Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
17-09-2024 12:04
Static task
static1
Behavioral task
behavioral1
Sample
e6c85ab76622b1aceaf60c2e936276eb_JaffaCakes118.exe
Resource
win7-20240708-en
General
-
Target
e6c85ab76622b1aceaf60c2e936276eb_JaffaCakes118.exe
-
Size
5.2MB
-
MD5
e6c85ab76622b1aceaf60c2e936276eb
-
SHA1
57f08c0e95d3b6c4ffae112ec1e5d0e16126b189
-
SHA256
818e8cd865bd1366f8f8f272df6b99b60c769ff66cbb630cfe427976a5a0d24c
-
SHA512
201cd9ee191d8740e90c7b40110d6cca003491cc462059278c384dc8c63b6b89a584ec68d0af09735fbea59af76dbaff46cf6f240f69b9eae0978c8229986c66
-
SSDEEP
49152:F3xknDNbpSyJAYxfPK+gKlH+GOxET1kpLj8qZ1DU:F3xsb06bS+gKVdpxGLxZR
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 2 IoCs
resource yara_rule behavioral1/memory/2668-3-0x0000000000400000-0x00000000009B3000-memory.dmp modiloader_stage2 behavioral1/memory/2668-5-0x0000000000400000-0x00000000009B3000-memory.dmp modiloader_stage2 -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e6c85ab76622b1aceaf60c2e936276eb_JaffaCakes118.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine e6c85ab76622b1aceaf60c2e936276eb_JaffaCakes118.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA e6c85ab76622b1aceaf60c2e936276eb_JaffaCakes118.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2668 e6c85ab76622b1aceaf60c2e936276eb_JaffaCakes118.exe -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\2010.txt e6c85ab76622b1aceaf60c2e936276eb_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e6c85ab76622b1aceaf60c2e936276eb_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2668 e6c85ab76622b1aceaf60c2e936276eb_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2668 wrote to memory of 2800 2668 e6c85ab76622b1aceaf60c2e936276eb_JaffaCakes118.exe 30 PID 2668 wrote to memory of 2800 2668 e6c85ab76622b1aceaf60c2e936276eb_JaffaCakes118.exe 30 PID 2668 wrote to memory of 2800 2668 e6c85ab76622b1aceaf60c2e936276eb_JaffaCakes118.exe 30 PID 2668 wrote to memory of 2800 2668 e6c85ab76622b1aceaf60c2e936276eb_JaffaCakes118.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6c85ab76622b1aceaf60c2e936276eb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e6c85ab76622b1aceaf60c2e936276eb_JaffaCakes118.exe"1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\program files\internet explorer\IEXPLORE.EXE"C:\program files\internet explorer\IEXPLORE.EXE"2⤵PID:2800
-