Analysis
max time kernel: 93s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/07/2024, 22:28
Behavioral task behavioral1
Sample: 23a927cbd9c1183d623609c6785b4a48_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 23a927cbd9c1183d623609c6785b4a48_JaffaCakes118.exe
Resource: win10v2004-20240508-en
Note: every signature, memory dump and process listed on this page is tagged behavioral2 (the win10v2004 run); no results from the win7 task appear here.
General
Target: 23a927cbd9c1183d623609c6785b4a48_JaffaCakes118.exe
Size: 310KB
MD5: 23a927cbd9c1183d623609c6785b4a48
SHA1: 46ff20d811f54468a155477741a52239b4ce9bd3
SHA256: 67cad4e8791386300b5b92b384f3283c41bf1ebd7c2b7bbc1c6b5a403db633cc
SHA512: e177b948db6e0aefb9eb704e0a038a2e1aa26245fcfcb617ddfdc08f7f915822ac1d4375a86b66ca9092ead9b64b36f8d4390a5c74e7b1f9f2c617851b35fd9e
SSDEEP: 6144:wimO08F3VCQH4EtteRq659uePSaKqj5PfiEbVPuovA8T:wA089VCg4K4BuUSaKOs6luovA8T
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\winlogon.exe\"" | winlogon.exe
On a stock system the Shell value is exactly explorer.exe; the dropped copy appends its own path so that Winlogon starts it alongside the desktop shell at every interactive logon. The value lands under WOW6432Node because the sample is a 32-bit image running under WOW64 (see the arch:x86 tag and the SysWOW64 WerFault instances below). The C:\Windows\winlogon.exe it points at is not the legitimate winlogon.exe, which lives in C:\Windows\System32.
ModiLoader Second Stage 5 IoCs
resource | yara_rule
behavioral2/memory/3216-1-0x0000000000400000-0x00000000004A3000-memory.dmp | modiloader_stage2
behavioral2/memory/3216-38-0x0000000000400000-0x00000000004A3000-memory.dmp | modiloader_stage2
behavioral2/memory/3916-37-0x0000000000400000-0x00000000004A3000-memory.dmp | modiloader_stage2
behavioral2/memory/3916-36-0x0000000000400000-0x00000000004A3000-memory.dmp | modiloader_stage2
behavioral2/memory/3916-46-0x0000000000400000-0x00000000004A3000-memory.dmp | modiloader_stage2
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05I41M56-QW07-U20F-YX8T-VB4U6TP4UX63} | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05I41M56-QW07-U20F-YX8T-VB4U6TP4UX63}\StubPath = "\"C:\\Windows\\winlogon.exe\"" | winlogon.exe
The component name only looks like a GUID: it contains I, M, Q, W, U, Y, X, T, V and P, none of which are hex digits, so it will never parse as one. A StubPath whose key name fails GUID parsing is itself a cheap hunting heuristic; Active Setup runs StubPath once per user at logon, which is the second persistence path alongside the Winlogon Shell change.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | 23a927cbd9c1183d623609c6785b4a48_JaffaCakes118.exe
Deletes itself 1 IoCs
pid | Process
3916 | winlogon.exe
The deletion is performed by the dropped copy (PID 3916), not by the original process: its command line (see Processes) is winlogon.exe \melt "<path of the original sample>", and the original sample in the user's Temp directory is what gets removed.
Executes dropped EXE 1 IoCs
pid | Process
3916 | winlogon.exe
UPX packed file (yara rule upx) 7 IoCs
resource | yara_rule
behavioral2/memory/3216-0-0x0000000000400000-0x00000000004A3000-memory.dmp | upx
behavioral2/memory/3216-1-0x0000000000400000-0x00000000004A3000-memory.dmp | upx
behavioral2/files/0x0008000000023403-6.dat | upx
behavioral2/memory/3216-38-0x0000000000400000-0x00000000004A3000-memory.dmp | upx
behavioral2/memory/3916-37-0x0000000000400000-0x00000000004A3000-memory.dmp | upx
behavioral2/memory/3916-36-0x0000000000400000-0x00000000004A3000-memory.dmp | upx
behavioral2/memory/3916-46-0x0000000000400000-0x00000000004A3000-memory.dmp | upx
The original (PID 3216) and the dropped copy (PID 3916) share the same image base and size (0x400000-0x4A3000), and both the on-disk drop and the in-memory images trigger the same rules.
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\winlogon.exe | 23a927cbd9c1183d623609c6785b4a48_JaffaCakes118.exe
File opened for modification | C:\Windows\winlogon.exe | 23a927cbd9c1183d623609c6785b4a48_JaffaCakes118.exe
Writing directly under C:\Windows requires administrative rights; the sandbox user here is Admin, so the drop succeeds without any privilege escalation.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 7 IoCs
pid | pid_target | Process | procid_target
4616 | 3216 | WerFault.exe | 80
2200 | 3216 | WerFault.exe | 80
1008 | 3216 | WerFault.exe | 80
5096 | 3216 | WerFault.exe | 80
1740 | 3216 | WerFault.exe | 80
2572 | 3216 | WerFault.exe | 80
456 | 3916 | WerFault.exe | 94
Six crash reports are for the original sample (PID 3216) and one for the dropped copy (PID 3916).
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 23a927cbd9c1183d623609c6785b4a48_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3216 wrote to memory of 3916 | 3216 | 23a927cbd9c1183d623609c6785b4a48_JaffaCakes118.exe | 94 (3 entries)
PID 3916 wrote to memory of 3664 | 3916 | winlogon.exe | 97 (remaining 61 entries, all identical)
The three writes from the original sample into the freshly started winlogon.exe (PID 3916) precede its execution; the 61 writes from winlogon.exe go into the iexplore.exe it spawned (PID 3664, see Processes), the pattern of a loader placing its next stage into a child process.
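The two registry artefacts and the dropped file above are the host-side evidence a responder would sweep for. The script below is an added example written for this page, not tooling from the sandbox or from the malware; it assumes it runs elevated on a 64-bit host (so it inspects both the native and the WOW6432Node views), and the StubPath patterns it flags are heuristics chosen for this sample rather than a general Active Setup allowlist. The SHA256 it compares against is the one from the General section.

```powershell
# Added example: sweep a live host for the persistence/drop artefacts in this report.
# Assumptions: elevated PowerShell; 32-bit payload, hence both registry views;
# the StubPath regexes are sample-specific heuristics, not an allowlist.

$findings = @()

# 1. Winlogon\Shell. Stock value is exactly "explorer.exe"; this sample appends
#    "C:\Windows\winlogon.exe" so it starts together with the shell.
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $winlogonKeys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ine 'explorer.exe') {
        $findings += [pscustomobject]@{ Type = 'WinlogonShell'; Location = $key; Value = $shell }
    }
}

# 2. Active Setup\Installed Components. Legitimate entries are named with a real GUID;
#    {05I41M56-QW07-U20F-YX8T-VB4U6TP4UX63} from this report fails GUID parsing, and its
#    StubPath executes an .exe placed directly under C:\Windows.
$activeSetupRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)
foreach ($root in $activeSetupRoots) {
    foreach ($sub in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
        $stub = (Get-ItemProperty -Path $sub.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
        $parsed = [guid]::Empty
        $validGuid = [guid]::TryParse($sub.PSChildName, [ref]$parsed)
        # Heuristic: StubPath running from the Windows root or a user-writable directory.
        $suspiciousStub = $stub -and (
            $stub -match '^"?[A-Za-z]:\\Windows\\[^\\]+\.exe' -or
            $stub -match '\\Users\\|\\Temp\\|\\ProgramData\\'
        )
        if (-not $validGuid -or $suspiciousStub) {
            $findings += [pscustomobject]@{
                Type = 'ActiveSetup'; Location = $sub.PSPath; Value = $stub; ValidGuid = $validGuid
            }
        }
    }
}

# 3. The dropped binary. The real winlogon.exe lives in System32; anything at
#    C:\Windows\winlogon.exe is foreign. Compare with the SHA256 from this report.
$dropPath   = 'C:\Windows\winlogon.exe'
$reportHash = '67cad4e8791386300b5b92b384f3283c41bf1ebd7c2b7bbc1c6b5a403db633cc'
if (Test-Path -LiteralPath $dropPath) {
    $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Type = 'DroppedFile'; Location = $dropPath; Value = $hash; MatchesReport = ($hash -ieq $reportHash)
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No ModiLoader persistence artefacts found.' }
```

A non-matching hash on an existing C:\Windows\winlogon.exe is still a finding: the file has no business being there at all, and other builds of the same loader will differ byte-for-byte.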
Processes

C:\Users\Admin\AppData\Local\Temp\23a927cbd9c1183d623609c6785b4a48_JaffaCakes118.exe  (PID 3216)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\23a927cbd9c1183d623609c6785b4a48_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 772  (PID 4616)
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 868  (PID 2200)
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 932  (PID 1008)
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 864  (PID 5096)
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 968  (PID 1740)
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 984  (PID 2572)
      - Program crash
    C:\Windows\winlogon.exe  (PID 3916)
      cmdline: "C:\Windows\winlogon.exe" \melt "C:\Users\Admin\AppData\Local\Temp\23a927cbd9c1183d623609c6785b4a48_JaffaCakes118.exe"
      - Modifies WinLogon for persistence
      - Boot or Logon Autostart Execution: Active Setup
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 472  (PID 456)
          - Program crash
        C:\Program Files\Internet Explorer\iexplore.exe  (PID 3664)
          cmdline: "C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3216 -ip 3216  (PID 4124)
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3216 -ip 3216  (PID 3952)
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3216 -ip 3216  (PID 4496)
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3216 -ip 3216  (PID 4104)
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3216 -ip 3216  (PID 4220)
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3216 -ip 3216  (PID 856)
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3916 -ip 3916  (PID 684)
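The lineage in this tree (a winlogon.exe that is not the System32 one, started with a \melt argument, which in turn parents an iexplore.exe) is what a live-response check should key on. The script below is an added example for this page, not code from the sandbox or the malware. It assumes Win32_Process exposes ExecutablePath and CommandLine for the processes of interest (both are null for protected processes, which the checks treat as non-matching), and that the parent PID has not been reused since the child started, which a sandbox tree guarantees and a long-running host does not.

```powershell
# Added example: flag the process relationships from the tree above on a live host.
# Assumptions: elevated session (ExecutablePath/CommandLine readable); parent PIDs not recycled.

$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$flagged = foreach ($p in $procs) {
    $parent     = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    $reason     = $null

    # (a) winlogon.exe whose image is not %SystemRoot%\System32\winlogon.exe
    if ($p.Name -ieq 'winlogon.exe' -and $p.ExecutablePath -and
        $p.ExecutablePath -ine "$env:SystemRoot\System32\winlogon.exe") {
        $reason = "winlogon.exe outside System32: $($p.ExecutablePath)"
    }
    # (b) the \melt "<original path>" switch the dropped copy was started with
    elseif ($p.CommandLine -match '\\melt\s+"') {
        $reason = 'command line carries \melt <path> (dropper self-delete)'
    }
    # (c) iexplore.exe not parented by explorer.exe or by another iexplore.exe
    elseif ($p.Name -ieq 'iexplore.exe' -and $parentName -notin @('explorer.exe', 'iexplore.exe')) {
        $reason = "iexplore.exe parented by $parentName (PID $($p.ParentProcessId))"
    }

    if ($reason) {
        [pscustomobject]@{
            PID         = $p.ProcessId
            Parent      = $parentName
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
            Reason      = $reason
        }
    }
}

if ($flagged) { $flagged | Format-Table -AutoSize -Wrap } else { 'No suspicious winlogon.exe / iexplore.exe lineage found.' }
```

On this sample, check (a) and (b) both hit PID 3916 and check (c) hits PID 3664; the WerFault instances are not flagged on their own, since crash handling for a flagged PID is a consequence rather than an indicator.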
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 310KB
MD5: 23a927cbd9c1183d623609c6785b4a48
SHA1: 46ff20d811f54468a155477741a52239b4ce9bd3
SHA256: 67cad4e8791386300b5b92b384f3283c41bf1ebd7c2b7bbc1c6b5a403db633cc
SHA512: e177b948db6e0aefb9eb704e0a038a2e1aa26245fcfcb617ddfdc08f7f915822ac1d4375a86b66ca9092ead9b64b36f8d4390a5c74e7b1f9f2c617851b35fd9e
These are exactly the hashes of the submitted sample, so the one file captured is a byte-identical copy of it, consistent with the drop of C:\Windows\winlogon.exe recorded under Signatures.