Analysis
- max time kernel: 150s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-12-2024 13:37
Static task: static1
Behavioral task: behavioral1
- Sample: d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe
- Size: 294KB
- MD5: d74f54b77e0c4fed6b92e5c05a25894b
- SHA1: c1fe5e83e96b66a99283635a8680dc166848a74b
- SHA256: f1d856023c3980c83cc8e15bcb962db208ca8d7112c58b5e6df6279a36073a09
- SHA512: 50172b652c7e5f5b851dbbc4ef4c9ca42770303d7e65575d35463ad7e80a1621def0e26e75977f7b460b4a79734e48d6f91b23ad3a1fe0ec6fa2b8417e562dc6
- SSDEEP: 6144:vVrhP9RbTRXkqaSFJoFJX+TWgUW4iRLA3zm+2tfvCuZwo/Zk/6hFBR47396xrZk:LP/bT5kqa8MJOWCAYvThkR3oxrO
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage 5 IoCs
  resource | yara_rule
  behavioral2/files/0x000a000000023b92-8.dat | modiloader_stage2
  behavioral2/memory/4148-15-0x0000000000400000-0x000000000046B000-memory.dmp | modiloader_stage2
  behavioral2/memory/4148-19-0x0000000000400000-0x000000000046B000-memory.dmp | modiloader_stage2
  behavioral2/memory/4148-26-0x0000000000400000-0x000000000046B000-memory.dmp | modiloader_stage2
  behavioral2/memory/4148-27-0x0000000000400000-0x000000000046B000-memory.dmp | modiloader_stage2
- Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe
- Executes dropped EXE 1 IoCs
  pid | Process
  4148 | âûàûâ.exe
- Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  description | ioc | Process
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | âûàûâ.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | âûàûâ.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | âûàûâ.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | âûàûâ.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | âûàûâ.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | âûàûâ.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\âûàûâ.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\âûàûâ.exe" | âûàûâ.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | âûàûâ.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
- Modifies registry key 1 TTPs 1 IoCs
  pid | Process
  1524 | reg.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid | Process
  4148 | âûàûâ.exe (64 occurrences)
- Suspicious use of AdjustPrivilegeToken 4 IoCs
  description | pid | Process
  Token: SeShutdownPrivilege | 3980 | explorer.exe
  Token: SeCreatePagefilePrivilege | 3980 | explorer.exe
  Token: SeShutdownPrivilege | 3980 | explorer.exe
  Token: SeCreatePagefilePrivilege | 3980 | explorer.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  description | pid | Process | procid_target
  PID 4344 wrote to memory of 324 | 4344 | d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe | 86
  PID 4344 wrote to memory of 324 | 4344 | d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe | 86
  PID 4344 wrote to memory of 324 | 4344 | d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe | 86
  PID 4344 wrote to memory of 4148 | 4344 | d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe | 88
  PID 4344 wrote to memory of 4148 | 4344 | d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe | 88
  PID 4344 wrote to memory of 4148 | 4344 | d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe | 88
  PID 324 wrote to memory of 1524 | 324 | cmd.exe | 89
  PID 324 wrote to memory of 1524 | 324 | cmd.exe | 89
  PID 324 wrote to memory of 1524 | 324 | cmd.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe (PID 4344)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 324)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Build.bat" "
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 1524)
      Command line: Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot\*.*
      Signatures: System Location Discovery: System Language Discovery; Modifies registry key
  - C:\Users\Admin\AppData\Local\Temp\âûàûâ.exe (PID 4148)
    Command line: "C:\Users\Admin\AppData\Local\Temp\âûàûâ.exe"
    Signatures: Executes dropped EXE; Impair Defenses: Safe Mode Boot; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
- C:\Windows\explorer.exe (PID 3980)
  Command line: explorer.exe
  Signatures: Boot or Logon Autostart Execution: Active Setup; Suspicious use of AdjustPrivilegeToken
Network
- DNS Request 149.220.183.52.in-addr.arpa (IN PTR)
  Remote address: 8.8.8.8:53
  Response: (empty)
  Traffic: 73 B sent, 147 B received, 1 request, 1 response
- DNS Request 73.159.190.20.in-addr.arpa (IN PTR)
  Remote address: 8.8.8.8:53
  Response: (empty)
  Traffic: 72 B sent, 158 B received, 1 request, 1 response
- DNS Request 95.221.229.192.in-addr.arpa (IN PTR)
  Remote address: 8.8.8.8:53
  Response: (empty)
  Traffic: 73 B sent, 144 B received, 1 request, 1 response
- DNS Request 232.168.11.51.in-addr.arpa (IN PTR)
  Remote address: 8.8.8.8:53
  Response: (empty)
  Traffic: 72 B sent, 158 B received, 1 request, 1 response
- DNS Request 50.23.12.20.in-addr.arpa (IN PTR)
  Remote address: 8.8.8.8:53
  Response: (empty)
  Traffic: 70 B sent, 156 B received, 1 request, 1 response
- DNS Request 18.31.95.13.in-addr.arpa (IN PTR)
  Remote address: 8.8.8.8:53
  Response: (empty)
  Traffic: 70 B sent, 144 B received, 1 request, 1 response
- DNS Request 65.139.73.23.in-addr.arpa (IN PTR)
  Remote address: 8.8.8.8:53
  Response: 65.139.73.23.in-addr.arpa IN PTR a23-73-139-65.deploy.static.akamaitechnologies.com
  Traffic: 71 B sent, 135 B received, 1 request, 1 response
- DNS Request 20.49.80.91.in-addr.arpa (IN PTR)
  Remote address: 8.8.8.8:53
  Response: (empty)
  Traffic: 70 B sent, 145 B received, 1 request, 1 response
- DNS Request 83.210.23.2.in-addr.arpa (IN PTR)
  Remote address: 8.8.8.8:53
  Response: 83.210.23.2.in-addr.arpa IN PTR a2-23-210-83.deploy.static.akamaitechnologies.com
  Traffic: 70 B sent, 133 B received, 1 request, 1 response
- DNS Request 11.227.111.52.in-addr.arpa (IN PTR)
  Remote address: 8.8.8.8:53
  Response: (empty)
  Traffic: 72 B sent, 158 B received, 1 request, 1 response
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
- Filesize: 1KB
  MD5: 3f5b9f2b34b14f22b7775c2c0a91f1a2
  SHA1: 0297877c09e7761df5a5980bcaf1b0b0262709da
  SHA256: cf63ce623bddd27c7b62a49aa40cd5a231fbdbde94405a8a10c13eb6a8b49ba8
  SHA512: 8e68daf530086151c0146d74da292d26ea15c67adfed763209ebb984c8b622008f721fe3e2d5ae8b1b599d57976319ee6f653589f50e0f97620b1baefeda69b1
- Filesize: 401KB
  MD5: 4bc37f0a2f0920dbca852fedaf8eea47
  SHA1: b65c15ea93416ddc135ec808e1b57bd1dd800459
  SHA256: 0cc0ff43a156227bdfba1d777cd8738021607c3ed8a330548c37ad26d63afa03
  SHA512: b5ed2976bb6433fd1617dd8271871543e588c9562a341289d18eea010b1c285d1a4dcb303027ea0689ec7e1a8d5be9c85cd21b8ed764fe9040bf537582e9abcd