Analysis
max time kernel: 150s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/03/2025, 20:22
Behavioral task behavioral1
Sample: JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe
Resource: win7-20250207-en
Behavioral task behavioral2
Sample: JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe
Resource: win10v2004-20250314-en
General
Target: JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe
Size: 255KB
MD5: 97d9cf132d4984352f9e4d5b54a37ddb
SHA1: 370f724f4caae8e2753e13be6e417d0d0b18ca97
SHA256: de0378936cb107b5bc6825ea9a8a399d0f3804c8929a0e421de180eb658814e8
SHA512: 79113a58d0d422b2120b7a2a981c9d30582b94ead86366578a268fb050a680a554a1eb373778ca303f2cbadf1165f1fe9f8222faeacdd9fa599bc619f453a393
SSDEEP: 6144:uBZY+J0UFuiYqt27FpxxLD+4WZMXE8lnzDZoA06u9SE9+CI:uBZPekH237LUd8lJosu9r
Malware Config
Signatures
(Every signature match on this page is tagged behavioral2, i.e. the Windows 10 run; no behavioral1 (Windows 7) results appear here.)
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage (11 IoCs)
  yara rule modiloader_stage2 matched in:
  - behavioral2/memory/3268-4-0x0000000000447000-0x000000000046D000-memory.dmp
  - behavioral2/memory/3268-5-0x0000000000400000-0x000000000047C000-memory.dmp
  - behavioral2/memory/3268-6-0x0000000000400000-0x000000000047C000-memory.dmp
  - behavioral2/memory/4508-11-0x0000000000400000-0x000000000047C000-memory.dmp
  - behavioral2/memory/4508-12-0x0000000000400000-0x000000000047C000-memory.dmp
  - behavioral2/memory/4508-13-0x0000000000400000-0x000000000047C000-memory.dmp
  - behavioral2/memory/3268-14-0x0000000000400000-0x000000000047C000-memory.dmp
  - behavioral2/memory/3268-15-0x0000000000447000-0x000000000046D000-memory.dmp
  - behavioral2/memory/4508-16-0x0000000000400000-0x000000000047C000-memory.dmp
  - behavioral2/memory/4508-17-0x0000000000400000-0x000000000047C000-memory.dmp
  - behavioral2/memory/3268-26-0x0000000000400000-0x000000000047C000-memory.dmp
  All matches are in the image region 0x400000-0x47C000 of the two sample instances (PIDs 3268 and 4508), i.e. the second-stage rule fires on the unpacked code in the sample's own image, not in a third-party process.
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  - Key created: \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Microsoft\Active Setup\Installed Components (process: explorer.exe)
  Note the process is explorer.exe (PID 1304), not the sample, and the IoC is the parent Installed Components key rather than a component entry pointing at the sample; on its own this is weak evidence of persistence.
- Executes dropped EXE (1 IoC)
  - PID 4508: JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe
- Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
  Keys deleted under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal by JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe:
  - UserManager
  - SerCx2.sys
  - ProfSvc
  - Power
  - iai2c.sys
  - CBDHSvc
  Each entry under SafeBoot\Minimal names a service or driver that Windows loads in Safe Mode; deleting them breaks Safe Mode as a remediation path rather than hiding the sample. Restoring these entries from a known-good system of the same build is part of cleanup.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe" (process: JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe)
  - Set value (str): same key and data, written a second time by JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe
  The table gives only the process name; the process tree tags both sample instances (PIDs 3268 and 4508) with this signature, which is consistent with the value being written once per instance. Persistence is per-user (HKCU Run) and points at the sample's own path in %TEMP%.
- UPX packed file (13 IoCs)
  yara rule upx matched in:
  - behavioral2/memory/3268-0-0x0000000000400000-0x000000000047C000-memory.dmp
  - behavioral2/memory/3268-2-0x0000000000400000-0x000000000047C000-memory.dmp
  - behavioral2/memory/3268-5-0x0000000000400000-0x000000000047C000-memory.dmp
  - behavioral2/memory/3268-6-0x0000000000400000-0x000000000047C000-memory.dmp
  - behavioral2/files/0x00070000000241c0-7.dat
  - behavioral2/memory/4508-8-0x0000000000400000-0x000000000047C000-memory.dmp
  - behavioral2/memory/4508-11-0x0000000000400000-0x000000000047C000-memory.dmp
  - behavioral2/memory/4508-12-0x0000000000400000-0x000000000047C000-memory.dmp
  - behavioral2/memory/4508-13-0x0000000000400000-0x000000000047C000-memory.dmp
  - behavioral2/memory/3268-14-0x0000000000400000-0x000000000047C000-memory.dmp
  - behavioral2/memory/4508-16-0x0000000000400000-0x000000000047C000-memory.dmp
  - behavioral2/memory/4508-17-0x0000000000400000-0x000000000047C000-memory.dmp
  - behavioral2/memory/3268-26-0x0000000000400000-0x000000000047C000-memory.dmp
  (The heading for this rule is missing from the page; the rule name upx identifies it. The one file hit, 0x00070000000241c0-7.dat, is the dropped copy listed under Downloads.)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe)
- Modifies registry class (1 IoC)
  - Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3920955164-3782810283-1225622749-1000\{60EC9413-6837-49B4-903C-D9884794F28A} (process: explorer.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 process-enumeration events, all from the two sample instances: PID 3268 and PID 4508 (JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe), interleaved after 4508 starts.
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  - Token: SeShutdownPrivilege, PID 1304 explorer.exe
  - Token: SeCreatePagefilePrivilege, PID 1304 explorer.exe
  - Token: SeShutdownPrivilege, PID 1304 explorer.exe
  - Token: SeCreatePagefilePrivilege, PID 1304 explorer.exe
  All four are explorer.exe adjusting its own token; none are attributed to the sample.
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 4564 (cmd.exe) wrote to memory of PID 4508, procid_target 88 (recorded three times)
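The registry IoCs above are the part of this report worth automating. The following is an added example, not code from the report or from the sandbox vendor: it parses IoC lines in the "description / key / process" layout used above, maps each to the ATT&CK Enterprise technique behind the corresponding signature heading (the ID mapping is mine), and lists the SafeBoot\Minimal entries that were deleted, which is what a responder needs to restore. The sample lines are constructed from the report's own tables; the parser assumes the process name is the last whitespace-separated token and that key paths may contain spaces.

```python
"""Classify sandbox registry IoC lines into ATT&CK techniques (added example)."""
import re
from collections import Counter

# Constructed from the report's IoC tables above: "<action> <key path> [= "<data>"] <process>".
SAMPLE_EVENTS = [
    r"Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe",
    r"Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe",
    r"Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe",
    r"Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe",
    r"Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe",
    r"Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe" JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe',
    r"Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe",
]

ACTION_RE = re.compile(r"^(?P<action>Key (?:created|deleted|opened)|Set value \(\w+\))\s+(?P<rest>.+)$")

# (technique id, name, verb the technique needs, key-path pattern). The IDs are the
# standard ATT&CK Enterprise IDs for the report's signature headings (my mapping).
RULES = [
    ("T1562.009", "Impair Defenses: Safe Mode Boot", "deleted", re.compile(r"\\Control\\SafeBoot\\", re.I)),
    ("T1547.001", "Autostart: Registry Run Keys", "set", re.compile(r"\\CurrentVersion\\Run\\", re.I)),
    ("T1547.014", "Autostart: Active Setup", "created", re.compile(r"\\Active Setup\\Installed Components", re.I)),
    ("T1614.001", "System Language Discovery", "opened", re.compile(r"\\Control\\NLS\\Language$", re.I)),
]

SAFEBOOT_RE = re.compile(r"\\SafeBoot\\(Minimal|Network)\\([^\\]+)$", re.I)


def parse_event(line):
    """Split one IoC line into (verb, key path, data-or-None, process name).

    Assumption: the process name is the final token; everything between the action
    and that token is the key path (paths such as 'Active Setup' contain spaces).
    """
    m = ACTION_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised IoC line: {line!r}")
    action = m.group("action")
    verb = "set" if action.startswith("Set value") else action.split()[1]
    body, process = m.group("rest").rsplit(" ", 1)
    data = None
    if verb == "set" and " = " in body:
        body, data = body.split(" = ", 1)
        # The report prints quoted data with escaped backslashes; undo that.
        data = data.strip('"').replace("\\\\", "\\")
    return verb, body, data, process


def classify(line):
    """ATT&CK technique id for one IoC line, or None when no rule applies."""
    verb, path, _data, _proc = parse_event(line)
    for tid, _name, need_verb, pattern in RULES:
        if verb == need_verb and pattern.search(path):
            return tid
    return None


def technique_counts(lines):
    """Count matched techniques over many IoC lines; unmatched lines are skipped."""
    return Counter(t for t in map(classify, lines) if t)


def safeboot_entries_removed(lines):
    """Names of SafeBoot entries (Minimal or Network) deleted, in report order."""
    removed = []
    for line in lines:
        verb, path, _, _ = parse_event(line)
        m = SAFEBOOT_RE.search(path)
        if verb == "deleted" and m:
            removed.append(m.group(2))
    return removed


def autostart_commands(lines):
    """Command lines written to Run keys, i.e. what will execute at next logon."""
    run_pattern = RULES[1][3]
    return [d for v, p, d, _ in map(parse_event, lines) if v == "set" and d and run_pattern.search(p)]


if __name__ == "__main__":
    for tid, n in sorted(technique_counts(SAMPLE_EVENTS).items()):
        print(tid, n)
    print("SafeBoot entries removed:", safeboot_entries_removed(SAMPLE_EVENTS))
    print("Autostart commands:", autostart_commands(SAMPLE_EVENTS))
```

Feeding the full report in would give T1562.009 six times (the six SafeBoot deletions), and the returned entry names are the list to restore. The rule table deliberately keys on the action verb as well as the path: a "Key opened" on a Run key is a read, not persistence, and should not fire T1547.001.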
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe"
  PID: 3268
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\cmd.exe (depth 1)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe
  PID: 4564
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe (depth 2, child of cmd.exe 4564)
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97d9cf132d4984352f9e4d5b54a37ddb.exe
    PID: 4508
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\explorer.exe (depth 1)
  command line: explorer.exe
  PID: 1304
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
Notes: the tree records no parent for cmd.exe (4564); it sits at depth 1 next to the original sample (3268), so the page does not establish which process launched it. The only WriteProcessMemory IoC is cmd.exe 4564 writing into its own child 4508; no write into explorer.exe (1304) is recorded, so the three signatures on explorer.exe are not evidence of injection by the sample.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 255KB
  MD5: 97d9cf132d4984352f9e4d5b54a37ddb
  SHA1: 370f724f4caae8e2753e13be6e417d0d0b18ca97
  SHA256: de0378936cb107b5bc6825ea9a8a399d0f3804c8929a0e421de180eb658814e8
  SHA512: 79113a58d0d422b2120b7a2a981c9d30582b94ead86366578a268fb050a680a554a1eb373778ca303f2cbadf1165f1fe9f8222faeacdd9fa599bc619f453a393
  The dropped file has the same size and hashes as the submitted sample, i.e. it is a byte-identical copy; the "Executes dropped EXE" hit (PID 4508) is the sample re-launched from the same %TEMP% path via cmd.exe, not a distinct payload. No second-stage download appears in this report.