Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-11-2024 00:57
Behavioral task: behavioral1
Sample: 83cd9070f4c652223341b2e143609fd0_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 83cd9070f4c652223341b2e143609fd0_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: 83cd9070f4c652223341b2e143609fd0_JaffaCakes118.exe
Size: 428KB
MD5: 83cd9070f4c652223341b2e143609fd0
SHA1: 44f107d7f61722c7a21a9096afc46fad9e8b1195
SHA256: db74d0127ae1b24d4b15ca9ded00c77a404ccb5e34ee960b55af6aa4262f72c8
SHA512: 56557003c700a53e8b91dbda30583e0beb091d5c977631ffaadbf22209d8e967a1139f5385ea7dee39b3d40e7c90fbd66cf58a1103cc9b5db7bbc931037b50aa
SSDEEP: 12288:s6Wq4aaE6KwyF5L0Y2D1PqLa+tbh5H9fYb:qthEVaPqLawh5H9Yb
Malware Config
Signatures
- ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage 7 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3432-14-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
behavioral2/memory/3432-15-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
behavioral2/memory/3432-28-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
behavioral2/memory/1392-47-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
behavioral2/memory/1392-44-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
behavioral2/memory/1392-43-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
behavioral2/memory/1392-48-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
- Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 83cd9070f4c652223341b2e143609fd0_JaffaCakes118.exe
- Executes dropped EXE 2 IoCs
Processes:
pid | Process
2028 | AdobeART.exe
1392 | AdobeART.exe
- Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\83cd9070f4c652223341b2e143609fd0_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\83cd9070f4c652223341b2e143609fd0_JaffaCakes118.exe" | 83cd9070f4c652223341b2e143609fd0_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeART.exe = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeART.exe" | AdobeART.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeART = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeART.exe" | AdobeART.exe
- AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/412-13-0x0000000000400000-0x00000000004F4000-memory.dmp | autoit_exe
behavioral2/memory/2028-46-0x0000000000400000-0x00000000004F4000-memory.dmp | autoit_exe
- Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | Process | procid_target
PID 412 set thread context of 3432 | 412 | 83cd9070f4c652223341b2e143609fd0_JaffaCakes118.exe | 84
PID 2028 set thread context of 1392 | 2028 | AdobeART.exe | 87
Processes:
resource | yara_rule
behavioral2/memory/412-0-0x0000000000400000-0x00000000004F4000-memory.dmp | upx
behavioral2/memory/3432-9-0x0000000000400000-0x0000000000414000-memory.dmp | upx
behavioral2/memory/3432-11-0x0000000000400000-0x0000000000414000-memory.dmp | upx
behavioral2/memory/412-13-0x0000000000400000-0x00000000004F4000-memory.dmp | upx
behavioral2/memory/3432-14-0x0000000000400000-0x0000000000414000-memory.dmp | upx
behavioral2/memory/3432-15-0x0000000000400000-0x0000000000414000-memory.dmp | upx
behavioral2/files/0x000e000000023c1f-20.dat | upx
behavioral2/memory/3432-28-0x0000000000400000-0x0000000000414000-memory.dmp | upx
behavioral2/memory/2028-46-0x0000000000400000-0x00000000004F4000-memory.dmp | upx
behavioral2/memory/1392-47-0x0000000000400000-0x0000000000414000-memory.dmp | upx
behavioral2/memory/1392-44-0x0000000000400000-0x0000000000414000-memory.dmp | upx
behavioral2/memory/1392-42-0x0000000000400000-0x0000000000414000-memory.dmp | upx
behavioral2/memory/1392-43-0x0000000000400000-0x0000000000414000-memory.dmp | upx
behavioral2/memory/1392-48-0x0000000000400000-0x0000000000414000-memory.dmp | upx
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AdobeART.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 83cd9070f4c652223341b2e143609fd0_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 83cd9070f4c652223341b2e143609fd0_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AdobeART.exe
- Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description | pid | Process | procid_target
PID 412 wrote to memory of 3432 | 412 | 83cd9070f4c652223341b2e143609fd0_JaffaCakes118.exe | 84
PID 412 wrote to memory of 3432 | 412 | 83cd9070f4c652223341b2e143609fd0_JaffaCakes118.exe | 84
PID 412 wrote to memory of 3432 | 412 | 83cd9070f4c652223341b2e143609fd0_JaffaCakes118.exe | 84
PID 412 wrote to memory of 3432 | 412 | 83cd9070f4c652223341b2e143609fd0_JaffaCakes118.exe | 84
PID 412 wrote to memory of 3432 | 412 | 83cd9070f4c652223341b2e143609fd0_JaffaCakes118.exe | 84
PID 3432 wrote to memory of 2028 | 3432 | 83cd9070f4c652223341b2e143609fd0_JaffaCakes118.exe | 86
PID 3432 wrote to memory of 2028 | 3432 | 83cd9070f4c652223341b2e143609fd0_JaffaCakes118.exe | 86
PID 3432 wrote to memory of 2028 | 3432 | 83cd9070f4c652223341b2e143609fd0_JaffaCakes118.exe | 86
PID 2028 wrote to memory of 1392 | 2028 | AdobeART.exe | 87
PID 2028 wrote to memory of 1392 | 2028 | AdobeART.exe | 87
PID 2028 wrote to memory of 1392 | 2028 | AdobeART.exe | 87
PID 2028 wrote to memory of 1392 | 2028 | AdobeART.exe | 87
PID 2028 wrote to memory of 1392 | 2028 | AdobeART.exe | 87
Processes
C:\Users\Admin\AppData\Local\Temp\83cd9070f4c652223341b2e143609fd0_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\83cd9070f4c652223341b2e143609fd0_JaffaCakes118.exe"
  Depth: 1
  PID: 412
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\83cd9070f4c652223341b2e143609fd0_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\83cd9070f4c652223341b2e143609fd0_JaffaCakes118.exe
    Depth: 2
    PID: 3432
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\AdobeART.exe
      Command line: "C:\Users\Admin\AppData\Roaming\AdobeART.exe"
      Depth: 3
      PID: 2028
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\AdobeART.exe
        Command line: C:\Users\Admin\AppData\Roaming\AdobeART.exe
        Depth: 4
        PID: 1392
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 18KB
MD5: bbb6f2575e3332947197b87d3be7c4d5
SHA1: 967b49b00387b71eb072bf3d2bc7c3c7c4ce6eb1
SHA256: 610b85bbba370e220b2c35f7f2fce62ea55df5493fe6dd788274ad5b20a46269
SHA512: 9f227ffa5fb450c54695a99c4ec6487b0926932a9c89c5e8bc3b4dde9b7e0f8e8bcc56aabcdf2251799668d96a065194e8a78ad36685bc5ad2b2223be856c9ac

Filesize: 428KB
MD5: 83cd9070f4c652223341b2e143609fd0
SHA1: 44f107d7f61722c7a21a9096afc46fad9e8b1195
SHA256: db74d0127ae1b24d4b15ca9ded00c77a404ccb5e34ee960b55af6aa4262f72c8
SHA512: 56557003c700a53e8b91dbda30583e0beb091d5c977631ffaadbf22209d8e967a1139f5385ea7dee39b3d40e7c90fbd66cf58a1103cc9b5db7bbc931037b50aa