Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2024, 01:14
Static task: static1
Behavioral task: behavioral1
  Sample: 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
Size: 312KB
MD5: 2420a8ae643989b2f74e76ce2b01f816
SHA1: c808e8ae367ea9828181a971fd4f0e02674037f0
SHA256: 3cb083da3bbbaca5c4c4142f7ba140f14a95ac8c5f60b0134baa720d4965ed9f
SHA512: 50fb821d95203eb370b085f391764afc74b410c74195b6d5991c5cacfd8a8b536c5f3b15a1d9f472f73d89fc01775949bf2fcae2fbdf00ae1474c4453521dc61
SSDEEP: 6144:vUgKONc123zljl7qdiY8JOGBGhxm/K1hR7G0fM/COjrI92j5OkWZ0:MgKmNl7qP8JnG7mKra0f5OjrI921NW2
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (2 IoCs)
  resource                                                                    yara_rule
  behavioral2/memory/4740-20-0x0000000000400000-0x00000000004CA000-memory.dmp  modiloader_stage2
  behavioral2/memory/232-22-0x0000000000400000-0x00000000004CA000-memory.dmp   modiloader_stage2
Executes dropped EXE (1 IoC)
  pid   Process
  4740  360Setup.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  Process: 2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
  File opened (read-only), one IoC per drive letter: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Drops autorun.inf file (1 TTP, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
  description                  ioc             Process
  File opened for modification  F:\AutoRun.inf  2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
  File created                  C:\AutoRun.inf  2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
  File opened for modification  C:\AutoRun.inf  2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
  File created                  F:\AutoRun.inf  2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
Drops file in System32 directory (2 IoCs)
  description                  ioc                                Process
  File created                  C:\Windows\SysWOW64\_360Setup.exe  360Setup.exe
  File opened for modification  C:\Windows\SysWOW64\_360Setup.exe  360Setup.exe
Suspicious use of SetThreadContext (1 IoC)
  description                           pid   Process       procid_target
  PID 4740 set thread context of 1628   4740  360Setup.exe  82
Drops file in Program Files directory (3 IoCs)
  description                  ioc                             Process
  File created                  C:\Program Files\360Setup.exe  2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
  File opened for modification  C:\Program Files\360Setup.exe  2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
  File created                  C:\Program Files\SxDel.bat     2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  4588  1628        WerFault.exe  82
Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid   Process                                              procid_target  occurrences
  PID 232 wrote to memory of 4740    232   2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe  81             3
  PID 4740 wrote to memory of 1628   4740  360Setup.exe                                         82             5
  PID 232 wrote to memory of 2452    232   2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe  84             3
Processes
C:\Users\Admin\AppData\Local\Temp\2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2420a8ae643989b2f74e76ce2b01f816_JaffaCakes118.exe"
  PID: 232
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
    C:\Program Files\360Setup.exe
      command line: "C:\Program Files\360Setup.exe"
      PID: 4740
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\svchost.exe
          command line: "C:\Windows\system32\svchost.exe"
          PID: 1628
            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 12
              PID: 4588
              - Program crash
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\SxDel.bat""
      PID: 2452
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1628 -ip 1628
  PID: 4612
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 212B
  MD5: 322220ceadafaff7b2af326d09309d87
  SHA1: bf1e27aba2b45b990f4f28954a41478e3021d7bc
  SHA256: 6886507f23722b31222e03c5c60a07b7c3ec6d6e6685566952e2cdd63c9e0f84
  SHA512: f95b8e73fe317f996322ddc0a3133305e23a1c3e469d699e2197f7278e9953bb04ba0bbccdeeb7ca173128035c87006e7b8edb44e7a7732b9ed47514368c4d7d
File 2
  Filesize: 312KB
  MD5: 2420a8ae643989b2f74e76ce2b01f816
  SHA1: c808e8ae367ea9828181a971fd4f0e02674037f0
  SHA256: 3cb083da3bbbaca5c4c4142f7ba140f14a95ac8c5f60b0134baa720d4965ed9f
  SHA512: 50fb821d95203eb370b085f391764afc74b410c74195b6d5991c5cacfd8a8b536c5f3b15a1d9f472f73d89fc01775949bf2fcae2fbdf00ae1474c4453521dc61