Analysis
-
max time kernel
141s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
18-12-2024 16:10
General
-
Target
fc3bfe248591925ccdadd17307a476eb_JaffaCakes118.exe
-
Size
2.2MB
-
MD5
fc3bfe248591925ccdadd17307a476eb
-
SHA1
2f0ad1fe100affd79d9b52f8eb97905177da56ba
-
SHA256
b10f457d04d2c040a1d69cde46ef8f6135ee3e996dbbd8568dc9c22b3afba450
-
SHA512
cf2dacb84decf2ddda20a0e40e294ee302b789ea6ce21b9fa64d5fe57f7ac51c071f26142533cb42c2a9e0d5687cf7548e6d848d7e6b863ea623e8fb7bc5f79e
-
SSDEEP
49152:/H67ec//////RTaARjzI0nSNrN3yOGlp2NIqDxs6TdMv3Plg0jI2SmS:/H67ec//////Q8jPSZN3yOYpeIqtdMv0
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
ModiLoader Second Stage 4 IoCs
-
Executes dropped EXE 2 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fc3bfe248591925ccdadd17307a476eb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fc3bfe248591925ccdadd17307a476eb_JaffaCakes118.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\WINDOWS\system32Gar2Ide.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\system32Gar2Ide.exeC:\WINDOWS\system32Gar2Ide.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WINDOWS\_xr.bat" "4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\WINDOWS\system325-Cha Public Client_0308.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\system325-Cha Public Client_0308.exe"C:\WINDOWS\system325-Cha Public Client_0308.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5e3e4a98353f119b80b323302f26b78fa
SHA120ee35a370cdd3a8a7d04b506410300fd0a6a864
SHA2569466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
SHA512d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee
-
Filesize
8KB
MD53f57b781cb3ef114dd0b665151571b7b
SHA1ce6a63f996df3a1cccb81720e21204b825e0238c
SHA25646e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
SHA5128cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa
-
Filesize
1.5MB
MD512355a49fba3ed5419cc30e41258229f
SHA1f9762c54718ceeef79a3672be7aa2c833eeb1602
SHA2569da22a52c9bad67427b67b676dc7c111df19661f3d4513b04457bdfe0859ae69
SHA512940bd1ed12480506444c1eb1f1e31808294aeb48e917b3ed1ab8cdf8bcaa0ddf0ba831c099ba1c40293dcf07b86ad321f5345ad0f57d08ae5623594e2cf19efc
-
Filesize
128KB
MD56e00045cd48ccf3ad4b0dfba22725eb3
SHA185cb2775da02c8484be111be98d627d378ba8f10
SHA256395d7cc2dc18e4d8c8b8760d98a1bbb2e9154bf6975c0a592655eaaa56342ac3
SHA51219b7e65043a08f4cc1e5d832d042e09e38085858a841f6430425113a3290d625037da8938dd5084644ba4039d855f292419536fb42afeb912df23407c3783dae
-
Filesize
104B
MD52f550a75d04816d23af8611ebcefeb30
SHA16542f5824ed6cae2b198aa11f0343ea69f00c43b
SHA256c9dd30e632453b73b75a2b5e217328f05e18be82556a2126322d64038d33d405
SHA5128322b20ee073f7b586260907a9308066cd8e0b74a7e21d3af635a44277f3f99df7766aa54d04a20fe89f4a2bc76f3e99232e55d6e11ae4fd2957e164b66e0dd9
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
4KB
-
Filesize
2.2MB
-
Filesize
440KB
-
Filesize
104KB
-
Filesize
4KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
104KB
-
Filesize
440KB
-
Filesize
4KB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
4KB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB