Analysis
- max time kernel: 117s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 03/07/2024, 22:28
Behavioral task: behavioral1
- Sample: 23a927cbd9c1183d623609c6785b4a48_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 23a927cbd9c1183d623609c6785b4a48_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 23a927cbd9c1183d623609c6785b4a48_JaffaCakes118.exe
- Size: 310KB
- MD5: 23a927cbd9c1183d623609c6785b4a48
- SHA1: 46ff20d811f54468a155477741a52239b4ce9bd3
- SHA256: 67cad4e8791386300b5b92b384f3283c41bf1ebd7c2b7bbc1c6b5a403db633cc
- SHA512: e177b948db6e0aefb9eb704e0a038a2e1aa26245fcfcb617ddfdc08f7f915822ac1d4375a86b66ca9092ead9b64b36f8d4390a5c74e7b1f9f2c617851b35fd9e
- SSDEEP: 6144:wimO08F3VCQH4EtteRq659uePSaKqj5PfiEbVPuovA8T:wA089VCg4K4BuUSaKOs6luovA8T
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\winlogon.exe\""
  process: winlogon.exe
- ModiLoader Second Stage (3 IoCs)
  resource / yara_rule:
  behavioral1/memory/2156-1-0x0000000000400000-0x00000000004A3000-memory.dmp: modiloader_stage2
  behavioral1/memory/2156-12-0x0000000000400000-0x00000000004A3000-memory.dmp: modiloader_stage2
  behavioral1/memory/3036-22-0x0000000000400000-0x00000000004A3000-memory.dmp: modiloader_stage2
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05I41M56-QW07-U20F-YX8T-VB4U6TP4UX63}\StubPath = "\"C:\\Windows\\winlogon.exe\""
  process: winlogon.exe
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05I41M56-QW07-U20F-YX8T-VB4U6TP4UX63}
  process: winlogon.exe
- Deletes itself (1 IoC)
  pid: 3036, process: winlogon.exe
- Executes dropped EXE (1 IoC)
  pid: 3036, process: winlogon.exe
  resource / yara_rule:
  behavioral1/memory/2156-0-0x0000000000400000-0x00000000004A3000-memory.dmp: upx
  behavioral1/memory/2156-1-0x0000000000400000-0x00000000004A3000-memory.dmp: upx
  behavioral1/files/0x0034000000015eaf-7.dat: upx
  behavioral1/memory/2156-12-0x0000000000400000-0x00000000004A3000-memory.dmp: upx
  behavioral1/memory/3036-13-0x0000000000400000-0x00000000004A3000-memory.dmp: upx
  behavioral1/memory/3036-22-0x0000000000400000-0x00000000004A3000-memory.dmp: upx
- Drops file in Windows directory (2 IoCs)
  description: File opened for modification
  ioc: C:\Windows\winlogon.exe
  process: 23a927cbd9c1183d623609c6785b4a48_JaffaCakes118.exe
  description: File created
  ioc: C:\Windows\winlogon.exe
  process: 23a927cbd9c1183d623609c6785b4a48_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\23a927cbd9c1183d623609c6785b4a48_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\23a927cbd9c1183d623609c6785b4a48_JaffaCakes118.exe"
  PID: 2156
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\winlogon.exe
    command line: "C:\Windows\winlogon.exe" \melt "C:\Users\Admin\AppData\Local\Temp\23a927cbd9c1183d623609c6785b4a48_JaffaCakes118.exe"
    PID: 3036
    - Modifies WinLogon for persistence
    - Boot or Logon Autostart Execution: Active Setup
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Internet Explorer\iexplore.exe
      command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 2392
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 310KB
  MD5: 23a927cbd9c1183d623609c6785b4a48
  SHA1: 46ff20d811f54468a155477741a52239b4ce9bd3
  SHA256: 67cad4e8791386300b5b92b384f3283c41bf1ebd7c2b7bbc1c6b5a403db633cc
  SHA512: e177b948db6e0aefb9eb704e0a038a2e1aa26245fcfcb617ddfdc08f7f915822ac1d4375a86b66ca9092ead9b64b36f8d4390a5c74e7b1f9f2c617851b35fd9e