Analysis
- max time kernel: 51s
- max time network: 53s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-06-2024 20:01
Static task: static1
Behavioral task: behavioral1
- Sample: 095174c6e40909234aa8db843084b302_JaffaCakes118.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 095174c6e40909234aa8db843084b302_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 095174c6e40909234aa8db843084b302_JaffaCakes118.exe
- Size: 57KB
- MD5: 095174c6e40909234aa8db843084b302
- SHA1: 2dbd14a647d3a7f57181652b0c0a4c94842154c3
- SHA256: 16e422f3893d4d5eb913d89e4de87a17eb61b291f0ca13664abef851b93751c1
- SHA512: bd18e04e38b4340846f30f67f6a3d027ecdae0ce5ad9181be2800e5f850cfa48518457fcca96870ec0b5b14397625d18d40c641731d597e6392dc917c2048de5
- SSDEEP: 1536:nm7wjsVTJ+p3JrkGLawHE/E2j+EHwnOE1/o88t/T3lBv+:s+sVT45mn/bjnWo8sT1Bm
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (2 IoCs)
  Resource | YARA rule
  behavioral2/memory/3168-3-0x0000000000400000-0x000000000041F000-memory.dmp | modiloader_stage2
  C:\Users\Admin\AppData\Local\Temp\temp.exe | modiloader_stage2
- Executes dropped EXE (2 IoCs)
  PID | Process
  656 | temp.exe
  4304 | tcpip.exe
- Drops file in System32 directory (4 IoCs)
  Description | IoC | Process
  File created | C:\Windows\SysWOW64\mmmmmmmm.bat | temp.exe
  File created | C:\Windows\SysWOW64\msiupdata.dll | tcpip.exe
  File created | C:\Windows\SysWOW64\tcpip.exe | temp.exe
  File opened for modification | C:\Windows\SysWOW64\tcpip.exe | temp.exe
- Suspicious behavior: EnumeratesProcesses (48 IoCs)
  PID | Process | Number of hits
  3168 | 095174c6e40909234aa8db843084b302_JaffaCakes118.exe | 4
  656 | temp.exe | 32
  4304 | tcpip.exe | 12
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description | PID | Process
  Token: SeDebugPrivilege | 656 | temp.exe
  Token: SeDebugPrivilege | 4304 | tcpip.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Description | PID | Process | Target process
  PID 3168 wrote to memory of 4968 | 3168 | 095174c6e40909234aa8db843084b302_JaffaCakes118.exe | cmd.exe
  PID 3168 wrote to memory of 4968 | 3168 | 095174c6e40909234aa8db843084b302_JaffaCakes118.exe | cmd.exe
  PID 3168 wrote to memory of 4968 | 3168 | 095174c6e40909234aa8db843084b302_JaffaCakes118.exe | cmd.exe
  PID 4968 wrote to memory of 656 | 4968 | cmd.exe | temp.exe
  PID 4968 wrote to memory of 656 | 4968 | cmd.exe | temp.exe
  PID 4968 wrote to memory of 656 | 4968 | cmd.exe | temp.exe
  PID 656 wrote to memory of 2252 | 656 | temp.exe | cmd.exe
  PID 656 wrote to memory of 2252 | 656 | temp.exe | cmd.exe
  PID 656 wrote to memory of 2252 | 656 | temp.exe | cmd.exe
  PID 4304 wrote to memory of 3484 | 4304 | tcpip.exe | Explorer.EXE
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3484
  - C:\Users\Admin\AppData\Local\Temp\095174c6e40909234aa8db843084b302_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\095174c6e40909234aa8db843084b302_JaffaCakes118.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    PID: 3168
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\temp.exe
      Signatures: Suspicious use of WriteProcessMemory
      PID: 4968
      - C:\Users\Admin\AppData\Local\Temp\temp.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\temp.exe
        Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        PID: 656
        - C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\mmmmmmmm.bat
          PID: 2252
- C:\Windows\SysWOW64\tcpip.exe
  Command line: C:\Windows\SysWOW64\tcpip.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 4304
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 43KB
  MD5: 5ec85a8cc55180c83a471e423fa582fc
  SHA1: b5819903dc81e8e37682566c49fc42072b4b5dfa
  SHA256: eef41e54a59d4bd70ccfcced60f10a58c75ee13827f629fb566eef2ce43c7af0
  SHA512: 78f952ad04c1c5dca792a87deb9ed20a292364d8ffaf395cec95e0555c2c699dbd65af1e125b498f7cf35bbd796be69b74a87f7f56cc6973f1012cadf9a93c17
- Filesize: 136B
  MD5: bbb1363ff9d91459fafad63764db72a0
  SHA1: 39363d056769002ec16b5bd869d9a3548d5d131b
  SHA256: 4313d66d27196d0fc03c77e21f2b6020adf3f8cf4b7ca6895151c92cf0136bb9
  SHA512: 41bcbaefc2d018f93253202b5fe8864e28b232c3c9a7e7237d74b3a3078dec824fad25045dafc44d3a3faafc0a9bbf3d2d62df08628443a8a1a2fa375974b59a