Analysis

max time kernel: 92s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2024 22:52
Static task: static1

Behavioral task: behavioral1
Sample: d40480862f544ef81726411d1bdb81f4_JaffaCakes118.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: d40480862f544ef81726411d1bdb81f4_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General

Target: d40480862f544ef81726411d1bdb81f4_JaffaCakes118.exe
Size: 750KB
MD5: d40480862f544ef81726411d1bdb81f4
SHA1: c8b07741244a2bf9862c82fa4f3d9e42c5cea6b6
SHA256: 4cebb8f47d102f57151649966b7a8707f37dbab2a11c6508d55bf5d5bb68cb20
SHA512: a15d5665b2156811cca5246cea98567ebf867b988ab6b2d02ed4f757d7a7317ebc4ce18125a0d6aac2e312d5c1889209f19a92fd762b9ce5b7d533cecc1b3d7b
SSDEEP: 12288:iR8u1CP68p5WfL7S+TlHXff3QaCY0gaY1hzLQxpULQZ+v0xnKJAkGeZlAYluLEMg:uvM68HoLW+TlHXff3QaCG7XqU6BnKJAI
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modiloader family

ModiLoader Second Stage 7 IoCs
resource | yara_rule
behavioral2/files/0x0008000000023cb7-24.dat | modiloader_stage2
behavioral2/memory/4268-25-0x0000000000400000-0x000000000050A600-memory.dmp | modiloader_stage2
behavioral2/memory/4100-31-0x0000000000400000-0x000000000050A600-memory.dmp | modiloader_stage2
behavioral2/memory/2432-34-0x0000000000400000-0x000000000050B000-memory.dmp | modiloader_stage2
behavioral2/memory/4100-39-0x0000000000400000-0x000000000050A600-memory.dmp | modiloader_stage2
behavioral2/memory/4256-36-0x0000000000210000-0x000000000031B000-memory.dmp | modiloader_stage2
behavioral2/memory/4268-40-0x0000000000400000-0x000000000050A600-memory.dmp | modiloader_stage2
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | 3.exe
Executes dropped EXE 4 IoCs
pid | Process
4492 | 3.exe
4404 | 3.exe
4268 | 3.exe
4100 | rejoice101.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d40480862f544ef81726411d1bdb81f4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | 3.exe
Drops file in System32 directory 5 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_240638281 | 3.exe
File created | C:\Windows\SysWOW64\3.exe | 3.exe
File opened for modification | C:\Windows\SysWOW64\3.exe | 3.exe
File created | C:\Windows\SysWOW64\_rejoice101.exe | rejoice101.exe
File opened for modification | C:\Windows\SysWOW64\_rejoice101.exe | rejoice101.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 4100 set thread context of 2432 | 4100 | rejoice101.exe | 87
PID 4100 set thread context of 4256 | 4100 | rejoice101.exe | 89
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | 3.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | 3.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat | 3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
pid | pid_target | Process | procid_target
4184 | 2432 | WerFault.exe | 87
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rejoice101.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d40480862f544ef81726411d1bdb81f4_JaffaCakes118.exe
Modifies Internet Explorer settings 30 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3499830829" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440376945" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FBE2F4A1-B4ED-11EF-BDBF-DEEFF298442C} = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31148282" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31148282" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31148282" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3497174262" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3497174262" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
4256 | IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
4256 | IEXPLORE.EXE
4256 | IEXPLORE.EXE
3624 | IEXPLORE.EXE
3624 | IEXPLORE.EXE
3624 | IEXPLORE.EXE
3624 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 26 IoCs
description | pid | Process | procid_target
PID 3200 wrote to memory of 4492 | 3200 | d40480862f544ef81726411d1bdb81f4_JaffaCakes118.exe | 83
PID 3200 wrote to memory of 4492 | 3200 | d40480862f544ef81726411d1bdb81f4_JaffaCakes118.exe | 83
PID 3200 wrote to memory of 4492 | 3200 | d40480862f544ef81726411d1bdb81f4_JaffaCakes118.exe | 83
PID 4492 wrote to memory of 4404 | 4492 | 3.exe | 84
PID 4492 wrote to memory of 4404 | 4492 | 3.exe | 84
PID 4492 wrote to memory of 4404 | 4492 | 3.exe | 84
PID 4404 wrote to memory of 4268 | 4404 | 3.exe | 85
PID 4404 wrote to memory of 4268 | 4404 | 3.exe | 85
PID 4404 wrote to memory of 4268 | 4404 | 3.exe | 85
PID 4268 wrote to memory of 4100 | 4268 | 3.exe | 86
PID 4268 wrote to memory of 4100 | 4268 | 3.exe | 86
PID 4268 wrote to memory of 4100 | 4268 | 3.exe | 86
PID 4100 wrote to memory of 2432 | 4100 | rejoice101.exe | 87
PID 4100 wrote to memory of 2432 | 4100 | rejoice101.exe | 87
PID 4100 wrote to memory of 2432 | 4100 | rejoice101.exe | 87
PID 4100 wrote to memory of 2432 | 4100 | rejoice101.exe | 87
PID 4100 wrote to memory of 2432 | 4100 | rejoice101.exe | 87
PID 4100 wrote to memory of 4256 | 4100 | rejoice101.exe | 89
PID 4100 wrote to memory of 4256 | 4100 | rejoice101.exe | 89
PID 4100 wrote to memory of 4256 | 4100 | rejoice101.exe | 89
PID 4268 wrote to memory of 1428 | 4268 | 3.exe | 90
PID 4268 wrote to memory of 1428 | 4268 | 3.exe | 90
PID 4268 wrote to memory of 1428 | 4268 | 3.exe | 90
PID 4256 wrote to memory of 3624 | 4256 | IEXPLORE.EXE | 94
PID 4256 wrote to memory of 3624 | 4256 | IEXPLORE.EXE | 94
PID 4256 wrote to memory of 3624 | 4256 | IEXPLORE.EXE | 94
Processes

C:\Users\Admin\AppData\Local\Temp\d40480862f544ef81726411d1bdb81f4_JaffaCakes118.exe (PID 3200)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d40480862f544ef81726411d1bdb81f4_JaffaCakes118.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe (PID 4492)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\3.exe (PID 4404)
      Command line: "C:\Windows\system32\3.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3.exe (PID 4268)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3.exe
        - Executes dropped EXE
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe (PID 4100)
          Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\calc.exe (PID 2432)
            Command line: "C:\Windows\system32\calc.exe"

            C:\Windows\SysWOW64\WerFault.exe (PID 4184)
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 12
              - Program crash

          C:\program files\internet explorer\IEXPLORE.EXE (PID 4256)
            Command line: "C:\program files\internet explorer\IEXPLORE.EXE"
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 3624)
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4256 CREDAT:17410 /prefetch:2
              - System Location Discovery: System Language Discovery
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\cmd.exe (PID 1428)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""
          - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\WerFault.exe (PID 904)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2432 -ip 2432
Downloads