Analysis
-
max time kernel
120s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
24-11-2024 03:17
Static task
static1
Behavioral task
behavioral1
Sample
924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe
-
Size
868KB
-
MD5
924059ccbaea0e43561f2761bd035825
-
SHA1
57297e61762c5a144639f34fe3691fb316b49a57
-
SHA256
ce7e208280dbc88185d60d80f4bcc5c04e33086e5e3dcf8337445ddb90b9ffc3
-
SHA512
ad5c579a7e66ff9069b1e286f03dca50156f34907791a1947a46d885508991466c1c1b95a17559f427c408b668052ca63493b937159f5487c7eeea83bcd6287e
-
SSDEEP
12288:/byBPqujZRt6Iqw3mkWrVkHKJ3ED9uakrckc6GDiuKVg3Y6D/nJEh6:WBiuj8IerVkHK3ED9uakrckfG/nOh6
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2380-21-0x0000000000400000-0x0000000000625CC4-memory.dmp modiloader_stage2 -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
924059ccbaea0e43561f2761bd035825_JaffaCakes118.exedescription ioc Process File opened (read-only) \??\L: 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe File opened (read-only) \??\M: 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe File opened (read-only) \??\N: 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe File opened (read-only) \??\P: 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe File opened (read-only) \??\Q: 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe File opened (read-only) \??\A: 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe File opened (read-only) \??\B: 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe File opened (read-only) \??\E: 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe File opened (read-only) \??\I: 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe File opened (read-only) \??\T: 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe File opened (read-only) \??\U: 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe File opened (read-only) \??\V: 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe File opened (read-only) \??\W: 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe File opened (read-only) \??\Z: 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe File opened (read-only) \??\H: 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe File opened (read-only) \??\R: 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe File opened (read-only) \??\S: 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe File opened (read-only) \??\G: 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe File opened (read-only) \??\J: 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe File opened (read-only) \??\K: 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe File opened (read-only) \??\O: 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe File opened (read-only) \??\X: 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe File opened (read-only) \??\Y: 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
924059ccbaea0e43561f2761bd035825_JaffaCakes118.exedescription ioc Process File opened for modification C:\AutoRun.inf 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe File opened for modification F:\AutoRun.inf 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe -
Drops file in Program Files directory 1 IoCs
Processes:
924059ccbaea0e43561f2761bd035825_JaffaCakes118.exedescription ioc Process File created C:\Program Files\paramstr.txt 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
924059ccbaea0e43561f2761bd035825_JaffaCakes118.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\924059ccbaea0e43561f2761bd035825_JaffaCakes118.exe"1⤵
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2380
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175B
MD57883b1af9ea9216c4f9846b2cc8e1250
SHA1d2e4b33106b59200948afb39b65adb8a08c9fa7f
SHA2560bb5f1e59695a0c76d5471ec9b0427c9316cf9df9273eda8f33d3b2f6827af26
SHA512f36492d4645e287dfb488d30e13f85119944444032d1361ae4d33ebc0db75c7fe74c32935518f5fd243c1d7f4791128e7ddc98affc686bf82140bfd9d0342b6d