Analysis
-
max time kernel
143s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system -
submitted
04/07/2024, 01:14
Static task
static1
Behavioral task
behavioral1
Sample
2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
-
Size
312KB
-
MD5
2420a8ae643989b2f74e76ce2b01f816
-
SHA1
c808e8ae367ea9828181a971fd4f0e02674037f0
-
SHA256
3cb083da3bbbaca5c4c4142f7ba140f14a95ac8c5f60b0134baa720d4965ed9f
-
SHA512
50fb821d95203eb370b085f391764afc74b410c74195b6d5991c5cacfd8a8b536c5f3b15a1d9f472f73d89fc01775949bf2fcae2fbdf00ae1474c4453521dc61
-
SSDEEP
6144:vUgKONc123zljl7qdiY8JOGBGhxm/K1hR7G0fM/COjrI92j5OkWZ0:MgKmNl7qP8JnG7mKra0f5OjrI921NW2
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 3 IoCs
resource | yara_rule
behavioral1/memory/2128-25-0x0000000000400000-0x00000000004CA000-memory.dmp | modiloader_stage2
behavioral1/memory/2056-26-0x0000000000400000-0x00000000004CA000-memory.dmp | modiloader_stage2
behavioral1/memory/2128-38-0x0000000000400000-0x00000000004CA000-memory.dmp | modiloader_stage2
-
Deletes itself 1 IoCs
pid | Process
2416 | cmd.exe
-
Executes dropped EXE 1 IoCs
pid | Process
2056 | 360Setup.exe
-
Loads dropped DLL 7 IoCs
pid | Process
2128 | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
2056 | 360Setup.exe
2056 | 360Setup.exe
2056 | 360Setup.exe
2516 | WerFault.exe
2516 | WerFault.exe
2516 | WerFault.exe
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P: | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened (read-only) | \??\W: | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened (read-only) | \??\Z: | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened (read-only) | \??\E: | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened (read-only) | \??\M: | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened (read-only) | \??\S: | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened (read-only) | \??\T: | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened (read-only) | \??\X: | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened (read-only) | \??\H: | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened (read-only) | \??\Q: | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened (read-only) | \??\K: | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened (read-only) | \??\R: | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened (read-only) | \??\B: | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened (read-only) | \??\J: | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened (read-only) | \??\I: | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened (read-only) | \??\L: | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened (read-only) | \??\N: | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened (read-only) | \??\O: | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened (read-only) | \??\U: | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened (read-only) | \??\V: | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened (read-only) | \??\A: | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened (read-only) | \??\G: | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened (read-only) | \??\Y: | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | C:\AutoRun.inf | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened for modification | C:\AutoRun.inf | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File created | F:\AutoRun.inf | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened for modification | F:\AutoRun.inf | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\_360Setup.exe | 360Setup.exe
File opened for modification | C:\Windows\SysWOW64\_360Setup.exe | 360Setup.exe
-
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files\360Setup.exe | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File opened for modification | C:\Program Files\360Setup.exe | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
File created | C:\Program Files\SxDel.bat | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2516 | 2056 | WerFault.exe | 28
-
Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target
PID 2128 wrote to memory of 2056 | 2128 | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe | 28
PID 2128 wrote to memory of 2056 | 2128 | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe | 28
PID 2128 wrote to memory of 2056 | 2128 | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe | 28
PID 2128 wrote to memory of 2056 | 2128 | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe | 28
PID 2128 wrote to memory of 2056 | 2128 | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe | 28
PID 2128 wrote to memory of 2056 | 2128 | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe | 28
PID 2128 wrote to memory of 2056 | 2128 | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe | 28
PID 2056 wrote to memory of 2516 | 2056 | 360Setup.exe | 29
PID 2056 wrote to memory of 2516 | 2056 | 360Setup.exe | 29
PID 2056 wrote to memory of 2516 | 2056 | 360Setup.exe | 29
PID 2056 wrote to memory of 2516 | 2056 | 360Setup.exe | 29
PID 2056 wrote to memory of 2516 | 2056 | 360Setup.exe | 29
PID 2056 wrote to memory of 2516 | 2056 | 360Setup.exe | 29
PID 2056 wrote to memory of 2516 | 2056 | 360Setup.exe | 29
PID 2128 wrote to memory of 2416 | 2128 | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe | 30
PID 2128 wrote to memory of 2416 | 2128 | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe | 30
PID 2128 wrote to memory of 2416 | 2128 | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe | 30
PID 2128 wrote to memory of 2416 | 2128 | 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe | 30
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe"
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2128 -
Level 2: C:\Program Files\360Setup.exe
Command line: "C:\Program Files\360Setup.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2056 -
Level 3: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 328
- Loads dropped DLL
- Program crash
PID:2516
Level 2: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Program Files\SxDel.bat""
- Deletes itself
PID:2416
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
212B
MD5
322220ceadafaff7b2af326d09309d87
SHA1
bf1e27aba2b45b990f4f28954a41478e3021d7bc
SHA256
6886507f23722b31222e03c5c60a07b7c3ec6d6e6685566952e2cdd63c9e0f84
SHA512
f95b8e73fe317f996322ddc0a3133305e23a1c3e469d699e2197f7278e9953bb04ba0bbccdeeb7ca173128035c87006e7b8edb44e7a7732b9ed47514368c4d7d
-
Filesize
312KB
MD5
2420a8ae643989b2f74e76ce2b01f816
SHA1
c808e8ae367ea9828181a971fd4f0e02674037f0
SHA256
3cb083da3bbbaca5c4c4142f7ba140f14a95ac8c5f60b0134baa720d4965ed9f
SHA512
50fb821d95203eb370b085f391764afc74b410c74195b6d5991c5cacfd8a8b536c5f3b15a1d9f472f73d89fc01775949bf2fcae2fbdf00ae1474c4453521dc61