Analysis
max time kernel: 118s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14/09/2024, 22:00
Behavioral task: behavioral1
Sample: e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
Size: 786KB
MD5: e11f797fa001457a8de0b985b8efd17e
SHA1: 69e9c3e1e7b3c260dc300dcd452ecf26ee1aeef0
SHA256: 111fe6977249740d31b9af738c485b007ad050f6fc450f54b8e4df60789894ad
SHA512: fce1cb7ddd88a140786043c4acf1795cf910d28046c2485bf6c5e4e8f7c2fc6514c68de31db4b88ac2ea1b7b43a3a414584f2a9fdd9af2d816656ba87a23c45e
SSDEEP: 12288:AlZYc2z1y6lc5AgHQPQjd+d6v75Ce6BODa4ATsuPycl4O8yDl4lmTwA:AlKcI1uYPQjd+s755C3zDxl4lmTB
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage (7 IoCs)
resource | yara_rule
behavioral1/memory/2524-0-0x0000000000400000-0x00000000004C7000-memory.dmp | modiloader_stage2
behavioral1/files/0x0001000000000027-10.dat | modiloader_stage2
behavioral1/memory/1928-20-0x0000000000400000-0x00000000004C7000-memory.dmp | modiloader_stage2
behavioral1/memory/2764-29-0x0000000000400000-0x00000000004C7000-memory.dmp | modiloader_stage2
behavioral1/memory/2524-34-0x0000000000400000-0x00000000004C7000-memory.dmp | modiloader_stage2
behavioral1/memory/1928-35-0x0000000000400000-0x00000000004C7000-memory.dmp | modiloader_stage2
behavioral1/memory/2524-43-0x0000000000400000-0x00000000004C7000-memory.dmp | modiloader_stage2
Deletes itself (1 IoC)
pid | Process
1872 | cmd.exe
Executes dropped EXE (1 IoC)
pid | Process
1928 | rejoice91.exe
Loads dropped DLL (5 IoCs)
pid | Process
2524 | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
2524 | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
2832 | WerFault.exe
2832 | WerFault.exe
2832 | WerFault.exe
resource | yara_rule
behavioral1/memory/2524-0-0x0000000000400000-0x00000000004C7000-memory.dmp | upx
behavioral1/files/0x0001000000000027-10.dat | upx
behavioral1/memory/2524-18-0x0000000002090000-0x0000000002157000-memory.dmp | upx
behavioral1/memory/1928-20-0x0000000000400000-0x00000000004C7000-memory.dmp | upx
behavioral1/memory/2764-29-0x0000000000400000-0x00000000004C7000-memory.dmp | upx
behavioral1/memory/2524-34-0x0000000000400000-0x00000000004C7000-memory.dmp | upx
behavioral1/memory/1928-35-0x0000000000400000-0x00000000004C7000-memory.dmp | upx
behavioral1/memory/2524-43-0x0000000000400000-0x00000000004C7000-memory.dmp | upx
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\V: | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File opened (read-only) | \??\H: | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File opened (read-only) | \??\T: | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File opened (read-only) | \??\E: | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File opened (read-only) | \??\G: | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File opened (read-only) | \??\M: | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File opened (read-only) | \??\O: | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File opened (read-only) | \??\R: | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File opened (read-only) | \??\W: | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File opened (read-only) | \??\A: | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File opened (read-only) | \??\B: | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File opened (read-only) | \??\X: | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File opened (read-only) | \??\Q: | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File opened (read-only) | \??\Z: | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File opened (read-only) | \??\I: | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File opened (read-only) | \??\K: | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File opened (read-only) | \??\N: | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File opened (read-only) | \??\P: | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File opened (read-only) | \??\S: | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File opened (read-only) | \??\U: | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File opened (read-only) | \??\Y: | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File opened (read-only) | \??\J: | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File opened (read-only) | \??\L: | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
Drops autorun.inf file (1 TTP, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | C:\AutoRun.inf | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File opened for modification | C:\AutoRun.inf | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File created | F:\AutoRun.inf | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File opened for modification | F:\AutoRun.inf | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\_rejoice91.exe | rejoice91.exe
File opened for modification | C:\Windows\SysWOW64\_rejoice91.exe | rejoice91.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1928 set thread context of 2764 | 1928 | rejoice91.exe | 31
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice91.exe | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice91.exe | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
2832 | 1928 | WerFault.exe | 30
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rejoice91.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 2524 wrote to memory of 1928 | 2524 | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe | 30
PID 2524 wrote to memory of 1928 | 2524 | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe | 30
PID 2524 wrote to memory of 1928 | 2524 | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe | 30
PID 2524 wrote to memory of 1928 | 2524 | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe | 30
PID 1928 wrote to memory of 2764 | 1928 | rejoice91.exe | 31
PID 1928 wrote to memory of 2764 | 1928 | rejoice91.exe | 31
PID 1928 wrote to memory of 2764 | 1928 | rejoice91.exe | 31
PID 1928 wrote to memory of 2764 | 1928 | rejoice91.exe | 31
PID 1928 wrote to memory of 2764 | 1928 | rejoice91.exe | 31
PID 1928 wrote to memory of 2764 | 1928 | rejoice91.exe | 31
PID 1928 wrote to memory of 2832 | 1928 | rejoice91.exe | 32
PID 1928 wrote to memory of 2832 | 1928 | rejoice91.exe | 32
PID 1928 wrote to memory of 2832 | 1928 | rejoice91.exe | 32
PID 1928 wrote to memory of 2832 | 1928 | rejoice91.exe | 32
PID 2524 wrote to memory of 1872 | 2524 | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe | 34
PID 2524 wrote to memory of 1872 | 2524 | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe | 34
PID 2524 wrote to memory of 1872 | 2524 | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe | 34
PID 2524 wrote to memory of 1872 | 2524 | e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe | 34
Processes
C:\Users\Admin\AppData\Local\Temp\e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e11f797fa001457a8de0b985b8efd17e_JaffaCakes118.exe"
  Level: 1, PID: 2524
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice91.exe
    Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice91.exe"
    Level: 2, PID: 1928
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\calc.exe
      Command line: "C:\Windows\system32\calc.exe"
      Level: 3, PID: 2764
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 280
      Level: 3, PID: 2832
      - Loads dropped DLL
      - Program crash
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
    Level: 2, PID: 1872
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 212B
MD5: 4fcceed71663bb45154c631e73757c53
SHA1: e5ae60d8296195c81a65ec412a0cd81637305901
SHA256: 053b416993af3f05dadb45a0d249eba5d411d180af44071772713db79d61fd2c
SHA512: 8ca8989c19106ce13f6865d8e518ed7a703608e0e43acd76f16eccb97c8befcb9ef03575b06fa7c8eaceb256882b9aa79983d4baad4ed3d9f4e7c282d753197f
Filesize: 786KB
MD5: e11f797fa001457a8de0b985b8efd17e
SHA1: 69e9c3e1e7b3c260dc300dcd452ecf26ee1aeef0
SHA256: 111fe6977249740d31b9af738c485b007ad050f6fc450f54b8e4df60789894ad
SHA512: fce1cb7ddd88a140786043c4acf1795cf910d28046c2485bf6c5e4e8f7c2fc6514c68de31db4b88ac2ea1b7b43a3a414584f2a9fdd9af2d816656ba87a23c45e