Analysis

  • max time kernel
    136s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-10-2024 14:11

General

  • Target

    833e25233992bb9556c609abdcadd11a_JaffaCakes118.exe

  • Size

    723KB

  • MD5

    833e25233992bb9556c609abdcadd11a

  • SHA1

    3e80b309e2b3405906b4a1bf19d026ba3399e5ab

  • SHA256

    a5e4209934ad961d7ba16168366b73ff156cb47fde69647dbd3ae74b315428fa

  • SHA512

    5f2da24ff3122337af58ecacc6bb427778b8fa072569a4aebb553d0ab3a6dde31a1d92cd42c6de44dd786afc260a398662cd0684d92428477fa52f24909bbced

  • SSDEEP

    12288:MmiUu4i7Qgq0TRo48OY+ahueMKzlZF3Z4mxxMDqVTVOCu:qUuDlq0TeT2aHZQmXrVTzu

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • ModiLoader Second Stage 5 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\833e25233992bb9556c609abdcadd11a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\833e25233992bb9556c609abdcadd11a_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4224
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.EXE
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1.EXE
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1.EXE
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2604
        • C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server46.exe
          "C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server46.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3592
          • C:\Windows\SysWOW64\calc.exe
            "C:\Windows\system32\calc.exe"
            5⤵
              PID:3916
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 12
                6⤵
                • Program crash
                PID:708
            • C:\program files\internet explorer\IEXPLORE.EXE
              "C:\program files\internet explorer\IEXPLORE.EXE"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3300
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3300 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4996
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""
            4⤵
            • System Location Discovery: System Language Discovery
            PID:432
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3916 -ip 3916
      1⤵
        PID:1620

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat

        Filesize

        144B

        MD5

        b309e9e57716fc723c7af6a5540ce26b

        SHA1

        b8fa54b99bd4e2b1ea053dcb875b4e36e0fe21af

        SHA256

        4c9f013f5d7f280c77ad55367f03bb8547bf75adb9156700bb464bbad346a32f

        SHA512

        3e5fc2a50f4da949d523bdeb90982da6e136d912309e2507f2c2d77c6c2742caaeaa893954fcf03b44ea87898e9f937c1e82138d7257824213eb8f12e8ebc44e

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0GUUC90F\suggestions[1].en-US

        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.EXE

        Filesize

        384KB

        MD5

        c3723be6af33ad517e39fa597ce71fac

        SHA1

        561c9a87697dd868c496068012f40d7212eb8a21

        SHA256

        9f9567f0db994890bb45ab99dff19b0b378b164636417eda6239168a19459335

        SHA512

        6dbd71d0a12ab79b317a5e7460df1c8c5af54587b272c4a7a1680447826d443c1abf53bd0b4931a40df032de1f5408a236c2dbda8c11cc14350fab61c7e1e255

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1.EXE

        Filesize

        735KB

        MD5

        5f1c201abad80f62e146ef0831fbc383

        SHA1

        d7572f3e3dfd527c1566aa4014da6e8edccf4761

        SHA256

        0c267746c139f103c25f03596b86bc53d2e40242bb1e087d584c5b389215f70d

        SHA512

        c9d72c4affb34ee429078859f0feff41aab98c2c19ddb57e7847f8013ded6346a8e6b24d6863c6586fac9ceec757ac700782c99ce9471edea68a13f9b80500f4

      • memory/2604-30-0x0000000000400000-0x00000000004BF000-memory.dmp

        Filesize

        764KB

      • memory/3300-26-0x0000000000AA0000-0x0000000000B5F000-memory.dmp

        Filesize

        764KB

      • memory/3592-29-0x0000000000400000-0x00000000004BF000-memory.dmp

        Filesize

        764KB

      • memory/3916-24-0x0000000000400000-0x00000000004BF000-memory.dmp

        Filesize

        764KB

      • memory/4224-5-0x0000000001000000-0x00000000010C4000-memory.dmp

        Filesize

        784KB

      • memory/4224-8-0x0000000001000000-0x00000000010C4000-memory.dmp

        Filesize

        784KB

      • memory/4224-4-0x0000000001000000-0x00000000010C4000-memory.dmp

        Filesize

        784KB

      • memory/4224-3-0x0000000001000000-0x00000000010C4000-memory.dmp

        Filesize

        784KB

      • memory/4224-0-0x0000000001000000-0x00000000010C4000-memory.dmp

        Filesize

        784KB

      • memory/4224-32-0x0000000001000000-0x00000000010C4000-memory.dmp

        Filesize

        784KB

      • memory/4224-2-0x0000000001000000-0x00000000010C4000-memory.dmp

        Filesize

        784KB

      • memory/4224-1-0x000000000106C000-0x000000000106D000-memory.dmp

        Filesize

        4KB