Analysis
- max time kernel: 140s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-12-2024 00:12
Behavioral task behavioral1
- Sample: cfbb71cd4c20888128f25c49e9622422_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: cfbb71cd4c20888128f25c49e9622422_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: cfbb71cd4c20888128f25c49e9622422_JaffaCakes118.exe
- Size: 281KB
- MD5: cfbb71cd4c20888128f25c49e9622422
- SHA1: fbf81bea05ae08f6290547be85a42aa5d5418143
- SHA256: 0e2e772188ed3497c81992630798d2cbdc1fea446406fbe0e11204db26fdf0a3
- SHA512: 6827be9c8f037301f028b82496059ac2d6363f5c571dedcc289c693326e60641c5229401b2b26a8396faadd5babeb69fd53b7586487cee98cd27f53e7041204d
- SSDEEP: 6144:bw0ctxh7aL5+HpBQ9aEa8FCnDeh/448FYDcHfMep9kDXHKjpK:bwYh/444YDm4TqjpK
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage (1 IoC)
  resource: behavioral2/memory/544-12-0x0000000000400000-0x000000000044D000-memory.dmp
  yara_rule: modiloader_stage2
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation
  Process: cfbb71cd4c20888128f25c49e9622422_JaffaCakes118.exe
- Executes dropped EXE (2 IoCs)
  pid 2968, Process sys.dll.exe
  pid 4400, Process sys.dll.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2968 set thread context of 4400
  pid: 2968
  Process: sys.dll.exe
  procid_target: 84
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: cfbb71cd4c20888128f25c49e9622422_JaffaCakes118.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: sys.dll.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: sys.dll.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2968, Process sys.dll.exe
  pid 4400, Process sys.dll.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description: PID 544 wrote to memory of 2968; pid: 544; Process: cfbb71cd4c20888128f25c49e9622422_JaffaCakes118.exe; procid_target: 83
  description: PID 544 wrote to memory of 2968; pid: 544; Process: cfbb71cd4c20888128f25c49e9622422_JaffaCakes118.exe; procid_target: 83
  description: PID 544 wrote to memory of 2968; pid: 544; Process: cfbb71cd4c20888128f25c49e9622422_JaffaCakes118.exe; procid_target: 83
  description: PID 2968 wrote to memory of 4400; pid: 2968; Process: sys.dll.exe; procid_target: 84
  description: PID 2968 wrote to memory of 4400; pid: 2968; Process: sys.dll.exe; procid_target: 84
  description: PID 2968 wrote to memory of 4400; pid: 2968; Process: sys.dll.exe; procid_target: 84
  description: PID 2968 wrote to memory of 4400; pid: 2968; Process: sys.dll.exe; procid_target: 84
  description: PID 2968 wrote to memory of 4400; pid: 2968; Process: sys.dll.exe; procid_target: 84
  description: PID 2968 wrote to memory of 4400; pid: 2968; Process: sys.dll.exe; procid_target: 84
  description: PID 2968 wrote to memory of 4400; pid: 2968; Process: sys.dll.exe; procid_target: 84
Processes
1. C:\Users\Admin\AppData\Local\Temp\cfbb71cd4c20888128f25c49e9622422_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\cfbb71cd4c20888128f25c49e9622422_JaffaCakes118.exe"
   PID: 544
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\sys.dll.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\sys.dll.exe"
      PID: 2968
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\sys.dll.exe (child of 2)
         Command line: C:\Users\Admin\AppData\Local\Temp\sys.dll.exe
         PID: 4400
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 112KB
- MD5: c6bc08de2aed3a4112471aeef5096117
- SHA1: d14051c9267df6e5d2b7f49d714fef05bfedbb2b
- SHA256: e864dedb2b3b35b4d802b385ebb3a57e3e270898eccea7ec76aab7e1440059c9
- SHA512: 9fd5eddb012fee63548b17576d28d77556837bf9c51b8d981b4606aaef7942e85d72e4d28399e59e1b1204e23112eec8a304e8492955bab139936f8c11f0ca8f