Analysis
- max time kernel: 141s
- max time network: 99s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 15/01/2025, 17:05 UTC
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_5cff2e754fda9807c74fca18a849e643.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_5cff2e754fda9807c74fca18a849e643.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_5cff2e754fda9807c74fca18a849e643.exe
- Size: 693KB
- MD5: 5cff2e754fda9807c74fca18a849e643
- SHA1: 68b72c6e95075d14d6e18921595f1302c9aa884c
- SHA256: a669e51e17ddde4aef6e6218bca0abb06f953e8d05a4ee1031ea5d52fb8c65fa
- SHA512: 1ff15b67344b0ebc75a8fa3569b74ae9fc4666e3605bd9f3be00f70f2fb75b7667cf461c8ef46251f700d3fcf5c04cf57537ab19de0e861c8fbb24e01638c388
- SSDEEP: 12288:8KlN8Co1ksS4oO6ePKBGwe5QxtDwx02YltukAWjh6iQvQPeCHwjFQTOfFhaQpSkf:8yo1ksS4BiAwe5W40pReCHPTOfF8Qpx
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage 2 IoCs
  resource behavioral1/memory/2208-17-0x0000000000400000-0x00000000007C9000-memory.dmp, yara_rule modiloader_stage2
  resource behavioral1/memory/2208-29-0x0000000000400000-0x00000000007C9000-memory.dmp, yara_rule modiloader_stage2
- Suspicious use of SetThreadContext 1 IoCs
  PID 2208 set thread context of 2552 (pid: 2208, process: JaffaCakes118_5cff2e754fda9807c74fca18a849e643.exe, procid_target: 30)
- Drops file in Program Files directory 1 IoCs
  File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt (process: JaffaCakes118_5cff2e754fda9807c74fca18a849e643.exe)
- System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
  Attempt to gather information about the system language of a victim host in order to infer its geographical location.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JaffaCakes118_5cff2e754fda9807c74fca18a849e643.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: IEXPLORE.EXE)
- Modifies Internet Explorer settings
  All entries below were made by process IEXPLORE.EXE; all key paths are relative to \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer
  Key created Toolbar
  Set value (str) Main\WindowsSearch\Version = "WS not running"
  Key created SearchScopes
  Set value (int) SearchScopes\DownloadRetries = "3"
  Key created PageSetup
  Set value (int) Main\CompatibilityFlags = "0"
  Set value (data) Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
  Set value (int) Recovery\PendingRecovery\AdminActive = "0"
  Key created InternetRegistry
  Key created Toolbar\WebBrowser
  Set value (int) Recovery\AdminActive\{E1131291-D362-11EF-9F7F-EAF82BEC9AF0} = "0"
  Set value (str) Main\FullScreen = "no"
  Key created Recovery\PendingRecovery
  Key created DomainSuggestion
  Key created Main
  Key created LowRegistry\DontShowMeThisDialogAgain
  Key created BrowserEmulation\LowMic
  Key created LowRegistry
  Key created Main\WindowsSearch
  Key created LowRegistry\DOMStorage
  Key created Zoom
  Key created Recovery\AdminActive
  Key created IETld\LowMic
  Key created IntelliForms
  Set value (int) Recovery\PendingRecovery\AdminActive = "1"
  Set value (int) DomainSuggestion\NextUpdateDate = "443122610"
  Key created GPU
  Key created Main
- Suspicious use of FindShellTrayWindow 1 IoCs
  pid 2552, process IEXPLORE.EXE
- Suspicious use of SetWindowsHookEx 6 IoCs
  pid 2552, process IEXPLORE.EXE (2 entries)
  pid 2432, process IEXPLORE.EXE (4 entries)
- Suspicious use of WriteProcessMemory 9 IoCs
  PID 2208 wrote to memory of 2552 (pid: 2208, process: JaffaCakes118_5cff2e754fda9807c74fca18a849e643.exe, procid_target: 30), 5 entries
  PID 2552 wrote to memory of 2432 (pid: 2552, process: IEXPLORE.EXE, procid_target: 31), 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5cff2e754fda9807c74fca18a849e643.exe (PID 2208)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5cff2e754fda9807c74fca18a849e643.exe"
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\program files\internet explorer\IEXPLORE.EXE (PID 2552, child of 2208)
    Command line: "C:\program files\internet explorer\IEXPLORE.EXE"
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2432, child of 2552)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:275457 /prefetch:2
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
- DNS, remote address 8.8.8.8:53
  Request: api.bing.com IN A
  Response: api.bing.com IN CNAME api-bing-com.e-0001.e-msedge.net
  Response: api-bing-com.e-0001.e-msedge.net IN CNAME e-0001.e-msedge.net
  Response: e-0001.e-msedge.net IN A 13.107.5.80
MITRE ATT&CK Enterprise v15
Downloads