrk.klo
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        PID: 2536
Network
MITRE ATT&CK Enterprise v15
Downloads