Analysis
- max time kernel: 141s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-06-2024 01:13
Behavioral task: behavioral1
- Sample: 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe
- Size: 356KB
- MD5: 183eb38e6f8325b9c0841e29e5ad54ad
- SHA1: 050a05945e9d6200d7a38b66d72273972cb7c4bd
- SHA256: 08f8a8d98146521aec865b97ae8968208503580b04c3a61c8131e1ad1f94fc85
- SHA512: 827b923067d41002b01047d5bdd56b6f6ab4c169d81f78b789d8984d0dd0de6a770172d2d1c5f428636ebd647512cbd5e149a58030dadb8e237fe4eaa42db287
- SSDEEP: 6144:jWieYPVY7dSsxYomneDJ0JNWjJPDszxYc8MBnr1N05xq8kzBZ474+eQV/otb7KOa:saVsYomn60JgjJPDs1BlBrr05xb/EQ2
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/2736-34-0x0000000000400000-0x000000000054A000-memory.dmp | modiloader_stage2
  behavioral2/memory/3600-54-0x0000000000400000-0x00000000005BC000-memory.dmp | modiloader_stage2
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes: 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe
- Executes dropped EXE (2 IoCs)
  Processes: msnmsgr.exe, ldapi32.exe
  pid | process
  3600 | msnmsgr.exe
  2820 | ldapi32.exe
- Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
  Processes: msnmsgr.exe
  description | ioc | process
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | msnmsgr.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | msnmsgr.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | msnmsgr.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | msnmsgr.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | msnmsgr.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | msnmsgr.exe
- Loads dropped DLL (4 IoCs)
  Processes: msnmsgr.exe
  pid | process
  3600 | msnmsgr.exe
  3600 | msnmsgr.exe
  3600 | msnmsgr.exe
  3600 | msnmsgr.exe
- Processes:
  resource | yara_rule
  behavioral2/memory/2736-0-0x0000000000400000-0x000000000054A000-memory.dmp | upx
  C:\Windows\msnmsgr.exe | upx
  behavioral2/memory/3600-35-0x0000000000400000-0x00000000005BC000-memory.dmp | upx
  behavioral2/memory/2736-34-0x0000000000400000-0x000000000054A000-memory.dmp | upx
  behavioral2/memory/3600-54-0x0000000000400000-0x00000000005BC000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmsgr = "C:\\Windows\\msnmsgr.exe" | 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe
- Drops file in System32 directory (3 IoCs)
  Processes: msnmsgr.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\ntswrl32.dll | msnmsgr.exe
  File created | C:\Windows\SysWOW64\ntcvx32.dll | msnmsgr.exe
  File created | C:\Windows\SysWOW64\ldapi32.exe | msnmsgr.exe
- Drops file in Windows directory (2 IoCs)
  Processes: 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe
  description | ioc | process
  File created | C:\Windows\msnmsgr.exe | 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe
  File opened for modification | C:\Windows\msnmsgr.exe | 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Processes: 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: ldapi32.exe
  description | pid | process
  Token: SeDebugPrivilege | 2820 | ldapi32.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: msnmsgr.exe
  pid | process
  3600 | msnmsgr.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe, msnmsgr.exe
  description | pid | process | target process
  PID 2736 wrote to memory of 3600 | 2736 | 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe | msnmsgr.exe
  PID 2736 wrote to memory of 3600 | 2736 | 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe | msnmsgr.exe
  PID 2736 wrote to memory of 3600 | 2736 | 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe | msnmsgr.exe
  PID 3600 wrote to memory of 2820 | 3600 | msnmsgr.exe | ldapi32.exe
  PID 3600 wrote to memory of 2820 | 3600 | msnmsgr.exe | ldapi32.exe
  PID 3600 wrote to memory of 2820 | 3600 | msnmsgr.exe | ldapi32.exe
Processes (tree, depth shown by indentation)
1. C:\Users\Admin\AppData\Local\Temp\183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\msnmsgr.exe
      Command line: "C:\Windows\msnmsgr.exe"
      - Executes dropped EXE
      - Impair Defenses: Safe Mode Boot
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\ldapi32.exe
         Command line: C:\Windows\system32\ldapi32.exe
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\SysWOW64\ldapi32.exe
  Filesize: 20KB
  MD5: 92acb5d55bc589ea424d174b31f76686
  SHA1: 1f9f023b1ae0b1be5c397fe103ac520b371fbd6b
  SHA256: 3bea383242a4439634618a86993c8e70c43cb8810e5324f3f9c6b9cbe7b3ead4
  SHA512: e89ea8bf0b6c2bd11072a5d455e67b2b8470292dfb8382a3bfb5da4a409b86390a62f448e7cdd496f286b1ac4097436efd83e886ae5b45accda6da7dc4d9938e
- C:\Windows\SysWOW64\ntswrl32.dll
  Filesize: 11KB
  MD5: 638f5a55fb714b6039ae0ace0ee70e44
  SHA1: 7b47cdf023822722b3b81e936cb16fbecb00babc
  SHA256: 7d671074387a6885c5a4815165242720be442689e276cf64cc376da49080bb1f
  SHA512: 68f8fb741566d9e4cb2a420a3fe179db59b29f9ab5f9aee7fd5312e1e7f0991b4d1491b2e557374ca7c4f3aee8948201721408601f68f9f86d36a4df5947e357
- C:\Windows\msnmsgr.exe
  Filesize: 316KB
  MD5: 02edc45fa5b103992445370695bc52e5
  SHA1: 32f765f906bf6bbd9fa4466a7602460bb7470d79
  SHA256: d486b3777e5ea22d671dc3731b69c3b18c7fa55fe82f712651a73aa02d17ab20
  SHA512: 799c75a3af5927d0d0565a099c9098a008f7a44e7851b138c14473371a231b1c0db8cc8d57d53e8e3cf74b7fb668ff538e6437ae9cb08cdaa0f469e06c0499e5
Memory dumps
- memory/2736-0-0x0000000000400000-0x000000000054A000-memory.dmp (1.3MB)
- memory/2736-34-0x0000000000400000-0x000000000054A000-memory.dmp (1.3MB)
- memory/2820-48-0x0000000000400000-0x000000000040C000-memory.dmp (48KB)
- memory/3600-35-0x0000000000400000-0x00000000005BC000-memory.dmp (1.7MB)
- memory/3600-36-0x0000000000BA0000-0x0000000000BA1000-memory.dmp (4KB)
- memory/3600-55-0x0000000002B20000-0x0000000002B29000-memory.dmp (36KB)
- memory/3600-54-0x0000000000400000-0x00000000005BC000-memory.dmp (1.7MB)
- memory/3600-58-0x0000000000BA0000-0x0000000000BA1000-memory.dmp (4KB)