Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
25/11/2024, 06:38
General
-
Target
99d288140e04a53da62f6751f1142322_JaffaCakes118.exe
-
Size
544KB
-
MD5
99d288140e04a53da62f6751f1142322
-
SHA1
85ed195a89333ae9a75a03b55ec4a5fc0b92a8fe
-
SHA256
0a220ee9d594c9de4973ed2dc5183cce41b565387f16ab5295801e286314ee31
-
SHA512
35b8aa6813d70c809ec7a0072b8754f6e213e49b533b768404df147fba077b54d6a5c6d6e2f3fc38e67660e170a6e827a6cc326f6b92c93a5de791ebe1357c38
-
SSDEEP
12288:fGeQClYrDqt6bbDlVmE90kmmiQSQbJB/UPi4KaRAqxh:fDQCGrDqt6b7meDibQNBMLJjh
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 4 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
-
Loads dropped DLL 4 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 3 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\99d288140e04a53da62f6751f1142322_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\99d288140e04a53da62f6751f1142322_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\krutsy32.exe"C:\Windows\krutsy32.exe"2⤵
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ldapi32.exeC:\Windows\system32\ldapi32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD51093917aed9fc8213a0a71fb9062fd14
SHA1ced9c73a3fcb6b2784ff36d56be91887900e7248
SHA25640697f22c7abab737137263246f2af010a4d6b0676471bfa199ec022b548b5c1
SHA51228b34bcc47525fea9ffbf128ca34ff9d1fa52931404987d5be62826220a32ef75e1fa54ea135a511d803f14bfc76cf057a4bed847b099b7b9a4b0fc6808a0467
-
Filesize
12KB
MD58dc496e74a083351a898c960ca4ad767
SHA1f2f54b028f9fc5815868b315452e9ac1fa91576d
SHA256f23108544e06a177ae964ccfdde103b5a5ea340462eab85271a69d3c6c313524
SHA5124ab073c113a1036c7d4ec578db2190f0c397bfe9ec0fd12e54621b9c848aec7ec3f96f694aa19b44bd577e17e265710f163b7ff37c45d0c14939f813d7c77831
-
Filesize
567KB
MD541109d6b0001ad636b220f2947404a90
SHA1a1c9cd22c8a08b7a45bdb06133084309dbe1a88d
SHA2569d8e296b7d110e077fa21db918f6246955076ae68fe723e5aad2e9ca0822b334
SHA51221016c08338c654c36e44867b812b9b1d98ef693051b4ffc2e8fde5403b2c93f8c06394b1e23d48f5f3c3bb5509fc853e5969ab5615c903afd5b5d1b6f675c13
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
5.2MB
-
Filesize
4KB
-
Filesize
5.2MB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
48KB