Analysis

  • max time kernel
    92s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-12-2024 22:52

General

  • Target
    d40480862f544ef81726411d1bdb81f4_JaffaCakes118.exe
  • Size
    750KB
  • MD5
    d40480862f544ef81726411d1bdb81f4
  • SHA1
    c8b07741244a2bf9862c82fa4f3d9e42c5cea6b6
  • SHA256
    4cebb8f47d102f57151649966b7a8707f37dbab2a11c6508d55bf5d5bb68cb20
  • SHA512
    a15d5665b2156811cca5246cea98567ebf867b988ab6b2d02ed4f757d7a7317ebc4ce18125a0d6aac2e312d5c1889209f19a92fd762b9ce5b7d533cecc1b3d7b
  • SSDEEP
    12288:iR8u1CP68p5WfL7S+TlHXff3QaCY0gaY1hzLQxpULQZ+v0xnKJAkGeZlAYluLEMg:uvM68HoLW+TlHXff3QaCG7XqU6BnKJAI

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • ModiLoader Second Stage 7 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d40480862f544ef81726411d1bdb81f4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d40480862f544ef81726411d1bdb81f4_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3200
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4492
      • C:\Windows\SysWOW64\3.exe
        "C:\Windows\system32\3.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4404
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4268
          • C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
            "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4100
            • C:\Windows\SysWOW64\calc.exe
              "C:\Windows\system32\calc.exe"
              6⤵
                PID:2432
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 12
                  7⤵
                  • Program crash
                  PID:4184
              • C:\program files\internet explorer\IEXPLORE.EXE
                "C:\program files\internet explorer\IEXPLORE.EXE"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4256
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4256 CREDAT:17410 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:3624
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1428
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2432 -ip 2432
      1⤵
        PID:904

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat
    Filesize: 144B
    MD5: 6e0accd9b56700b7850b002896bf5383
    SHA1: c058ad423f42638e06171349e2d56931d03ab800
    SHA256: 533abe1be65c4ff52feab7cfd105cfffe64dd18c0554f9204a46a75a7978addf
    SHA512: 0f4f18356b1f303be7a823f7b64e57151a6135caab9f87fc1dd2b24a63631cdd827e137405c5f9dd5047a3a2eeeef1367d62d767740fb7657e2c47c16ff2240c
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 471B
    MD5: 105f6ce728ed4fa85484532b32117013
    SHA1: bbfa2d81d14f3f219e2078f3095859e99aea4777
    SHA256: 433ba5a67ded6420250783ffe77fa5848c97d4751af0ba05a3100620b6b16938
    SHA512: baa229dce1e0daab64319d6212d566fd0269e11d46b04b3ea0b7f1d56ab56e88f5c76e76ae5d5b4712a48be802880abda4600cb0e0b5ad64d6f45c5f4abc8da2
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 404B
    MD5: 7ae733520a0b1a44effee5add0d9c5bb
    SHA1: e2ca3d98f29fbdaa4b484e4e3ff1da16bbbc0b89
    SHA256: 48d5f0ba8e15a3417c81d448fd85b1c133415ce0c27ffce3f4b033ce09232cee
    SHA512: 4ddeac5fce631b0e9ecd0720c83dc2353e92b7a366f4afdd0b6c2bda7d754ecfec27693bcc168e6fa18924a556e9c0d1784dc18ccf828c0db8aa2ab5101a013b
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\suggestions[1].en-US
    Filesize: 17KB
    MD5: 5a34cb996293fde2cb7a4ac89587393a
    SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
    Filesize: 702KB
    MD5: 9bcaaf6c65896d7b446386798a33dc17
    SHA1: baa4f67ec22262768b166a6c413d3a48ae911fec
    SHA256: 53ca0b273d0f1111399f402494a802f7cf22c5fe64902014e593d2340a2085f0
    SHA512: 91d857b11039923620bde1f52b5f98d83a8c7e6da57ab850f0e53af380ee03aeffb6989e867f3ce7fa95e2d4ac3741ef32a996c3c2cc56310d64da754b9a38f9
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3.exe
    Filesize: 1.0MB
    MD5: 1c3d15ba1d152f568dd49d0b9fc34588
    SHA1: f3a171fe18544328ef98efbcd367f2044330ec86
    SHA256: e9162e886791805f72884a2bae9a100bd337d893a363973926544862ef67f1e0
    SHA512: 50f2e53fb5a233ec5af5364279ba7965abbcca7f78f98b1e17c6c60a60d5fd281cc0775f26fa821e327b10232b9c8152ffff9c7001cbc5e875d14630bedba9c5
  • C:\Windows\SysWOW64\3.exe
    Filesize: 616KB
    MD5: 0d2076b83fcd86a9d05833c5be1e433f
    SHA1: 077d5b0397cf44c5d04b7548d5b99d3368874ab4
    SHA256: 806c17b60d3c2d1d20e270b5732cfe6e072499e297ddbbab160d646f5832dbf1
    SHA512: dd7a84a1c064922fb7777ab592544031e1bbdfbbea0e52fb0016fe21ef25909536e6e1a01993440bbd53dc108e88606678cce2b6984093dd469b71c5802b7e56
  • memory/2432-34-0x0000000000400000-0x000000000050B000-memory.dmp
    Filesize: 1.0MB
  • memory/3200-0-0x0000000001000000-0x000000000116F000-memory.dmp
    Filesize: 1.4MB
  • memory/3200-21-0x0000000001000000-0x000000000116F000-memory.dmp
    Filesize: 1.4MB
  • memory/4100-39-0x0000000000400000-0x000000000050A600-memory.dmp
    Filesize: 1.0MB
  • memory/4100-31-0x0000000000400000-0x000000000050A600-memory.dmp
    Filesize: 1.0MB
  • memory/4256-36-0x0000000000210000-0x000000000031B000-memory.dmp
    Filesize: 1.0MB
  • memory/4268-40-0x0000000000400000-0x000000000050A600-memory.dmp
    Filesize: 1.0MB
  • memory/4268-25-0x0000000000400000-0x000000000050A600-memory.dmp
    Filesize: 1.0MB
  • memory/4492-18-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize: 148KB