Analysis
- max time kernel: 136s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-10-2024 14:11
Static task: static1
Behavioral task: behavioral1
  Sample: 833e25233992bb9556c609abdcadd11a_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 833e25233992bb9556c609abdcadd11a_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
- Target: 833e25233992bb9556c609abdcadd11a_JaffaCakes118.exe
- Size: 723KB
- MD5: 833e25233992bb9556c609abdcadd11a
- SHA1: 3e80b309e2b3405906b4a1bf19d026ba3399e5ab
- SHA256: a5e4209934ad961d7ba16168366b73ff156cb47fde69647dbd3ae74b315428fa
- SHA512: 5f2da24ff3122337af58ecacc6bb427778b8fa072569a4aebb553d0ab3a6dde31a1d92cd42c6de44dd786afc260a398662cd0684d92428477fa52f24909bbced
- SSDEEP: 12288:MmiUu4i7Qgq0TRo48OY+ahueMKzlZF3Z4mxxMDqVTVOCu:qUuDlq0TeT2aHZQmXrVTzu
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 5 IoCs
Processes:
  resource | yara_rule
  behavioral2/files/0x0008000000023c9c-16.dat | modiloader_stage2
  behavioral2/memory/3916-24-0x0000000000400000-0x00000000004BF000-memory.dmp | modiloader_stage2
  behavioral2/memory/3300-26-0x0000000000AA0000-0x0000000000B5F000-memory.dmp | modiloader_stage2
  behavioral2/memory/3592-29-0x0000000000400000-0x00000000004BF000-memory.dmp | modiloader_stage2
  behavioral2/memory/2604-30-0x0000000000400000-0x00000000004BF000-memory.dmp | modiloader_stage2
-
Executes dropped EXE 3 IoCs
Processes:
  pid | Process
  2572 | 2.EXE
  2604 | 1.EXE
  3592 | Server46.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 833e25233992bb9556c609abdcadd11a_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | 2.EXE
-
Drops file in System32 directory 2 IoCs
Processes:
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\_Server46.exe | Server46.exe
  File created | C:\Windows\SysWOW64\_Server46.exe | Server46.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
  description | pid | Process | procid_target
  PID 3592 set thread context of 3916 | 3592 | Server46.exe | 90
  PID 3592 set thread context of 3300 | 3592 | Server46.exe | 91
-
Drops file in Program Files directory 3 IoCs
Processes:
  description | ioc | Process
  File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server46.exe | 1.EXE
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server46.exe | 1.EXE
  File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat | 1.EXE
-
Program crash 1 IoCs
Processes:
  pid | pid_target | Process | procid_target
  708 | 3916 | WerFault.exe | 90
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 833e25233992bb9556c609abdcadd11a_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Server46.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Modifies Internet Explorer settings
Processes:
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437148969" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "425704643" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "431173199" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (data) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140767" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "425704643" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31140767" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140767" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{44E31B42-9792-11EF-BEF1-468C69F2ED48} = "0" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
  pid | Process
  3300 | IEXPLORE.EXE
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
  pid | Process
  3300 | IEXPLORE.EXE
  3300 | IEXPLORE.EXE
  4996 | IEXPLORE.EXE
  4996 | IEXPLORE.EXE
  4996 | IEXPLORE.EXE
  4996 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
  description | pid | Process | procid_target
  PID 4224 wrote to memory of 2572 | 4224 | 833e25233992bb9556c609abdcadd11a_JaffaCakes118.exe | 84
  PID 4224 wrote to memory of 2572 | 4224 | 833e25233992bb9556c609abdcadd11a_JaffaCakes118.exe | 84
  PID 4224 wrote to memory of 2572 | 4224 | 833e25233992bb9556c609abdcadd11a_JaffaCakes118.exe | 84
  PID 2572 wrote to memory of 2604 | 2572 | 2.EXE | 85
  PID 2572 wrote to memory of 2604 | 2572 | 2.EXE | 85
  PID 2572 wrote to memory of 2604 | 2572 | 2.EXE | 85
  PID 2604 wrote to memory of 3592 | 2604 | 1.EXE | 89
  PID 2604 wrote to memory of 3592 | 2604 | 1.EXE | 89
  PID 2604 wrote to memory of 3592 | 2604 | 1.EXE | 89
  PID 3592 wrote to memory of 3916 | 3592 | Server46.exe | 90
  PID 3592 wrote to memory of 3916 | 3592 | Server46.exe | 90
  PID 3592 wrote to memory of 3916 | 3592 | Server46.exe | 90
  PID 3592 wrote to memory of 3916 | 3592 | Server46.exe | 90
  PID 3592 wrote to memory of 3916 | 3592 | Server46.exe | 90
  PID 3592 wrote to memory of 3300 | 3592 | Server46.exe | 91
  PID 3592 wrote to memory of 3300 | 3592 | Server46.exe | 91
  PID 3592 wrote to memory of 3300 | 3592 | Server46.exe | 91
  PID 2604 wrote to memory of 432 | 2604 | 1.EXE | 93
  PID 2604 wrote to memory of 432 | 2604 | 1.EXE | 93
  PID 2604 wrote to memory of 432 | 2604 | 1.EXE | 93
  PID 3300 wrote to memory of 4996 | 3300 | IEXPLORE.EXE | 97
  PID 3300 wrote to memory of 4996 | 3300 | IEXPLORE.EXE | 97
  PID 3300 wrote to memory of 4996 | 3300 | IEXPLORE.EXE | 97
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\833e25233992bb9556c609abdcadd11a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\833e25233992bb9556c609abdcadd11a_JaffaCakes118.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4224
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.EXE
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2572
    Process (depth 3): C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1.EXE
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1.EXE
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2604
      Process (depth 4): C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server46.exe
        Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server46.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3592
        Process (depth 5): C:\Windows\SysWOW64\calc.exe
          Command line: "C:\Windows\system32\calc.exe"
          PID: 3916
          Process (depth 6): C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 12
            - Program crash
            PID: 708
        Process (depth 5): C:\program files\internet explorer\IEXPLORE.EXE
          Command line: "C:\program files\internet explorer\IEXPLORE.EXE"
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 3300
          Process (depth 6): C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3300 CREDAT:17410 /prefetch:2
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
            PID: 4996
      Process (depth 4): C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""
        - System Location Discovery: System Language Discovery
        PID: 432
Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3916 -ip 3916
  PID: 1620
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 144B
  MD5: b309e9e57716fc723c7af6a5540ce26b
  SHA1: b8fa54b99bd4e2b1ea053dcb875b4e36e0fe21af
  SHA256: 4c9f013f5d7f280c77ad55367f03bb8547bf75adb9156700bb464bbad346a32f
  SHA512: 3e5fc2a50f4da949d523bdeb90982da6e136d912309e2507f2c2d77c6c2742caaeaa893954fcf03b44ea87898e9f937c1e82138d7257824213eb8f12e8ebc44e
- Filesize: 17KB
  MD5: 5a34cb996293fde2cb7a4ac89587393a
  SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
- Filesize: 384KB
  MD5: c3723be6af33ad517e39fa597ce71fac
  SHA1: 561c9a87697dd868c496068012f40d7212eb8a21
  SHA256: 9f9567f0db994890bb45ab99dff19b0b378b164636417eda6239168a19459335
  SHA512: 6dbd71d0a12ab79b317a5e7460df1c8c5af54587b272c4a7a1680447826d443c1abf53bd0b4931a40df032de1f5408a236c2dbda8c11cc14350fab61c7e1e255
- Filesize: 735KB
  MD5: 5f1c201abad80f62e146ef0831fbc383
  SHA1: d7572f3e3dfd527c1566aa4014da6e8edccf4761
  SHA256: 0c267746c139f103c25f03596b86bc53d2e40242bb1e087d584c5b389215f70d
  SHA512: c9d72c4affb34ee429078859f0feff41aab98c2c19ddb57e7847f8013ded6346a8e6b24d6863c6586fac9ceec757ac700782c99ce9471edea68a13f9b80500f4