Analysis
max time kernel: 122s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 31-10-2024 14:11
Static task: static1
Behavioral task: behavioral1
  Sample: 833e25233992bb9556c609abdcadd11a_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 833e25233992bb9556c609abdcadd11a_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 833e25233992bb9556c609abdcadd11a_JaffaCakes118.exe
Size: 723KB
MD5: 833e25233992bb9556c609abdcadd11a
SHA1: 3e80b309e2b3405906b4a1bf19d026ba3399e5ab
SHA256: a5e4209934ad961d7ba16168366b73ff156cb47fde69647dbd3ae74b315428fa
SHA512: 5f2da24ff3122337af58ecacc6bb427778b8fa072569a4aebb553d0ab3a6dde31a1d92cd42c6de44dd786afc260a398662cd0684d92428477fa52f24909bbced
SSDEEP: 12288:MmiUu4i7Qgq0TRo48OY+ahueMKzlZF3Z4mxxMDqVTVOCu:qUuDlq0TeT2aHZQmXrVTzu
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modiloader family

ModiLoader Second Stage (5 IoCs)
  resource | yara_rule
  behavioral1/files/0x0007000000018731-47.dat | modiloader_stage2
  behavioral1/memory/2916-74-0x0000000000400000-0x00000000004BF000-memory.dmp | modiloader_stage2
  behavioral1/memory/2856-86-0x0000000000400000-0x00000000004BF000-memory.dmp | modiloader_stage2
  behavioral1/memory/2120-93-0x0000000000400000-0x00000000004BF000-memory.dmp | modiloader_stage2
  behavioral1/memory/2120-94-0x0000000000400000-0x00000000004BF000-memory.dmp | modiloader_stage2

Executes dropped EXE (3 IoCs)
  pid | Process
  1152 | 2.EXE
  2856 | 1.EXE
  2120 | Server46.exe

Loads dropped DLL (9 IoCs)
  pid | Process | events
  2364 | 833e25233992bb9556c609abdcadd11a_JaffaCakes118.exe | x2
  1152 | 2.EXE | x2
  2856 | 1.EXE | x2
  2736 | WerFault.exe | x3

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 833e25233992bb9556c609abdcadd11a_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | 2.EXE

Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\_Server46.exe | Server46.exe
  File opened for modification | C:\Windows\SysWOW64\_Server46.exe | Server46.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2120 set thread context of 2916 | 2120 | Server46.exe | 34

Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server46.exe | 1.EXE
  File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat | 1.EXE
  File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server46.exe | 1.EXE

Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  2736 | 2120 | WerFault.exe | 33

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 833e25233992bb9556c609abdcadd11a_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Server46.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Suspicious use of WriteProcessMemory (26 IoCs)
  description | pid | Process | procid_target | events
  PID 2364 wrote to memory of 1152 | 2364 | 833e25233992bb9556c609abdcadd11a_JaffaCakes118.exe | 31 | x4
  PID 1152 wrote to memory of 2856 | 1152 | 2.EXE | 32 | x4
  PID 2856 wrote to memory of 2120 | 2856 | 1.EXE | 33 | x4
  PID 2120 wrote to memory of 2916 | 2120 | Server46.exe | 34 | x6
  PID 2120 wrote to memory of 2736 | 2120 | Server46.exe | 35 | x4
  PID 2856 wrote to memory of 2164 | 2856 | 1.EXE | 36 | x4
Processes
C:\Users\Admin\AppData\Local\Temp\833e25233992bb9556c609abdcadd11a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\833e25233992bb9556c609abdcadd11a_JaffaCakes118.exe"
  PID: 2364
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.EXE
    PID: 1152
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1.EXE
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1.EXE
      PID: 2856
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server46.exe
        Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server46.exe"
        PID: 2120
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\calc.exe
          Command line: "C:\Windows\system32\calc.exe"
          PID: 2916
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 280
          PID: 2736
          - Loads dropped DLL
          - Program crash
      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""
        PID: 2164
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 144B
MD5: b309e9e57716fc723c7af6a5540ce26b
SHA1: b8fa54b99bd4e2b1ea053dcb875b4e36e0fe21af
SHA256: 4c9f013f5d7f280c77ad55367f03bb8547bf75adb9156700bb464bbad346a32f
SHA512: 3e5fc2a50f4da949d523bdeb90982da6e136d912309e2507f2c2d77c6c2742caaeaa893954fcf03b44ea87898e9f937c1e82138d7257824213eb8f12e8ebc44e

Filesize: 384KB
MD5: c3723be6af33ad517e39fa597ce71fac
SHA1: 561c9a87697dd868c496068012f40d7212eb8a21
SHA256: 9f9567f0db994890bb45ab99dff19b0b378b164636417eda6239168a19459335
SHA512: 6dbd71d0a12ab79b317a5e7460df1c8c5af54587b272c4a7a1680447826d443c1abf53bd0b4931a40df032de1f5408a236c2dbda8c11cc14350fab61c7e1e255

Filesize: 735KB
MD5: 5f1c201abad80f62e146ef0831fbc383
SHA1: d7572f3e3dfd527c1566aa4014da6e8edccf4761
SHA256: 0c267746c139f103c25f03596b86bc53d2e40242bb1e087d584c5b389215f70d
SHA512: c9d72c4affb34ee429078859f0feff41aab98c2c19ddb57e7847f8013ded6346a8e6b24d6863c6586fac9ceec757ac700782c99ce9471edea68a13f9b80500f4