Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-09-2024 12:04

General

  • Target

    e6c85ab76622b1aceaf60c2e936276eb_JaffaCakes118.exe

  • Size

    5.2MB

  • MD5

    e6c85ab76622b1aceaf60c2e936276eb

  • SHA1

    57f08c0e95d3b6c4ffae112ec1e5d0e16126b189

  • SHA256

    818e8cd865bd1366f8f8f272df6b99b60c769ff66cbb630cfe427976a5a0d24c

  • SHA512

    201cd9ee191d8740e90c7b40110d6cca003491cc462059278c384dc8c63b6b89a584ec68d0af09735fbea59af76dbaff46cf6f240f69b9eae0978c8229986c66

  • SSDEEP

    49152:F3xknDNbpSyJAYxfPK+gKlH+GOxET1kpLj8qZ1DU:F3xsb06bS+gKVdpxGLxZR

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 2 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6c85ab76622b1aceaf60c2e936276eb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e6c85ab76622b1aceaf60c2e936276eb_JaffaCakes118.exe"
    1⤵
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\program files\internet explorer\IEXPLORE.EXE
      "C:\program files\internet explorer\IEXPLORE.EXE"
      2⤵
        PID:2800

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2668-0-0x0000000000400000-0x00000000009B3000-memory.dmp
    Filesize 5.7MB
  • memory/2668-1-0x0000000000401000-0x0000000000451000-memory.dmp
    Filesize 320KB
  • memory/2668-3-0x0000000000400000-0x00000000009B3000-memory.dmp
    Filesize 5.7MB
  • memory/2668-5-0x0000000000400000-0x00000000009B3000-memory.dmp
    Filesize 5.7MB
  • memory/2668-4-0x0000000000401000-0x0000000000451000-memory.dmp
    Filesize 320KB
