Analysis

Max time kernel: 105s
Max time network: 135s
Platform: windows10-2004_x64
Resource: win10v2004-20250314-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 30/03/2025, 16:56
Static task: static1

Behavioral task: behavioral1
  Sample: JaffaCakes118_98f07c63601aa396bdfee30007424e05.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: JaffaCakes118_98f07c63601aa396bdfee30007424e05.exe
  Resource: win10v2004-20250314-en
General

Target: JaffaCakes118_98f07c63601aa396bdfee30007424e05.exe
Size: 690KB
MD5: 98f07c63601aa396bdfee30007424e05
SHA1: 146911c28b70fd104e3d204983f3217d6c23348f
SHA256: 91c9db4d11b398d135a798acd354fe8f5b03537c85a97bb6190c6fce67cafa78
SHA512: 26d8397416bed9f1685fa1ca9250db7682cedf21a59a37b948c1a0a09e29edc22df69c839a4bdb9d67417e8007b53f1859d927104dde09dbf0eb32a1313552cf
SSDEEP: 12288:UxclaI4To3eFuWjJucE+tDYsvESNuK72BF3Z4mxxPOa/UtfO2UrgQ:Ux43WJtZlYg557GQmXDcNOPcQ
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

- Modiloader family

- ModiLoader Second Stage (2 IoCs)
  resource: behavioral2/memory/1420-46-0x0000000000400000-0x0000000000523000-memory.dmp, yara_rule: modiloader_stage2
  resource: behavioral2/memory/3276-49-0x0000000000400000-0x0000000000523000-memory.dmp, yara_rule: modiloader_stage2

- Executes dropped EXE (1 IoC)
  PID 3276, process rav.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by JaffaCakes118_98f07c63601aa396bdfee30007424e05.exe: \??\J:, \??\K:, \??\S:, \??\V:, \??\Y:, \??\M:, \??\N:, \??\T:, \??\U:, \??\E:, \??\W:, \??\X:, \??\Z:, \??\Q:, \??\B:, \??\G:, \??\H:, \??\L:, \??\O:, \??\P:, \??\R:, \??\A:, \??\I:
- Drops autorun.inf file (1 TTP, 4 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  File created C:\AutoRun.inf (JaffaCakes118_98f07c63601aa396bdfee30007424e05.exe)
  File opened for modification C:\AutoRun.inf (JaffaCakes118_98f07c63601aa396bdfee30007424e05.exe)
  File created F:\AutoRun.inf (JaffaCakes118_98f07c63601aa396bdfee30007424e05.exe)
  File opened for modification F:\AutoRun.inf (JaffaCakes118_98f07c63601aa396bdfee30007424e05.exe)

- Drops file in System32 directory (2 IoCs)
  File created C:\Windows\SysWOW64\_rav.exe (rav.exe)
  File opened for modification C:\Windows\SysWOW64\_rav.exe (rav.exe)

- Suspicious use of SetThreadContext (1 IoC)
  PID 3276 (rav.exe) set thread context of PID 2444 (procid_target 92)

- Drops file in Program Files directory (3 IoCs)
  File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat (JaffaCakes118_98f07c63601aa396bdfee30007424e05.exe)
  File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\rav.exe (JaffaCakes118_98f07c63601aa396bdfee30007424e05.exe)
  File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\rav.exe (JaffaCakes118_98f07c63601aa396bdfee30007424e05.exe)

- Program crash (2 IoCs)
  PID 1512 (WerFault.exe), pid_target 2444, procid_target 92
  PID 968 (WerFault.exe), pid_target 3276, procid_target 91
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_98f07c63601aa396bdfee30007424e05.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rav.exe)

- Suspicious use of UnmapMainImage (1 IoC)
  PID 2444, process calc.exe

- Suspicious use of WriteProcessMemory (13 IoCs)
  PID 1420 (JaffaCakes118_98f07c63601aa396bdfee30007424e05.exe) wrote to memory of PID 3276 (procid_target 91): 3 entries
  PID 3276 (rav.exe) wrote to memory of PID 2444 (procid_target 92): 5 entries
  PID 3276 (rav.exe) wrote to memory of PID 2036 (procid_target 94): 2 entries
  PID 1420 (JaffaCakes118_98f07c63601aa396bdfee30007424e05.exe) wrote to memory of PID 4088 (procid_target 100): 3 entries
Processes

- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98f07c63601aa396bdfee30007424e05.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98f07c63601aa396bdfee30007424e05.exe"
  PID: 1420
  Signatures: Enumerates connected drives; Drops autorun.inf file; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Program Files\Common Files\Microsoft Shared\MSINFO\rav.exe
    Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rav.exe"
    PID: 3276
    Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\calc.exe
      Command line: "C:\Windows\system32\calc.exe"
      PID: 2444
      Signatures: Suspicious use of UnmapMainImage
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 12
        PID: 1512
        Signatures: Program crash
    - C:\program files\internet explorer\IEXPLORE.EXE
      Command line: "C:\program files\internet explorer\IEXPLORE.EXE"
      PID: 2036
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 688
      PID: 968
      Signatures: Program crash
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
    PID: 4088
    Signatures: System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2444 -ip 2444
  PID: 4736
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3276 -ip 3276
  PID: 2484
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 212B
  MD5: 7459f4b99cbc4ef5c2c4c77c6a4f835b
  SHA1: 6b5d78f7ec8c73c2c7e2814cc1752b8b28558838
  SHA256: 876132d845fbb3d3134a88f01338f930411f4e5cd581b2d98046d1e9710de64c
  SHA512: 59b1e8a7ad7334aa84de5ff31aa1cf41c39d0f8c129d18a8d44e1e913333fd217dc3555b3d1aeb451d37c1d15cd792de7dede429f5b3c8a0206c5db36ba9384b

- Filesize: 690KB
  MD5: 98f07c63601aa396bdfee30007424e05
  SHA1: 146911c28b70fd104e3d204983f3217d6c23348f
  SHA256: 91c9db4d11b398d135a798acd354fe8f5b03537c85a97bb6190c6fce67cafa78
  SHA512: 26d8397416bed9f1685fa1ca9250db7682cedf21a59a37b948c1a0a09e29edc22df69c839a4bdb9d67417e8007b53f1859d927104dde09dbf0eb32a1313552cf