bruteratel | 47d939c48079872afc12ba969ce65ce8e0bf900e2c596ee7a6e2e5433ab2788f

General

Target

e4110081bf11752760525a88cef01690_JaffaCakes118.exe
Size

1.0MB
MD5

e4110081bf11752760525a88cef01690
SHA1

ec723835051ba18424fceeefd640ce436b417f43
SHA256

47d939c48079872afc12ba969ce65ce8e0bf900e2c596ee7a6e2e5433ab2788f
SHA512

b04dcf7dd8e8bd6dbce9fe31629a2c3704ea6addeda54b6342dca8c6674fdae18b3c7849cc7f4f5bceb5b64ccf12ab7f91455694d3d5bacb3c0953e1fe61eb6a
SSDEEP

12288:3WHuC1d0K+cGaFjkLkzPQGEqYxS8Mz8C6VyPPFB/ONVHW7iwKaVE5PChwVlyN14u:GNAGGaFjc1lMz8C6VmPyuPhug45LEBa

Score

10^/10

bruteratel modiloader backdoor discovery evasion trojan

Malware Config

Signatures

Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4588-19-0x0000000000400000-0x000000000050F000-memory.dmp	modiloader_stage2

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ãÓäÌÑ.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ãÓäÌÑ.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e4110081bf11752760525a88cef01690_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	e4110081bf11752760525a88cef01690_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

Magic-PS v1.5 Final (Private).exeãÓäÌÑ.exe

pid	Process
1160	Magic-PS v1.5 Final (Private).exe
3392	ãÓäÌÑ.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

ãÓäÌÑ.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Wine	ãÓäÌÑ.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

ãÓäÌÑ.exe

pid	Process
3392	ãÓäÌÑ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Magic-PS v1.5 Final (Private).exeãÓäÌÑ.exee4110081bf11752760525a88cef01690_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Magic-PS v1.5 Final (Private).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ãÓäÌÑ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4110081bf11752760525a88cef01690_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ãÓäÌÑ.exe

pid	Process
3392	ãÓäÌÑ.exe
3392	ãÓäÌÑ.exe
3392	ãÓäÌÑ.exe
3392	ãÓäÌÑ.exe
3392	ãÓäÌÑ.exe
3392	ãÓäÌÑ.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

e4110081bf11752760525a88cef01690_JaffaCakes118.exeãÓäÌÑ.exe

description	pid	Process	procid_target
PID 4588 wrote to memory of 1160	4588	e4110081bf11752760525a88cef01690_JaffaCakes118.exe	86
PID 4588 wrote to memory of 1160	4588	e4110081bf11752760525a88cef01690_JaffaCakes118.exe	86
PID 4588 wrote to memory of 1160	4588	e4110081bf11752760525a88cef01690_JaffaCakes118.exe	86
PID 4588 wrote to memory of 3392	4588	e4110081bf11752760525a88cef01690_JaffaCakes118.exe	87
PID 4588 wrote to memory of 3392	4588	e4110081bf11752760525a88cef01690_JaffaCakes118.exe	87
PID 4588 wrote to memory of 3392	4588	e4110081bf11752760525a88cef01690_JaffaCakes118.exe	87
PID 3392 wrote to memory of 3536	3392	ãÓäÌÑ.exe	56
PID 3392 wrote to memory of 3536	3392	ãÓäÌÑ.exe	56
PID 3392 wrote to memory of 3536	3392	ãÓäÌÑ.exe	56
PID 3392 wrote to memory of 3536	3392	ãÓäÌÑ.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3536
- C:\Users\Admin\AppData\Local\Temp\e4110081bf11752760525a88cef01690_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e4110081bf11752760525a88cef01690_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Users\Admin\AppData\Local\Temp\Magic-PS v1.5 Final (Private).exe
    "C:\Users\Admin\AppData\Local\Temp\Magic-PS v1.5 Final (Private).exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1160
- - C:\Users\Admin\AppData\Local\Temp\ãÓäÌÑ.exe
    "C:\Users\Admin\AppData\Local\Temp\ãÓäÌÑ.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Magic-PS v1.5 Final (Private).exe

Filesize
215KB

MD5
e9459ea11eb9d6878651e1409207de1b

SHA1
b7dd28ddea8a69b8464d546fa81e3cd7fae7433b

SHA256
d1c67f09f8c7e2f23d3f17829905527da266b6dfba9fb9d25d7acd1302f8aeea

SHA512
80bcf0be808d3da8e45e9faa6b785fc495c1225dbd8aced45c25dde24f1c05fdc7317ab2c451e25e2296d331af432c8a629f6eb71ff9addb7787c5b9a7e2f62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ãÓäÌÑ.exe

Filesize
827KB

MD5
b3f94a01f0eb23e5ca96bc88a06d7566

SHA1
14a5a93dc2cd47615ae855740386cc8eb39176ac

SHA256
e4edefb22112c412a7b35cd001ce7ed0b24e23680f2ee3fe3130f1c0caf16f22

SHA512
7932f62922bf80121c1d5186144c79d376f8238fa142c310be8247157e4165fca8e75e8627e9791660fb086e483ee22ff057622b1f55dabf2d9724285e76cfa7

Download Submit
memory/1160-17-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/1160-16-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1160-28-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1160-30-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3392-18-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3392-21-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3392-20-0x0000000000401000-0x0000000000408000-memory.dmp

Filesize
28KB

Download
memory/3536-23-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3536-24-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/4588-19-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads