Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 28-06-2024 11:01
Static task: static1
Behavioral task: behavioral1
  Sample: 19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: 19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe
- Size: 44KB
- MD5: 19e08011fb339f18cbb5d2c2c85db3a6
- SHA1: c7f2ff109124c4fcd12c1578da3ec07d0061644f
- SHA256: 5a65e6273b9245dca62c3b5ccb748fb53898827074f3f2609ba9b39ea3e1cedb
- SHA512: e67eae6681499334394f9a68baea629c8c8510f23dd129dffa644ea702f797aae23890af42a3b43390860f9f61c41968fdaf768fb5b01fc99b8b0d4a9eb1d0d1
- SSDEEP: 768:TzB4YaZ6uCKMrsRP1kQOvi7Q7uWPFz0EJ0PtuOi68FD7X9M9s8ecZuff/Ym6/IB4:TCYaZ9hRP8vi74FgEJ017i9FnONAfYmE
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
Processes:
Resource: behavioral1/memory/2092-14-0x0000000000400000-0x000000000042B000-memory.dmp; YARA rule: modiloader_stage2
The rule matched a memory dump of the main module of PID 2092 (image range 0x400000-0x42B000, 172KB, listed under Downloads), not the 44KB file on disk; a static scan of the file with the same rule will not necessarily hit.
-
Drops file in Drivers directory 1 IoCs
Processes:
Description: File opened for modification; IOC: C:\Windows\system32\drivers\etc\hosts; Process: 19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe
The file is the hosts file, which happens to live under drivers\etc; the signature name is the sandbox's directory heuristic, not a driver drop. Editing hosts lets the sample pin hostnames to addresses of its choosing (redirection or sinkholing) without touching DNS. The report records the file being opened for modification only; the lines written are not captured here.
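When this signature fires, the next step on a live host is to read the hosts file and separate stock content from what the sample added. The following Python helper is an added example, not code from the report or from the sample: it parses hosts-file syntax (comments, tabs, several names per line, IPv6) and flags entries that do not belong to the stock Windows file. The SAMPLE_HOSTS text and the hostnames in it are constructed for the example.

```python
"""Hosts-file triage, added as an example (not part of the sandbox report).
Given the text of C:\\Windows\\System32\\drivers\\etc\\hosts, it returns the
entries that do not belong to the stock Windows file: any name mapped to a
non-loopback address (traffic redirection) and any non-stock name mapped to
loopback or 0.0.0.0 (sinkholing, e.g. of update or AV hosts).
The SAMPLE_HOSTS text below is constructed; its two injected lines and their
hostnames are this example's own, not data from the report."""

import ipaddress
from typing import List, NamedTuple


class HostsEntry(NamedTuple):
    line_no: int
    address: str
    names: List[str]


# Names the stock Windows hosts file maps (to loopback only).
STOCK_LOOPBACK_NAMES = {"localhost"}


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse '<address> <name> [<name> ...] [# comment]' lines; skip blanks, comments and junk."""
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # drop trailing comment
        fields = line.split()
        if len(fields) < 2:
            continue                                   # blank, comment-only, or address with no name
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                   # first field is not an IP address
        entries.append(HostsEntry(line_no, fields[0], [f.lower() for f in fields[1:]]))
    return entries


def suspicious_entries(text: str) -> List[HostsEntry]:
    """Entries that redirect a name elsewhere or sinkhole a name the stock file never touches."""
    flagged: List[HostsEntry] = []
    for entry in parse_hosts(text):
        addr = ipaddress.ip_address(entry.address)
        if addr.is_loopback or addr.is_unspecified:
            # loopback / 0.0.0.0 is only legitimate for the stock names
            if any(name not in STOCK_LOOPBACK_NAMES for name in entry.names):
                flagged.append(entry)
        else:
            flagged.append(entry)                      # pinned to a real address: redirection
    return flagged


# Constructed sample: the stock Windows hosts file plus two injected lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 localhost
::1 localhost
203.0.113.10 www.example-search.test   # constructed: search site redirected to a hostile address
127.0.0.1 update.example-av.test       # constructed: update host sinkholed
"""

if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {e.line_no}: {e.address} -> {', '.join(e.names)}")
```

On a real host, pass the file contents (read with `errors="replace"`, since tampered hosts files are sometimes written in odd encodings) to `suspicious_entries` and compare the flagged lines against the change time of the file.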
Deletes itself 1 IoCs
Processes:
PID: 2668; Process: cmd.exe
This is the cmd.exe instance that runs t4nk.bat (see Processes). The batch file (225B, hashed under Downloads) is not shown in the report, so the delete command it carries is implied by the signature rather than visible here.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 IoCs
Processes:
Description: Key created; IOC: \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\SOFTWARE\Microsoft\Internet Explorer\Main; Process: reg.exe
Modifies Internet Explorer start page 1 TTPs 1 IoCs
Processes:
Description: Set value (str); IOC: \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\start page = "www.hao123.cn"; Process: reg.exe
The value is written under the sandbox user's hive (HKCU), so the hijack is per-user, and it is done with a plain reg add whose arguments appear in the command line (see Processes), which makes it straightforward to catch with process command-line logging.
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Description: Token; PID: 2092; Process: 19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe; Token: SeSystemtimePrivilege (2 entries)
SeSystemtimePrivilege permits changing the system clock; the report shows the privilege being adjusted on the token of PID 2092, not a clock change itself.
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
- PID 2092 (19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe) wrote to memory of PID 2164 (cmd.exe): 4 entries
- PID 2164 (cmd.exe) wrote to memory of PID 2612 (reg.exe): 4 entries
- PID 2092 (19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe) wrote to memory of PID 2668 (cmd.exe): 4 entries
These three pairs are exactly the three parent/child launches in the process tree. Writes into a freshly created child are part of process start-up, so on their own they are not evidence of code injection into an unrelated process.
Processes
-
C:\Users\Admin\AppData\Local\Temp\19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe (depth 1, PID 2092)
Command line: "C:\Users\Admin\AppData\Local\Temp\19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe"
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2164)
  Command line: cmd.exe /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main" /v "start page" /t REG_SZ /d www.hao123.cn /f
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 2612)
    Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main" /v "start page" /t REG_SZ /d www.hao123.cn /f
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
  -
  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2668)
  Command line: cmd /c t4nk.bat
  - Deletes itself
PIDs are taken from the signature rows above. Both cmd.exe instances and reg.exe run from SysWOW64, so the 44KB sample is a 32-bit process under WOW64 on this x64 image (System32 is redirected to SysWOW64 for 32-bit callers), consistent with the arch:x86 resource tag. The batch file is launched by bare name, so it is resolved relative to the sample's working directory in Temp, where the Downloads section shows it was dropped.
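The two chains in this tree (a Temp-resident executable spawning cmd.exe to run `reg add` on the IE start page, and the same parent spawning `cmd /c <name>.bat`) are what a process-creation detection should key on. The Python below is an added example, not code from the report or from any sandbox: it runs that logic over a list of events constructed from this report's tree. The event field names (pid, ppid, image, cmdline) and the root ppid of 0 are this example's own conventions, not Sysmon's or the sandbox's.

```python
"""Detection logic over process-creation events, added as an example (not part
of the sandbox report). EVENTS is constructed from the report's process tree;
the field names (pid, ppid, image, cmdline) and the root ppid of 0 are this
example's own, not Sysmon's or the sandbox's. Two chains are flagged: reg.exe
rewriting the Internet Explorer start page, and a Temp-resident executable
launching cmd.exe on a batch file (the self-delete pattern)."""

import ntpath
from typing import Any, Dict, List, Optional, Tuple

Event = Dict[str, Any]

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe"
IE_REG_ADD = (r'reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main" '
              r'/v "start page" /t REG_SZ /d www.hao123.cn /f')

# Constructed events mirroring the report's tree (PIDs taken from the signature rows).
EVENTS: List[Event] = [
    {"pid": 2092, "ppid": 0, "image": SAMPLE_EXE, "cmdline": f'"{SAMPLE_EXE}"'},
    {"pid": 2164, "ppid": 2092, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd.exe /C " + IE_REG_ADD},
    {"pid": 2612, "ppid": 2164, "image": r"C:\Windows\SysWOW64\reg.exe", "cmdline": IE_REG_ADD},
    {"pid": 2668, "ppid": 2092, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd /c t4nk.bat"},
]


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes.
    Backslashes are ordinary characters (path separators, not escapes)."""
    tokens: List[str] = []
    cur: List[str] = []
    quoted = False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def _option(tokens: List[str], flag: str) -> Optional[str]:
    """Value following a reg.exe switch such as /v or /d (switches are case-insensitive)."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == flag:
            return tokens[i + 1]
    return None


def _basename(ev: Event) -> str:
    return ntpath.basename(ev["image"]).lower()


def ie_start_page_hijacks(events: List[Event]) -> List[Tuple[int, str]]:
    """(pid, new start page) for every reg.exe that sets IE's 'start page' value."""
    hits: List[Tuple[int, str]] = []
    for ev in events:
        if _basename(ev) != "reg.exe":
            continue
        toks = split_cmdline(ev["cmdline"])
        if len(toks) < 3 or toks[1].lower() != "add":
            continue
        if not toks[2].lower().endswith(r"\software\microsoft\internet explorer\main"):
            continue
        name, data = _option(toks, "/v"), _option(toks, "/d")
        if name is not None and name.lower() == "start page":
            hits.append((ev["pid"], data or ""))
    return hits


def temp_batch_launches(events: List[Event]) -> List[Tuple[int, int, str]]:
    """(parent pid, cmd pid, batch name) where a parent living under a user's
    AppData\\Local\\Temp runs 'cmd /c <file>.bat'."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits: List[Tuple[int, int, str]] = []
    for ev in events:
        if _basename(ev) != "cmd.exe":
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is None or "\\appdata\\local\\temp\\" not in parent["image"].lower():
            continue
        toks = [t.lower() for t in split_cmdline(ev["cmdline"])]
        if "/c" in toks:
            i = toks.index("/c")
            if i + 1 < len(toks) and toks[i + 1].endswith(".bat"):
                hits.append((parent["pid"], ev["pid"], toks[i + 1]))
    return hits


def ancestry(events: List[Event], pid: int) -> List[str]:
    """Lower-cased image basenames from the root of the tree down to pid."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain: List[str] = []
    while pid in by_pid:
        chain.append(_basename(by_pid[pid]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for pid, page in ie_start_page_hijacks(EVENTS):
        print(f"IE start page set to {page!r} by PID {pid}: {' > '.join(ancestry(EVENTS, pid))}")
    for ppid, pid, bat in temp_batch_launches(EVENTS):
        print(f"Temp-resident PID {ppid} ran {bat} via cmd.exe PID {pid}")
```

The command-line splitter is deliberately not `shlex`: Windows paths are full of backslashes, and a POSIX tokenizer would eat them. With Sysmon event ID 1 or the equivalent EDR telemetry, the same functions apply once each record is mapped onto the four fields used here.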
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\t4nk.bat
Filesize: 225B
MD5: eb92d19e767e89b8cb2d0b7b834c4bcb
SHA1: 5268f1debd4cb0390d0b6f476cf1da774cfe78f4
SHA256: 0a5c60ee6c25d835380c2efa49d268ca07184b2de7251b62c79adb84632e8a05
SHA512: c5883c131653a3180749de5de8f4210ed1076d5016f5656e3293ef58b67f5b4e1e2e9e45a2fbc517626b7ee2dd64d298d1a0fc5034b07e34e0c5e267f6106fdd
-
memory/2092-14-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB