Analysis
-
max time kernel
125s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
03/07/2024, 23:02
Static task
static1
Behavioral task
behavioral1
Sample
23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe
-
Size
320KB
-
MD5
23c45f6ca292ee2b645dc2bb3da12993
-
SHA1
aef38822f494c71b0f84a3ce7d72fcf03fb768b8
-
SHA256
941a598e52d20ab1a145a29a6db14115544626fa8e85908eacf06415eb63c73e
-
SHA512
3c361a8c0e80620eea4460e007c6f57ffe0949ca2dc14e02469ea427b7971c46f28cd77729a7fe7337f836cca05e1bb8317acc7cce3fae2dd74cdc90b6ff3ce0
-
SSDEEP
6144:Le7bMGJKSTghRKmrTCWfYHbKqSMaJMaPg3j16bGgrz9x4dyfzvNNBadSQZmW5oM+:Le7wUKSTgn9rzfYHGOaHPMMbnG81NBPB
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 2 IoCs
resource yara_rule behavioral2/memory/2652-33-0x0000000000400000-0x00000000004C5000-memory.dmp modiloader_stage2 behavioral2/memory/4180-35-0x0000000000400000-0x00000000004C5000-memory.dmp modiloader_stage2 -
Executes dropped EXE 1 IoCs
pid Process 2652 windows_ipcomfig -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\T: 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File opened (read-only) \??\V: 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File opened (read-only) \??\W: 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File opened (read-only) \??\B: 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File opened (read-only) \??\E: 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File opened (read-only) \??\O: 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File opened (read-only) \??\R: 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File opened (read-only) \??\S: 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File opened (read-only) \??\X: 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File opened (read-only) \??\A: 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File opened (read-only) \??\J: 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File opened (read-only) \??\U: 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File opened (read-only) \??\I: 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File opened (read-only) \??\M: 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File opened (read-only) \??\P: 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File opened (read-only) \??\Y: 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File opened (read-only) \??\Z: 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File opened (read-only) \??\Q: 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File opened (read-only) \??\G: 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File opened (read-only) \??\H: 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File opened (read-only) \??\K: 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File opened (read-only) \??\L: 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File opened (read-only) \??\N: 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\AutoRun.inf 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File opened for modification F:\AutoRun.inf 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\_windows_ipcomfig windows_ipcomfig File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\_windows_ipcomfig windows_ipcomfig -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\windows_ipcomfig 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File opened for modification C:\Windows\windows_ipcomfig 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe File created C:\Windows\ReDelBat.bat 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4180 wrote to memory of 2652 4180 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe 88 PID 4180 wrote to memory of 2652 4180 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe 88 PID 4180 wrote to memory of 2652 4180 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe 88 PID 2652 wrote to memory of 1856 2652 windows_ipcomfig 89 PID 2652 wrote to memory of 1856 2652 windows_ipcomfig 89 PID 4180 wrote to memory of 3504 4180 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe 90 PID 4180 wrote to memory of 3504 4180 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe 90 PID 4180 wrote to memory of 3504 4180 23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\23c45f6ca292ee2b645dc2bb3da12993_JaffaCakes118.exe"1⤵
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\windows_ipcomfigC:\Windows\windows_ipcomfig2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\program files\internet explorer\IEXPLORE.EXE"C:\program files\internet explorer\IEXPLORE.EXE"3⤵PID:1856
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\ReDelBat.bat2⤵PID:3504
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4332,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:81⤵PID:3528
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
184B
MD5f523fc2c9cd2cae0ff1c89cd08572d89
SHA178330e1621fdc200b742cbcaedc598c7033d88e4
SHA2566c4de927033652cf18e7a3707ff45c288b97b9fae1c33ed763d1feb8cea173a7
SHA51280e0e03f577560fa61649257adde0012938102147a1aad9da957dd9698ec1212fa01dfe3efa45351f0eeccdd903d3c9d4e66bda60e1e964c965267ac2a8f7d76
-
Filesize
212B
MD502be46d6d8dc02d6e10217bf4c9a5702
SHA1704210e0ecfc24b62e85c1958f940b7f5600d6c6
SHA2567674b472a334a4e7b0e71dc7e96ebbe87c684fcd3ea5c2ace9ddd9a905c4dfc5
SHA51263356afe1304d93bc9067a9e85153e44c3889867004e30e13be8815dae328e48fa93eec17608afb76284007a59ce26375af3752a42b8e7c67042500540792d68
-
Filesize
320KB
MD523c45f6ca292ee2b645dc2bb3da12993
SHA1aef38822f494c71b0f84a3ce7d72fcf03fb768b8
SHA256941a598e52d20ab1a145a29a6db14115544626fa8e85908eacf06415eb63c73e
SHA5123c361a8c0e80620eea4460e007c6f57ffe0949ca2dc14e02469ea427b7971c46f28cd77729a7fe7337f836cca05e1bb8317acc7cce3fae2dd74cdc90b6ff3ce0