Analysis

max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/11/2024, 06:38
Behavioral task: behavioral1
  Sample: 99d288140e04a53da62f6751f1142322_JaffaCakes118.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 99d288140e04a53da62f6751f1142322_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General

Target: 99d288140e04a53da62f6751f1142322_JaffaCakes118.exe
Size: 544KB
MD5: 99d288140e04a53da62f6751f1142322
SHA1: 85ed195a89333ae9a75a03b55ec4a5fc0b92a8fe
SHA256: 0a220ee9d594c9de4973ed2dc5183cce41b565387f16ab5295801e286314ee31
SHA512: 35b8aa6813d70c809ec7a0072b8754f6e213e49b533b768404df147fba077b54d6a5c6d6e2f3fc38e67660e170a6e827a6cc326f6b92c93a5de791ebe1357c38
SSDEEP: 12288:fGeQClYrDqt6bbDlVmE90kmmiQSQbJB/UPi4KaRAqxh:fDQCGrDqt6b7meDibQNBMLJjh
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modiloader family

ModiLoader Second Stage 4 IoCs
  resource | yara_rule
  behavioral2/memory/1260-36-0x0000000000400000-0x0000000000584000-memory.dmp | modiloader_stage2
  behavioral2/memory/2464-50-0x0000000000400000-0x0000000000940000-memory.dmp | modiloader_stage2
  behavioral2/memory/2464-56-0x0000000000400000-0x0000000000940000-memory.dmp | modiloader_stage2
  behavioral2/memory/2464-79-0x0000000000400000-0x0000000000940000-memory.dmp | modiloader_stage2
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | 99d288140e04a53da62f6751f1142322_JaffaCakes118.exe
Executes dropped EXE 2 IoCs
  pid | Process
  2464 | krutsy32.exe
  5092 | ldapi32.exe
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  description | ioc | Process
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | krutsy32.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | krutsy32.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | krutsy32.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | krutsy32.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | krutsy32.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | krutsy32.exe
Loads dropped DLL 4 IoCs
  pid | Process
  2464 | krutsy32.exe
  2464 | krutsy32.exe
  2464 | krutsy32.exe
  2464 | krutsy32.exe
Adds Run key to start application 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krutsy32 = "C:\\Windows\\krutsy32.exe" | 99d288140e04a53da62f6751f1142322_JaffaCakes118.exe
Drops file in System32 directory 3 IoCs
  description | ioc | Process
  File created | C:\Windows\SysWOW64\ntswrl32.dll | krutsy32.exe
  File created | C:\Windows\SysWOW64\ntcvx32.dll | krutsy32.exe
  File created | C:\Windows\SysWOW64\ldapi32.exe | krutsy32.exe

upx (yara_rule) 7 IoCs
  resource | yara_rule
  behavioral2/memory/1260-0-0x0000000000400000-0x0000000000584000-memory.dmp | upx
  behavioral2/files/0x000c000000023b3a-5.dat | upx
  behavioral2/memory/1260-36-0x0000000000400000-0x0000000000584000-memory.dmp | upx
  behavioral2/memory/2464-34-0x0000000000400000-0x0000000000940000-memory.dmp | upx
  behavioral2/memory/2464-50-0x0000000000400000-0x0000000000940000-memory.dmp | upx
  behavioral2/memory/2464-56-0x0000000000400000-0x0000000000940000-memory.dmp | upx
  behavioral2/memory/2464-79-0x0000000000400000-0x0000000000940000-memory.dmp | upx
Drops file in Windows directory 2 IoCs
  description | ioc | Process
  File created | C:\Windows\krutsy32.exe | 99d288140e04a53da62f6751f1142322_JaffaCakes118.exe
  File opened for modification | C:\Windows\krutsy32.exe | 99d288140e04a53da62f6751f1142322_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 99d288140e04a53da62f6751f1142322_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | krutsy32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ldapi32.exe
Modifies registry class 1 IoCs
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 99d288140e04a53da62f6751f1142322_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 5092 | ldapi32.exe
Suspicious use of SetWindowsHookEx 1 IoCs
  pid | Process
  2464 | krutsy32.exe
Suspicious use of WriteProcessMemory 6 IoCs
  description | pid | Process | procid_target
  PID 1260 wrote to memory of 2464 | 1260 | 99d288140e04a53da62f6751f1142322_JaffaCakes118.exe | 82
  PID 1260 wrote to memory of 2464 | 1260 | 99d288140e04a53da62f6751f1142322_JaffaCakes118.exe | 82
  PID 1260 wrote to memory of 2464 | 1260 | 99d288140e04a53da62f6751f1142322_JaffaCakes118.exe | 82
  PID 2464 wrote to memory of 5092 | 2464 | krutsy32.exe | 83
  PID 2464 wrote to memory of 5092 | 2464 | krutsy32.exe | 83
  PID 2464 wrote to memory of 5092 | 2464 | krutsy32.exe | 83
Processes

1. C:\Users\Admin\AppData\Local\Temp\99d288140e04a53da62f6751f1142322_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\99d288140e04a53da62f6751f1142322_JaffaCakes118.exe"
   PID: 1260
   - Checks computer location settings
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\krutsy32.exe
      command line: "C:\Windows\krutsy32.exe"
      PID: 2464
      - Executes dropped EXE
      - Impair Defenses: Safe Mode Boot
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\ldapi32.exe
         command line: C:\Windows\system32\ldapi32.exe
         PID: 5092
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 20KB
MD5: 1093917aed9fc8213a0a71fb9062fd14
SHA1: ced9c73a3fcb6b2784ff36d56be91887900e7248
SHA256: 40697f22c7abab737137263246f2af010a4d6b0676471bfa199ec022b548b5c1
SHA512: 28b34bcc47525fea9ffbf128ca34ff9d1fa52931404987d5be62826220a32ef75e1fa54ea135a511d803f14bfc76cf057a4bed847b099b7b9a4b0fc6808a0467

Filesize: 12KB
MD5: 8dc496e74a083351a898c960ca4ad767
SHA1: f2f54b028f9fc5815868b315452e9ac1fa91576d
SHA256: f23108544e06a177ae964ccfdde103b5a5ea340462eab85271a69d3c6c313524
SHA512: 4ab073c113a1036c7d4ec578db2190f0c397bfe9ec0fd12e54621b9c848aec7ec3f96f694aa19b44bd577e17e265710f163b7ff37c45d0c14939f813d7c77831

Filesize: 567KB
MD5: 41109d6b0001ad636b220f2947404a90
SHA1: a1c9cd22c8a08b7a45bdb06133084309dbe1a88d
SHA256: 9d8e296b7d110e077fa21db918f6246955076ae68fe723e5aad2e9ca0822b334
SHA512: 21016c08338c654c36e44867b812b9b1d98ef693051b4ffc2e8fde5403b2c93f8c06394b1e23d48f5f3c3bb5509fc853e5969ab5615c903afd5b5d1b6f675c13