Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 15-12-2024 03:09
Static task: static1
Behavioral task: behavioral1
- Sample: f202bf634484e0cb9c3b9f92170e4a9c_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: f202bf634484e0cb9c3b9f92170e4a9c_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: f202bf634484e0cb9c3b9f92170e4a9c_JaffaCakes118.exe
- Size: 748KB
- MD5: f202bf634484e0cb9c3b9f92170e4a9c
- SHA1: a3369e0d10839cd0709f8f86ebacc24574a85dcb
- SHA256: 2df20f4c1df335e0d97e92a6c2b5e9d5f927ec55fc2c31490f7f025d0ebb2936
- SHA512: 105e560172f0a6e7b9219d21ae879137f8a244fcaf6340e5adba1f9f2bda94893e0e15a5cbb5c51125e81e62d346a56a98ee5765201c90ee2022f5036e3ae98a
- SSDEEP: 12288:a4uS9dPsdgcpSoFv9gH9/sCaKSc9D1gtje5UkxX4PROZ32h1Jkk7w3y909:aPE2SYvWHxHf59xgtje5resGjJD7w3yW
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modiloader family

ModiLoader Second Stage (3 IoCs)
resource | yara_rule
behavioral1/memory/2300-28-0x0000000000400000-0x0000000000475000-memory.dmp | modiloader_stage2
behavioral1/memory/2300-39-0x0000000000400000-0x0000000000475000-memory.dmp | modiloader_stage2
behavioral1/memory/2856-70-0x0000000000400000-0x0000000000475000-memory.dmp | modiloader_stage2

Executes dropped EXE (4 IoCs)
pid | Process
2300 | DRIVER~3.EXE
2676 | 3d driving shool.exe
2856 | DRIVER~3.EXE
2668 | 3d driving shool.exe

Loads dropped DLL (16 IoCs)
pid | Process
2464 | f202bf634484e0cb9c3b9f92170e4a9c_JaffaCakes118.exe
2464 | f202bf634484e0cb9c3b9f92170e4a9c_JaffaCakes118.exe
2300 | DRIVER~3.EXE
2300 | DRIVER~3.EXE
2300 | DRIVER~3.EXE
2464 | f202bf634484e0cb9c3b9f92170e4a9c_JaffaCakes118.exe
2676 | 3d driving shool.exe
2464 | f202bf634484e0cb9c3b9f92170e4a9c_JaffaCakes118.exe
2856 | DRIVER~3.EXE
2856 | DRIVER~3.EXE
2856 | DRIVER~3.EXE
2668 | 3d driving shool.exe
2596 | WerFault.exe
2596 | WerFault.exe
2596 | WerFault.exe
2596 | WerFault.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTPs)
Steal credentials from unsecured files.

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | f202bf634484e0cb9c3b9f92170e4a9c_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2596 | 2668 | WerFault.exe | 34
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3d driving shool.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f202bf634484e0cb9c3b9f92170e4a9c_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DRIVER~3.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3d driving shool.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DRIVER~3.EXE
Suspicious use of WriteProcessMemory (35 IoCs)
Identical events are grouped; the last column is the number of times each event was recorded.
pid | Process | wrote to memory of | procid_target | events
2464 | f202bf634484e0cb9c3b9f92170e4a9c_JaffaCakes118.exe | 2300 | 31 | 7
2300 | DRIVER~3.EXE | 2676 | 32 | 7
2464 | f202bf634484e0cb9c3b9f92170e4a9c_JaffaCakes118.exe | 2856 | 33 | 7
2856 | DRIVER~3.EXE | 2668 | 34 | 7
2668 | 3d driving shool.exe | 2596 | 35 | 7
Processes
C:\Users\Admin\AppData\Local\Temp\f202bf634484e0cb9c3b9f92170e4a9c_JaffaCakes118.exe (PID 2464)
  command line: "C:\Users\Admin\AppData\Local\Temp\f202bf634484e0cb9c3b9f92170e4a9c_JaffaCakes118.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~3.EXE (PID 2300)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~3.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\3d driving shool.exe (PID 2676)
      command line: "C:\Users\Admin\AppData\Local\Temp\3d driving shool.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~3.EXE (PID 2856)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~3.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\3d driving shool.exe (PID 2668)
      command line: "C:\Users\Admin\AppData\Local\Temp\3d driving shool.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe (PID 2596)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 264
        - Loads dropped DLL
        - Program crash
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (4)
    Credentials In Files (4)