Analysis
- max time kernel: 141s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 28-06-2024 01:13
Behavioral task: behavioral1
- Sample: 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe
- Size: 356KB
- MD5: 183eb38e6f8325b9c0841e29e5ad54ad
- SHA1: 050a05945e9d6200d7a38b66d72273972cb7c4bd
- SHA256: 08f8a8d98146521aec865b97ae8968208503580b04c3a61c8131e1ad1f94fc85
- SHA512: 827b923067d41002b01047d5bdd56b6f6ab4c169d81f78b789d8984d0dd0de6a770172d2d1c5f428636ebd647512cbd5e149a58030dadb8e237fe4eaa42db287
- SSDEEP: 6144:jWieYPVY7dSsxYomneDJ0JNWjJPDszxYc8MBnr1N05xq8kzBZ474+eQV/otb7KOa:saVsYomn60JgjJPDs1BlBrr05xb/EQ2
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2988-12-0x0000000000400000-0x000000000054A000-memory.dmp | modiloader_stage2
behavioral1/memory/2916-30-0x0000000000400000-0x00000000005BC000-memory.dmp | modiloader_stage2
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
2916 | msnmsgr.exe
2712 | ldapi32.exe
-
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
Processes:
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | msnmsgr.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | msnmsgr.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | msnmsgr.exe
-
Loads dropped DLL 4 IoCs
Processes:
pid | process
2916 | msnmsgr.exe
2916 | msnmsgr.exe
2916 | msnmsgr.exe
2916 | msnmsgr.exe
-
Processes:
resource | yara_rule
behavioral1/memory/2988-0-0x0000000000400000-0x000000000054A000-memory.dmp | upx
C:\Windows\msnmsgr.exe | upx
behavioral1/memory/2916-13-0x0000000000400000-0x00000000005BC000-memory.dmp | upx
behavioral1/memory/2988-12-0x0000000000400000-0x000000000054A000-memory.dmp | upx
behavioral1/memory/2988-10-0x0000000004A20000-0x0000000004BDC000-memory.dmp | upx
behavioral1/memory/2916-30-0x0000000000400000-0x00000000005BC000-memory.dmp | upx
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmsgr = "C:\\Windows\\msnmsgr.exe" | 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe
-
Drops file in System32 directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\ntswrl32.dll | msnmsgr.exe
File created | C:\Windows\SysWOW64\ntcvx32.dll | msnmsgr.exe
File created | C:\Windows\SysWOW64\ldapi32.exe | msnmsgr.exe
-
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\msnmsgr.exe | 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe
File opened for modification | C:\Windows\msnmsgr.exe | 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2712 | ldapi32.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
2916 | msnmsgr.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description | pid | process | target process
PID 2988 wrote to memory of 2916 | 2988 | 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe | msnmsgr.exe
PID 2988 wrote to memory of 2916 | 2988 | 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe | msnmsgr.exe
PID 2988 wrote to memory of 2916 | 2988 | 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe | msnmsgr.exe
PID 2988 wrote to memory of 2916 | 2988 | 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe | msnmsgr.exe
PID 2916 wrote to memory of 2712 | 2916 | msnmsgr.exe | ldapi32.exe
PID 2916 wrote to memory of 2712 | 2916 | msnmsgr.exe | ldapi32.exe
PID 2916 wrote to memory of 2712 | 2916 | msnmsgr.exe | ldapi32.exe
PID 2916 wrote to memory of 2712 | 2916 | msnmsgr.exe | ldapi32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe (depth 1)
  "C:\Users\Admin\AppData\Local\Temp\183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\msnmsgr.exe (depth 2)
    "C:\Windows\msnmsgr.exe"
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ldapi32.exe (depth 3)
      C:\Windows\system32\ldapi32.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\msnmsgr.exe
  Filesize: 316KB
  MD5: 02edc45fa5b103992445370695bc52e5
  SHA1: 32f765f906bf6bbd9fa4466a7602460bb7470d79
  SHA256: d486b3777e5ea22d671dc3731b69c3b18c7fa55fe82f712651a73aa02d17ab20
  SHA512: 799c75a3af5927d0d0565a099c9098a008f7a44e7851b138c14473371a231b1c0db8cc8d57d53e8e3cf74b7fb668ff538e6437ae9cb08cdaa0f469e06c0499e5
- \Windows\SysWOW64\ldapi32.exe
  Filesize: 20KB
  MD5: 92acb5d55bc589ea424d174b31f76686
  SHA1: 1f9f023b1ae0b1be5c397fe103ac520b371fbd6b
  SHA256: 3bea383242a4439634618a86993c8e70c43cb8810e5324f3f9c6b9cbe7b3ead4
  SHA512: e89ea8bf0b6c2bd11072a5d455e67b2b8470292dfb8382a3bfb5da4a409b86390a62f448e7cdd496f286b1ac4097436efd83e886ae5b45accda6da7dc4d9938e
- \Windows\SysWOW64\ntswrl32.dll
  Filesize: 11KB
  MD5: 638f5a55fb714b6039ae0ace0ee70e44
  SHA1: 7b47cdf023822722b3b81e936cb16fbecb00babc
  SHA256: 7d671074387a6885c5a4815165242720be442689e276cf64cc376da49080bb1f
  SHA512: 68f8fb741566d9e4cb2a420a3fe179db59b29f9ab5f9aee7fd5312e1e7f0991b4d1491b2e557374ca7c4f3aee8948201721408601f68f9f86d36a4df5947e357
- memory/2712-27-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/2916-13-0x0000000000400000-0x00000000005BC000-memory.dmp
  Filesize: 1.7MB
- memory/2916-31-0x0000000000640000-0x0000000000649000-memory.dmp
  Filesize: 36KB
- memory/2916-30-0x0000000000400000-0x00000000005BC000-memory.dmp
  Filesize: 1.7MB
- memory/2916-47-0x0000000000640000-0x0000000000649000-memory.dmp
  Filesize: 36KB
- memory/2988-0-0x0000000000400000-0x000000000054A000-memory.dmp
  Filesize: 1.3MB
- memory/2988-12-0x0000000000400000-0x000000000054A000-memory.dmp
  Filesize: 1.3MB
- memory/2988-11-0x0000000004A20000-0x0000000004BDC000-memory.dmp
  Filesize: 1.7MB
- memory/2988-10-0x0000000004A20000-0x0000000004BDC000-memory.dmp
  Filesize: 1.7MB