Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
23/07/2024, 10:23
Static task
static1
Behavioral task
behavioral1
Sample
672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
-
Size
628KB
-
MD5
672fec09c1e3b1c4371a105f2e1b3cbf
-
SHA1
51de31e594739df07c7ecbef4b497f6d24ebf753
-
SHA256
220f60a75ba617d6c57a8b640e4546723646b2655ea146b898993d531186c84c
-
SHA512
f799d44bc56010e87fad6ed9029303e4ca3b69c55be4a475bd0030ff26e7959b07ab69ac0dc62b35747e107b31f540c801dd5a2be00de15edf3463739ca56c48
-
SSDEEP
12288:2eX2dhLTl8BBg31g0Owy/HCdhIw54aGNJhhSoRhBjrhIXa061CPQgcwQhFn:xmdxTODgTOwy/HwhR54aiiItaz61CPnc
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 2 IoCs
resource yara_rule behavioral2/memory/712-85-0x0000000000400000-0x00000000005B6000-memory.dmp modiloader_stage2 behavioral2/memory/1880-86-0x0000000000400000-0x00000000005B6000-memory.dmp modiloader_stage2 -
Executes dropped EXE 1 IoCs
pid Process 712 RECYCLER.EXE -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File opened (read-only) \??\J: 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File opened (read-only) \??\M: 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File opened (read-only) \??\R: 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File opened (read-only) \??\W: 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File opened (read-only) \??\Y: 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File opened (read-only) \??\E: 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File opened (read-only) \??\I: 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File opened (read-only) \??\O: 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File opened (read-only) \??\S: 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File opened (read-only) \??\U: 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File opened (read-only) \??\V: 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File opened (read-only) \??\X: 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File opened (read-only) \??\Z: 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File opened (read-only) \??\A: 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File opened (read-only) \??\B: 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File opened (read-only) \??\H: 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File opened (read-only) \??\K: 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File opened (read-only) \??\L: 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File opened (read-only) \??\N: 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File opened (read-only) \??\P: 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File opened (read-only) \??\Q: 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File opened (read-only) \??\T: 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\AutoRun.inf 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File opened for modification F:\AutoRun.inf 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 712 set thread context of 4140 712 RECYCLER.EXE 88 -
Drops file in Program Files directory 5 IoCs
description ioc Process File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe File created C:\Program Files\_RECYCLER.EXE RECYCLER.EXE File opened for modification C:\Program Files\_RECYCLER.EXE RECYCLER.EXE File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31120622" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428496863" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{837880A9-48E1-11EF-BE68-E2A4B68B11BB} = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31120622" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1482869802" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31120622" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1475681909" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1475681909" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\DomainSuggestion IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4140 IEXPLORE.EXE -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 4140 IEXPLORE.EXE 4140 IEXPLORE.EXE 4888 IEXPLORE.EXE 4888 IEXPLORE.EXE 4888 IEXPLORE.EXE 4888 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 1880 wrote to memory of 712 1880 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe 87 PID 1880 wrote to memory of 712 1880 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe 87 PID 1880 wrote to memory of 712 1880 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe 87 PID 712 wrote to memory of 4140 712 RECYCLER.EXE 88 PID 712 wrote to memory of 4140 712 RECYCLER.EXE 88 PID 712 wrote to memory of 4140 712 RECYCLER.EXE 88 PID 712 wrote to memory of 4140 712 RECYCLER.EXE 88 PID 1880 wrote to memory of 3800 1880 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe 89 PID 1880 wrote to memory of 3800 1880 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe 89 PID 1880 wrote to memory of 3800 1880 672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe 89 PID 4140 wrote to memory of 4888 4140 IEXPLORE.EXE 91 PID 4140 wrote to memory of 4888 4140 IEXPLORE.EXE 91 PID 4140 wrote to memory of 4888 4140 IEXPLORE.EXE 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe"1⤵
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE"C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:712 -
C:\program files\internet explorer\IEXPLORE.EXE"C:\program files\internet explorer\IEXPLORE.EXE"3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4140 CREDAT:17410 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4888
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""2⤵PID:3800
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
172B
MD5927852231949a3349759bf1b81099a00
SHA1859edef102d3daef447a34a2c2db8b3e54a18bf0
SHA2564fe401c28161efc84b7a28d236c79680fd6bc5631d23533ccaa3afe8a13e1297
SHA512cbdcb8194be39dfea6015182a57d043c9e2de807e96283fcc967a243a9f8d6223cca4190082408dfb5b213f08aae0a2a4444787425f22f8c033b2ea8533fe3fb
-
Filesize
212B
MD519032213762b50418eabafd10eadcea3
SHA17d16d9807b64cd9b7de7961add9030a1b6ede268
SHA256f03f6b8065e420c4f1616e8d3c395392a61bc11bd3be75c3fa0958929a3a743a
SHA51222e43c74f4becc6862f33e55dc18b2ad4eaf043a9f4a74082438ffe83f178cbb1940ec68eb4a05d36b20b50d284b03cb6c4364ec4dad8079fc2d812961185555
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
628KB
MD5672fec09c1e3b1c4371a105f2e1b3cbf
SHA151de31e594739df07c7ecbef4b497f6d24ebf753
SHA256220f60a75ba617d6c57a8b640e4546723646b2655ea146b898993d531186c84c
SHA512f799d44bc56010e87fad6ed9029303e4ca3b69c55be4a475bd0030ff26e7959b07ab69ac0dc62b35747e107b31f540c801dd5a2be00de15edf3463739ca56c48