Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-12-2024 13:37

General

  • Target

    d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe

  • Size

    294KB

  • MD5

    d74f54b77e0c4fed6b92e5c05a25894b

  • SHA1

    c1fe5e83e96b66a99283635a8680dc166848a74b

  • SHA256

    f1d856023c3980c83cc8e15bcb962db208ca8d7112c58b5e6df6279a36073a09

  • SHA512

    50172b652c7e5f5b851dbbc4ef4c9ca42770303d7e65575d35463ad7e80a1621def0e26e75977f7b460b4a79734e48d6f91b23ad3a1fe0ec6fa2b8417e562dc6

  • SSDEEP

    6144:vVrhP9RbTRXkqaSFJoFJX+TWgUW4iRLA3zm+2tfvCuZwo/Zk/6hFBR47396xrZk:LP/bT5kqa8MJOWCAYvThkR3oxrO

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • ModiLoader Second Stage 5 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4344
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Build.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:324
      • C:\Windows\SysWOW64\reg.exe
        Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot\*.*
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1524
    • C:\Users\Admin\AppData\Local\Temp\âûàûâ.exe
      "C:\Users\Admin\AppData\Local\Temp\âûàûâ.exe"
      2⤵
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4148
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Suspicious use of AdjustPrivilegeToken
    PID:3980

Network

  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    65.139.73.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    65.139.73.23.in-addr.arpa
    IN PTR
    Response
    65.139.73.23.in-addr.arpa
    IN PTR
    a23-73-139-65deploystaticakamaitechnologiescom
  • flag-us
    DNS
    20.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    20.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    73.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    73.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    65.139.73.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    65.139.73.23.in-addr.arpa

  • 8.8.8.8:53
    20.49.80.91.in-addr.arpa
    dns
    70 B
    145 B
    1
    1

    DNS Request

    20.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Build.bat

    Filesize

    1KB

    MD5

    3f5b9f2b34b14f22b7775c2c0a91f1a2

    SHA1

    0297877c09e7761df5a5980bcaf1b0b0262709da

    SHA256

    cf63ce623bddd27c7b62a49aa40cd5a231fbdbde94405a8a10c13eb6a8b49ba8

    SHA512

    8e68daf530086151c0146d74da292d26ea15c67adfed763209ebb984c8b622008f721fe3e2d5ae8b1b599d57976319ee6f653589f50e0f97620b1baefeda69b1

  • C:\Users\Admin\AppData\Local\Temp\âûàûâ.exe

    Filesize

    401KB

    MD5

    4bc37f0a2f0920dbca852fedaf8eea47

    SHA1

    b65c15ea93416ddc135ec808e1b57bd1dd800459

    SHA256

    0cc0ff43a156227bdfba1d777cd8738021607c3ed8a330548c37ad26d63afa03

    SHA512

    b5ed2976bb6433fd1617dd8271871543e588c9562a341289d18eea010b1c285d1a4dcb303027ea0689ec7e1a8d5be9c85cd21b8ed764fe9040bf537582e9abcd

  • memory/4148-13-0x0000000000640000-0x0000000000641000-memory.dmp

    Filesize

    4KB

  • memory/4148-15-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/4148-16-0x0000000000640000-0x0000000000641000-memory.dmp

    Filesize

    4KB

  • memory/4148-19-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/4148-26-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/4148-27-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.