Analysis
-
max time kernel
140s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system -
submitted
04/07/2024, 06:17
Static task
static1
Behavioral task
behavioral1
Sample
24ea45716e1f4fe1eeb203637eb77f9f_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
24ea45716e1f4fe1eeb203637eb77f9f_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
24ea45716e1f4fe1eeb203637eb77f9f_JaffaCakes118.exe
-
Size
597KB
-
MD5
24ea45716e1f4fe1eeb203637eb77f9f
-
SHA1
c1d9c0c1770c9d8192cdd397242b176901dd4714
-
SHA256
e3d76d970541997e04cdeea6fdef66ee9955f50dc73cb50576aea670587bb2ed
-
SHA512
831c82584dc2c3b869aab34afb881614f99b87be7f594ee6dd2cc0dce5b521037dde0e0113f6bfc561e3945d43b429b4e59e6daa606a28afc9d2cfc86195dcb1
-
SSDEEP
12288:0uUuIk3sYOZy/P8FNiKJ+aq8uWmzxNWmbBqQQ3szCJ:0Rtk3lb/PVKJ3qNrnBTQcs
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
resource: behavioral1/memory/1888-18-0x0000000000400000-0x00000000004FF000-memory.dmp
yara_rule: modiloader_stage2 -
Executes dropped EXE 1 IoCs
pid: 1888  Process: 4.exe -
Loads dropped DLL 3 IoCs
pid: 840  Process: 24ea45716e1f4fe1eeb203637eb77f9f_JaffaCakes118.exe
pid: 840  Process: 24ea45716e1f4fe1eeb203637eb77f9f_JaffaCakes118.exe
pid: 1888  Process: 4.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: 24ea45716e1f4fe1eeb203637eb77f9f_JaffaCakes118.exe
Note: a wextract_cleanup0 RunOnce value that calls advpack.dll,DelNodeRunDLL32 on an IXP000.TMP directory is the cleanup entry every IExpress self-extracting package registers to delete its extraction directory at next logon. Here it shows that the submitted file is an IExpress wrapper that unpacks and launches 4.exe; it is not by itself a persistence mechanism. -
Drops file in Program Files directory 1 IoCs
description: File created  ioc: C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt  Process: 4.exe -
Program crash 1 IoCs
pid: 2572  pid_target: 1888  Process: WerFault.exe  procid_target: 28 -
Suspicious use of WriteProcessMemory 21 IoCs
description: PID 840 wrote to memory of 1888 (logged 7 times)  pid: 840  Process: 24ea45716e1f4fe1eeb203637eb77f9f_JaffaCakes118.exe  procid_target: 28
description: PID 1888 wrote to memory of 2660 (logged 7 times)  pid: 1888  Process: 4.exe  procid_target: 29
description: PID 1888 wrote to memory of 2572 (logged 7 times)  pid: 1888  Process: 4.exe  procid_target: 30 -
Processes
-
C:\Users\Admin\AppData\Local\Temp\24ea45716e1f4fe1eeb203637eb77f9f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24ea45716e1f4fe1eeb203637eb77f9f_JaffaCakes118.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:840
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1888
    C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    PID:2660
    C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 372
    - Program crash
    PID:2572
-
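The WriteProcessMemory table and the process list above are easier to reason about once the per-call rows are folded into parent/child edges and read together with the RunOnce entry. The script below is an added example, not code from the sandbox or from this report; the process table, the write events and the RunOnce value are constructed by hand from the tables on this page, and the classification rules (IExpress cleanup, crash-reporting handshake, dropped executable writing into a child it just spawned) are the author's heuristics, not signatures the sandbox applies.

```python
"""Correlate the event rows of a triage-style sandbox report into a process
tree and classify each cross-process write. All sample data is constructed:
it is transcribed from the tables on this page, not pulled programmatically."""
import re
from collections import defaultdict

# Constructed: pid -> (parent pid, image path), from the Processes section.
PROCESSES = {
    840: (None, r"C:\Users\Admin\AppData\Local\Temp\24ea45716e1f4fe1eeb203637eb77f9f_JaffaCakes118.exe"),
    1888: (840, r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe"),
    2660: (1888, r"C:\program files\internet explorer\IEXPLORE.EXE"),
    2572: (1888, r"C:\Windows\SysWOW64\WerFault.exe"),
}

# Constructed: (writer pid, target pid), one row per WriteProcessMemory call.
WPM_EVENTS = [(840, 1888)] * 7 + [(1888, 2660)] * 7 + [(1888, 2572)] * 7

# Constructed: the RunOnce value string from the "Adds Run key" table.
RUNONCE_VALUE = (
    r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 '
    r'"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'
)

# IExpress self-extractors register this RunOnce entry to delete their
# IXP###.TMP extraction directory at next logon: cleanup, not persistence.
IEXPRESS_CLEANUP = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"', re.IGNORECASE)


def basename(path):
    """Last component of a Windows path (os.path would split on '/' on Linux)."""
    return path.rsplit("\\", 1)[-1]


def iexpress_extract_dir(runonce_value):
    """Return the normalised extraction directory named by an IExpress cleanup
    RunOnce value, or None if the value does not match that pattern."""
    m = IEXPRESS_CLEANUP.search(runonce_value)
    return m.group(1).rstrip("\\").lower() if m else None


def collapse_writes(events):
    """Fold the per-call rows into (writer, target) -> call count."""
    counts = defaultdict(int)
    for src, dst in events:
        counts[(src, dst)] += 1
    return dict(counts)


def under_dir(path, directory):
    return path.lower().startswith(directory + "\\")


def analyse(processes, events, runonce_value):
    """Classify every writer->target edge; returns (kind, detail) tuples."""
    findings = []
    extract_dir = iexpress_extract_dir(runonce_value)
    if extract_dir:
        findings.append(("iexpress_sfx", extract_dir))
    for (src, dst), _count in sorted(collapse_writes(events).items()):
        dst_ppid, dst_img = processes[dst]
        src_img = processes[src][1]
        if basename(dst_img).lower() == "werfault.exe":
            # WER is launched by the faulting process, which then hands it
            # exception data, so a write into WerFault.exe is a crash, not injection.
            findings.append(("crash", (src, dst)))
        elif dst_ppid == src and extract_dir and under_dir(src_img, extract_dir):
            # A dropped executable writing into a child it just spawned is the
            # usual shape of injection; dump that child's memory next.
            findings.append(("inject_candidate", (src, dst)))
        elif dst_ppid == src:
            findings.append(("parent_write", (src, dst)))
        else:
            findings.append(("unrelated_write", (src, dst)))
    return findings


def render_tree(processes, root=None, depth=0):
    """Indented parent/child listing in the style of the Processes section."""
    lines = []
    for pid, (ppid, image) in processes.items():
        if ppid == root:
            lines.append("  " * depth + f"{basename(image)} (PID {pid})")
            lines.extend(render_tree(processes, pid, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES)))
    for kind, detail in analyse(PROCESSES, WPM_EVENTS, RUNONCE_VALUE):
        print(f"{kind:17} {detail}")
```

Run against the constructed data, the script reports the RunOnce entry as IExpress cleanup of IXP000.TMP, the 840 to 1888 writes as a parent writing into its child, the 1888 to 2572 writes as the crash handshake that matches the "-p 1888" on the WerFault command line, and the 1888 to 2660 writes as a dropped executable writing into the iexplore.exe it spawned, which is the edge worth pulling a memory dump for.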
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
561KB
MD5 8df047fd8e9c5657dd4ca86d40919995
SHA1 8cecf1b3b0a13f09e4fa3d5d6d69f07c51dfeaba
SHA256 ab4a5bb05b5c09a8b9e99caddd1f07583be6a77bb9ca4d3f0f7aa50d4b34b822
SHA512 c469ece17c940301e920ae7651e28d03eb0af7b3b32ee7094cfb73bbebc443edfa90e371631b871307db7631e0ed3f8837a680712286ec4f86be0a5cfcb15512