Analysis

  • max time kernel
    141s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/07/2024, 23:02

General

  • Target

    23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe

  • Size

    320KB

  • MD5

    23c45f6ca292ee2b645dc2bb3da12993

  • SHA1

    aef38822f494c71b0f84a3ce7d72fcf03fb768b8

  • SHA256

    941a598e52d20ab1a145a29a6db14115544626fa8e85908eacf06415eb63c73e

  • SHA512

    3c361a8c0e80620eea4460e007c6f57ffe0949ca2dc14e02469ea427b7971c46f28cd77729a7fe7337f836cca05e1bb8317acc7cce3fae2dd74cdc90b6ff3ce0

  • SSDEEP

    6144:Le7bMGJKSTghRKmrTCWfYHbKqSMaJMaPg3j16bGgrz9x4dyfzvNNBadSQZmW5oM+:Le7wUKSTgn9rzfYHGOaHPMMbnG81NBPB

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 3 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Windows\windows_ipcomfig
      C:\Windows\windows_ipcomfig
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\SysWOW64\osk.exe
        "C:\Windows\system32\osk.exe"
        3⤵
          PID:2652
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 280
          3⤵
          • Program crash
          PID:2656
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Windows\ReDelBat.bat
        2⤵
        • Deletes itself
        PID:2628
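
The tree above carries four behaviours an analyst would want to turn into repeatable checks: a dropped file run straight from C:\Windows with no extension (windows_ipcomfig), an accessibility binary (osk.exe) started by that dropped file while the "Suspicious use of SetThreadContext" and "Suspicious use of WriteProcessMemory" signatures fire on its parent, a cmd /c <x>.bat launched by the original sample (the "Deletes itself" behaviour), and a WerFault.exe reporting the crash of the injector. The following script is an added example, not part of the sandbox output. The events are constructed to mirror the report's PIDs; the field names loosely follow Sysmon Event ID 1, the root process's parent (not in the report) is set to 0, and the parent allowlists are assumptions to tune per estate.

```python
"""Process-tree hunting rules derived from the sandbox tree (added example,
not sandbox output). Events are constructed from the report; field names
loosely follow Sysmon Event ID 1 and are an assumption."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # resolved image path
    cmdline: str    # command line as logged


# Constructed from the "Processes" section of the report; ppid 0 = unknown.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe"
EVENTS = [
    ProcEvent(2740, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2012, 2740, r"C:\Windows\windows_ipcomfig", r"C:\Windows\windows_ipcomfig"),
    # Image is under SysWOW64 although the command line names system32: WOW64
    # file system redirection for a 32-bit parent on the x64 host.
    ProcEvent(2652, 2012, r"C:\Windows\SysWOW64\osk.exe", r'"C:\Windows\system32\osk.exe"'),
    ProcEvent(2656, 2012, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 280"),
    ProcEvent(2628, 2740, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c C:\Windows\ReDelBat.bat"),
]

# Binaries covered by ATT&CK T1546.008 (Accessibility Features).
ACCESSIBILITY_BINARIES = {"osk.exe", "sethc.exe", "utilman.exe", "magnify.exe",
                          "narrator.exe", "displayswitch.exe", "atbroker.exe"}
# Parents that launch these legitimately; an assumption, tune per estate.
EXPECTED_ACCESSIBILITY_PARENTS = {"explorer.exe", "winlogon.exe", "atbroker.exe", "utilman.exe"}
SHELL_PARENTS = {"cmd.exe", "explorer.exe", "powershell.exe"}

CMD_RUNS_BAT = re.compile(r'^\s*"?cmd(?:\.exe)?"?\s+/c\s+"?([^"\s]+\.bat)"?', re.IGNORECASE)
WERFAULT_PID = re.compile(r"-p\s+(\d+)")


def basename(path):
    return ntpath.basename(path).lower()


def hunt(events):
    """Return (pid, rule) pairs. The WerFault rule runs last because it
    correlates against PIDs flagged by the other rules."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else ""
        # Rule 1: a file run straight from C:\Windows with no extension
        # (the dropped copy 'windows_ipcomfig' in the report).
        directory, filename = ntpath.split(e.image)
        if directory.lower() == r"c:\windows" and not ntpath.splitext(filename)[1]:
            findings.append((e.pid, "extensionless_binary_in_windows_root"))
        # Rule 2: accessibility binary started by an unexpected parent. With
        # SetThreadContext/WriteProcessMemory on the parent this is consistent
        # with a hollowing target; on its own it is still worth a look.
        if name in ACCESSIBILITY_BINARIES and parent_name not in EXPECTED_ACCESSIBILITY_PARENTS:
            findings.append((e.pid, "accessibility_binary_unexpected_parent"))
        # Rule 3: cmd /c <x>.bat spawned by something that is not a shell,
        # the self-delete pattern behind "Deletes itself".
        if name == "cmd.exe" and CMD_RUNS_BAT.match(e.cmdline) and parent_name not in SHELL_PARENTS:
            findings.append((e.pid, "cmd_runs_bat_from_non_shell_parent"))
    # Rule 4: WerFault handling a crash of a process flagged above, so the
    # "Program crash" entry can be tied back to the injector.
    flagged = {pid for pid, _ in findings}
    for e in events:
        if basename(e.image) == "werfault.exe":
            m = WERFAULT_PID.search(e.cmdline)
            if m and int(m.group(1)) in flagged:
                findings.append((e.pid, f"werfault_for_flagged_pid_{m.group(1)}"))
    return findings


def render_tree(events):
    """Indented text tree for pasting into a ticket (returned as a string)."""
    by_parent = {}
    for e in events:
        by_parent.setdefault(e.ppid, []).append(e)
    known = {e.pid for e in events}

    def walk(pid, depth):
        out = []
        for e in by_parent.get(pid, []):
            out.append("  " * depth + f"{e.pid} {e.cmdline}")
            out.extend(walk(e.pid, depth + 1))
        return out

    lines = []
    for root in sorted({e.ppid for e in events if e.ppid not in known}):
        lines.extend(walk(root, 0))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(EVENTS))
    for pid, rule in hunt(EVENTS):
        print(pid, rule)
```

Rule 1 is deliberately narrow (C:\Windows root only) so that it stays quiet on a normal host; Rule 2 is the one to keep even without the sandbox's injection signatures, since nothing under a user's Temp directory should ever be the grandparent of osk.exe.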

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Windows\ReDelBat.bat

      Filesize

      212B

      MD5

      02be46d6d8dc02d6e10217bf4c9a5702

      SHA1

      704210e0ecfc24b62e85c1958f940b7f5600d6c6

      SHA256

      7674b472a334a4e7b0e71dc7e96ebbe87c684fcd3ea5c2ace9ddd9a905c4dfc5

      SHA512

      63356afe1304d93bc9067a9e85153e44c3889867004e30e13be8815dae328e48fa93eec17608afb76284007a59ce26375af3752a42b8e7c67042500540792d68

    • F:\AutoRun.inf

      Filesize

      184B

      MD5

      f523fc2c9cd2cae0ff1c89cd08572d89

      SHA1

      78330e1621fdc200b742cbcaedc598c7033d88e4

      SHA256

      6c4de927033652cf18e7a3707ff45c288b97b9fae1c33ed763d1feb8cea173a7

      SHA512

      80e0e03f577560fa61649257adde0012938102147a1aad9da957dd9698ec1212fa01dfe3efa45351f0eeccdd903d3c9d4e66bda60e1e964c965267ac2a8f7d76

    • F:\windows_ipcomfig

      Filesize

      320KB

      MD5

      23c45f6ca292ee2b645dc2bb3da12993

      SHA1

      aef38822f494c71b0f84a3ce7d72fcf03fb768b8

      SHA256

      941a598e52d20ab1a145a29a6db14115544626fa8e85908eacf06415eb63c73e

      SHA512

      3c361a8c0e80620eea4460e007c6f57ffe0949ca2dc14e02469ea427b7971c46f28cd77729a7fe7337f836cca05e1bb8317acc7cce3fae2dd74cdc90b6ff3ce0

    • memory/2012-33-0x0000000000340000-0x0000000000341000-memory.dmp

      Filesize

      4KB

    • memory/2012-43-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2652-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2652-38-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2652-36-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2740-19-0x0000000000580000-0x0000000000581000-memory.dmp

      Filesize

      4KB

    • memory/2740-42-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB

    • memory/2740-55-0x0000000000400000-0x00000000004C5000-memory.dmp

      Filesize

      788KB
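
The Downloads section shows the removable-media spreading mechanism behind the "Enumerates connected drives" and "Drops autorun.inf file" signatures: the sample writes an AutoRun.inf to the root of the F: volume and a copy of itself (F:\windows_ipcomfig, hash-identical to the original target) next to it. The script below is an added example for checking mounted volumes for that pattern; it is not part of the sandbox output. It finds any AutoRun.inf at a volume root, extracts the directives Windows honours for execution (open=, shellexecute=, shell\<verb>\command=), resolves the launch target on the same volume and compares hashes against the SHA256 values from this report. The demo volume is constructed in a temporary directory; the report gives the dropped AutoRun.inf's hashes but not its contents, so the directives in the constructed file (open= pointing at the dropped copy) are an assumption, and its hashes will not match the report's.

```python
"""Autorun spreading check for volume roots (added example, not part of the
sandbox output). The demo volume is constructed; the real AutoRun.inf
contents are not in the report, so its directives are an assumption."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 values copied from the report's General and Downloads sections.
KNOWN_SHA256 = {
    "941a598e52d20ab1a145a29a6db14115544626fa8e85908eacf06415eb63c73e": "ModiLoader sample (also F:\\windows_ipcomfig)",
    "6c4de927033652cf18e7a3707ff45c288b97b9fae1c33ed763d1feb8cea173a7": "F:\\AutoRun.inf",
    "7674b472a334a4e7b0e71dc7e96ebbe87c684fcd3ea5c2ace9ddd9a905c4dfc5": "C:\\Windows\\ReDelBat.bat",
}


def parse_autorun(text):
    """Return launch commands from the [autorun] section: open=, shellexecute=
    and shell\\<verb>\\command= (the directives Windows uses for execution)."""
    commands, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            commands.append(value)
    return commands


def first_token(command):
    """Program part of a command line; quoted paths may contain spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_volume(root):
    """Findings for one volume root: the inf, each launch target relative to
    that root, whether it exists, and any match against the report's hashes."""
    root = Path(root)
    findings = []
    for entry in root.iterdir():
        if entry.name.lower() != "autorun.inf" or not entry.is_file():
            continue
        inf_hash = sha256_of(entry)
        text = entry.read_bytes().decode("utf-8", errors="replace")
        for command in parse_autorun(text):
            target_name = first_token(command)
            target = root / target_name.replace("\\", "/").lstrip("/")
            finding = {
                "inf": str(entry), "inf_known": KNOWN_SHA256.get(inf_hash),
                "target": target_name, "exists": target.is_file(),
                "sha256": None, "known": None,
            }
            if finding["exists"]:
                finding["sha256"] = sha256_of(target)
                finding["known"] = KNOWN_SHA256.get(finding["sha256"])
            findings.append(finding)
    return findings


def scan_drive_roots():
    """On-host use (Windows): check the root of every mounted drive letter."""
    return {f"{letter}:\\": scan_volume(f"{letter}:\\")
            for letter in "ABCDEFGHIJKLMNOPQRSTUVWXYZ" if os.path.isdir(f"{letter}:\\")}


def build_demo_volume(dirpath):
    """Constructed stand-in for F:. Pointing open= at the dropped copy is an
    assumption; the file bodies are placeholders, not the real samples."""
    vol = Path(dirpath)
    (vol / "windows_ipcomfig").write_bytes(b"MZ" + b"\x00" * 62 + b"constructed stand-in for the dropped copy\n")
    (vol / "AutoRun.inf").write_bytes(
        b"[autorun]\r\n"
        b"open=windows_ipcomfig\r\n"
        b"shell\\open\\command=windows_ipcomfig\r\n"
        b"icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    )
    return vol


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return scan_volume(build_demo_volume(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a host where the real F: volume was attached, the windows_ipcomfig target would hash to the sample's SHA256 and be labelled from KNOWN_SHA256; in the constructed demo both files are placeholders, so the findings show an existing, unknown-hash launch target, which is exactly the case that needs manual triage.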