Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24-09-2024 13:45
Behavioral task
behavioral1
Sample
f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe
-
Size
90KB
-
MD5
f3c5e2979473915ce47514b9a9a0991e
-
SHA1
005501244bfe45e4a4f02ff5ca0dc2c728e56057
-
SHA256
d804fd595e9008d7b90bf18c2ce3680a5a7f9bd609629db3cb2dc602cd5c2cb4
-
SHA512
3a89c92f490141a058ea294e2457fe6f123fe525fd00b6effed87b3bd8bd62228c957c489c7e1117319820cb7347c02ed58cbed946823b3f41769a832f099488
-
SSDEEP
1536:C9Pcb2OD+70Q8kIlHEOkXGHOUkXdtg/WqrT7J1O1CX1XFfpup7c9ipR:gcb/D+bFgjkCX1VQRc8pR
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies firewall policy service 3 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Common Files\System\Taskmngr.exe = "C:\\Program Files (x86)\\Common Files\\System\\Taskmngr.exe:*:Enabled:Windows Update" Taskmngr.exe -
ModiLoader Second Stage 3 IoCs
resource yara_rule behavioral1/memory/2108-4-0x0000000010000000-0x000000001001E000-memory.dmp modiloader_stage2 behavioral1/files/0x000a000000012233-10.dat modiloader_stage2 behavioral1/memory/3052-25-0x0000000010000000-0x000000001001E000-memory.dmp modiloader_stage2 -
Executes dropped EXE 2 IoCs
pid Process 3052 Taskmngr.exe 2260 Taskmngr.exe -
Loads dropped DLL 3 IoCs
pid Process 2992 f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe 2992 f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe 3052 Taskmngr.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Program Files (x86)\\Common Files\\System\\Taskmngr.exe" Taskmngr.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2108 set thread context of 2992 2108 f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe 30 PID 3052 set thread context of 2260 3052 Taskmngr.exe 32 -
Drops file in Program Files directory 6 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Common Files\System f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe File created C:\Program Files (x86)\Common Files\System\Taskmngr.exe f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Common Files\System\Taskmngr.exe f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Common Files\System Taskmngr.exe File created C:\Program Files (x86)\Common Files\System\Taskmngr.exe Taskmngr.exe File opened for modification C:\Program Files (x86)\Common Files\System\Taskmngr.exe Taskmngr.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Taskmngr.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2108 wrote to memory of 2992 2108 f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe 30 PID 2108 wrote to memory of 2992 2108 f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe 30 PID 2108 wrote to memory of 2992 2108 f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe 30 PID 2108 wrote to memory of 2992 2108 f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe 30 PID 2108 wrote to memory of 2992 2108 f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe 30 PID 2108 wrote to memory of 2992 2108 f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe 30 PID 2992 wrote to memory of 3052 2992 f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe 31 PID 2992 wrote to memory of 3052 2992 f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe 31 PID 2992 wrote to memory of 3052 2992 f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe 31 PID 2992 wrote to memory of 3052 2992 f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe 31 PID 3052 wrote to memory of 2260 3052 Taskmngr.exe 32 PID 3052 wrote to memory of 2260 3052 Taskmngr.exe 32 PID 3052 wrote to memory of 2260 3052 Taskmngr.exe 32 PID 3052 wrote to memory of 2260 3052 Taskmngr.exe 32 PID 3052 wrote to memory of 2260 3052 Taskmngr.exe 32 PID 3052 wrote to memory of 2260 3052 Taskmngr.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Users\Admin\AppData\Local\Temp\f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe2⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Program Files (x86)\Common Files\System\Taskmngr.exe"C:\Program Files (x86)\Common Files\System\Taskmngr.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Program Files (x86)\Common Files\System\Taskmngr.exe"C:\Program Files (x86)\Common Files\System\Taskmngr.exe"4⤵
- Modifies firewall policy service
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:2260
-
-
-
Network
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN A
-
Remote address:8.8.8.8:53Requestsluts.no-ip.orgIN AResponse
-
305 B 5
DNS Request
sluts.no-ip.org
DNS Request
sluts.no-ip.org
DNS Request
sluts.no-ip.org
DNS Request
sluts.no-ip.org
DNS Request
sluts.no-ip.org
-
305 B 5
DNS Request
sluts.no-ip.org
DNS Request
sluts.no-ip.org
DNS Request
sluts.no-ip.org
DNS Request
sluts.no-ip.org
DNS Request
sluts.no-ip.org
-
305 B 5
DNS Request
sluts.no-ip.org
DNS Request
sluts.no-ip.org
DNS Request
sluts.no-ip.org
DNS Request
sluts.no-ip.org
DNS Request
sluts.no-ip.org
-
305 B 5
DNS Request
sluts.no-ip.org
DNS Request
sluts.no-ip.org
DNS Request
sluts.no-ip.org
DNS Request
sluts.no-ip.org
DNS Request
sluts.no-ip.org
-
305 B 5
DNS Request
sluts.no-ip.org
DNS Request
sluts.no-ip.org
DNS Request
sluts.no-ip.org
DNS Request
sluts.no-ip.org
DNS Request
sluts.no-ip.org
-
61 B 121 B 1 1
DNS Request
sluts.no-ip.org
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
90KB
MD5f3c5e2979473915ce47514b9a9a0991e
SHA1005501244bfe45e4a4f02ff5ca0dc2c728e56057
SHA256d804fd595e9008d7b90bf18c2ce3680a5a7f9bd609629db3cb2dc602cd5c2cb4
SHA5123a89c92f490141a058ea294e2457fe6f123fe525fd00b6effed87b3bd8bd62228c957c489c7e1117319820cb7347c02ed58cbed946823b3f41769a832f099488