Analysis
  max time kernel: 139s
  max time network: 123s
  platform: windows10-2004_x64
  resource: win10v2004-20240611-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 20-06-2024 19:30
Behavioral task behavioral1
  Sample: 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task behavioral2
  Sample: 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
  Target: 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe
  Size: 233KB
  MD5: 091c5a964683ba62f38ef111aacd1d49
  SHA1: 2b124933c40409482f3583af02160dbe832ce5ec
  SHA256: cdf6f848d8c68b8b521f675a8129292b120d08c8673ebd3619ad230a388a84cb
  SHA512: 013c7609b062885cc5283d441203a13bca6b38a1c8bc043d1eba0245fd088e833f141861a1e9e2cda4fc3406fb539668119494c065313103edb154d0dae1bc70
  SSDEEP: 6144:sLiX5MU9Y2jd58njRL4k85uMQVMX7tV13xqCwk:Lpd5YRLi5uMQVMXJnBq
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (7 IoCs)
  Processes:
    resource | yara_rule
    C:\Windows\fin32.exe | modiloader_stage2
    behavioral2/memory/2552-14-0x0000000032000000-0x0000000032019000-memory.dmp | modiloader_stage2
    C:\Windows\ykl32.exe | modiloader_stage2
    behavioral2/memory/4216-25-0x0000000032000000-0x000000003200F000-memory.dmp | modiloader_stage2
    C:\Windows\amr32.exe | modiloader_stage2
    behavioral2/memory/1772-40-0x0000000032000000-0x0000000032015000-memory.dmp | modiloader_stage2
    behavioral2/memory/5532-49-0x0000000000400000-0x000000000047D000-memory.dmp | modiloader_stage2
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe
- Executes dropped EXE (6 IoCs)
  Processes:
    pid | process
    2552 | fin32.exe
    6012 | fin32.exe
    4216 | ykl32.exe
    3888 | ykl32.exe
    1772 | amr32.exe
    5724 | amr32.exe
- Processes (yara rule upx):
    resource | yara_rule
    behavioral2/memory/5532-0-0x0000000000400000-0x000000000047D000-memory.dmp | upx
    behavioral2/memory/5532-49-0x0000000000400000-0x000000000047D000-memory.dmp | upx
- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | fin32.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
    description | pid | process | target process
    PID 2552 set thread context of 6012 | 2552 | fin32.exe | fin32.exe
    PID 4216 set thread context of 3888 | 4216 | ykl32.exe | ykl32.exe
    PID 1772 set thread context of 5724 | 1772 | amr32.exe | amr32.exe
- Drops file in Windows directory (6 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Windows\ykl32.exe | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe
    File created | C:\Windows\gls.fdn | ykl32.exe
    File created | C:\Windows\amr32.exe | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe
    File created | C:\Windows\hrk.klo | amr32.exe
    File created | C:\Windows\fin32.exe | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe
    File created | C:\Windows\hms.atr | fin32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 5724 | amr32.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes:
    description | pid | process | target process
    PID 5532 wrote to memory of 2552 | 5532 | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | fin32.exe
    PID 5532 wrote to memory of 2552 | 5532 | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | fin32.exe
    PID 5532 wrote to memory of 2552 | 5532 | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | fin32.exe
    PID 2552 wrote to memory of 6012 | 2552 | fin32.exe | fin32.exe
    PID 2552 wrote to memory of 6012 | 2552 | fin32.exe | fin32.exe
    PID 2552 wrote to memory of 6012 | 2552 | fin32.exe | fin32.exe
    PID 2552 wrote to memory of 6012 | 2552 | fin32.exe | fin32.exe
    PID 2552 wrote to memory of 6012 | 2552 | fin32.exe | fin32.exe
    PID 5532 wrote to memory of 4216 | 5532 | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | ykl32.exe
    PID 5532 wrote to memory of 4216 | 5532 | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | ykl32.exe
    PID 5532 wrote to memory of 4216 | 5532 | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | ykl32.exe
    PID 4216 wrote to memory of 3888 | 4216 | ykl32.exe | ykl32.exe
    PID 4216 wrote to memory of 3888 | 4216 | ykl32.exe | ykl32.exe
    PID 4216 wrote to memory of 3888 | 4216 | ykl32.exe | ykl32.exe
    PID 4216 wrote to memory of 3888 | 4216 | ykl32.exe | ykl32.exe
    PID 4216 wrote to memory of 3888 | 4216 | ykl32.exe | ykl32.exe
    PID 5532 wrote to memory of 1772 | 5532 | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | amr32.exe
    PID 5532 wrote to memory of 1772 | 5532 | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | amr32.exe
    PID 5532 wrote to memory of 1772 | 5532 | 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | amr32.exe
    PID 1772 wrote to memory of 5724 | 1772 | amr32.exe | amr32.exe
    PID 1772 wrote to memory of 5724 | 1772 | amr32.exe | amr32.exe
    PID 1772 wrote to memory of 5724 | 1772 | amr32.exe | amr32.exe
    PID 1772 wrote to memory of 5724 | 1772 | amr32.exe | amr32.exe
    PID 1772 wrote to memory of 5724 | 1772 | amr32.exe | amr32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe (PID 5532)
  Command line: "C:\Users\Admin\AppData\Local\Temp\091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe"
  Signatures: Checks computer location settings; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\Windows\fin32.exe (PID 2552)
    Command line: "C:\Windows\fin32.exe" /stext hms.atr
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Windows\fin32.exe (PID 6012)
      Command line: C:\Windows\fin32.exe /stext hms.atr
      Signatures: Executes dropped EXE; Accesses Microsoft Outlook accounts; Drops file in Windows directory
  - C:\Windows\ykl32.exe (PID 4216)
    Command line: "C:\Windows\ykl32.exe" /stext gls.fdn
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Windows\ykl32.exe (PID 3888)
      Command line: C:\Windows\ykl32.exe /stext gls.fdn
      Signatures: Executes dropped EXE; Drops file in Windows directory
  - C:\Windows\amr32.exe (PID 1772)
    Command line: "C:\Windows\amr32.exe" /stext hrk.klo
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Windows\amr32.exe (PID 5724)
      Command line: C:\Windows\amr32.exe /stext hrk.klo
      Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads