Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-06-2024 11:13

Static task: static1
Behavioral task: behavioral1
  Sample: 19e81e0a521ec0ce0608cd855796512c_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 19e81e0a521ec0ce0608cd855796512c_JaffaCakes118.exe
  Resource: win10v2004-20240611-en

General
Target: 19e81e0a521ec0ce0608cd855796512c_JaffaCakes118.exe
Size: 51KB
MD5: 19e81e0a521ec0ce0608cd855796512c
SHA1: e403727a1d0b1eae0a697142b55dcb621f8539fe
SHA256: d6346d093c870ad5274cb12973792c096acbefc5be33974039a5eaa2f922670d
SHA512: 48ce49918781247f351ab60e041c681c94e64eacd4520c38d4ba9fc59240f2bb4cddc136818ef516f9bd370ab16084eb91749eabde209404212c1b63a4d8a486
SSDEEP: 768:u+9LZQAX5ZPpO/5eR6N+Nw6bDr9+JGDO9iX8OSuLDIjBN8LOPMJafST2rs4Kjag4:V3Z6N+NTb/cGVSQ0b8LOPMJNEshjN4
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 2 IoCs
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/1412-11-0x0000000000400000-0x000000000041A000-memory.dmp  modiloader_stage2
  behavioral2/memory/1412-16-0x0000000000400000-0x000000000041A000-memory.dmp  modiloader_stage2
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                    process
  Key value queried  \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation   19e81e0a521ec0ce0608cd855796512c_JaffaCakes118.exe
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  1412  WinUpdate.exe
  2260  Setup.txt
UPX packed file 3 IoCs
Processes:
  resource                                                                     yara_rule
  C:\Windows\SysWOW64\WINUPDATE.EXE                                            upx
  behavioral2/memory/1412-11-0x0000000000400000-0x000000000041A000-memory.dmp  upx
  behavioral2/memory/1412-16-0x0000000000400000-0x000000000041A000-memory.dmp  upx
Drops file in System32 directory 6 IoCs
Processes:
  description                   ioc                                 process
  File created                  C:\Windows\SysWOW64\RESTART.EXE     19e81e0a521ec0ce0608cd855796512c_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\SHELLSETUP.DLL  19e81e0a521ec0ce0608cd855796512c_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\WINUPDATE.EXE   19e81e0a521ec0ce0608cd855796512c_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\ShellSetup.dll  WinUpdate.exe
  File created                  C:\Windows\SysWOW64\Trojan.exe      WinUpdate.exe
  File created                  C:\Windows\SysWOW64\Setup.txt       WinUpdate.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                          pid   process    target pid  target process
  PID 2260 set thread context of 3252  2260  Setup.txt  3252        Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process        count
  1412  WinUpdate.exe  64 (every one of the 64 IoCs is this single process)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description      pid   process                                              target pid  target process  count
  wrote to memory  4524  19e81e0a521ec0ce0608cd855796512c_JaffaCakes118.exe  1412        WinUpdate.exe   3
  wrote to memory  1412  WinUpdate.exe                                        3588        cmd.exe         3
  wrote to memory  3588  cmd.exe                                              2260        Setup.txt       3
  wrote to memory  2260  Setup.txt                                            3252        Explorer.EXE    3
Each parent/child pair is recorded three times in the original listing (12 IoCs in total). The first three rows are a parent writing into a child it has just created; the last row is different in kind: Explorer.EXE (PID 3252) is the pre-existing desktop shell at the root of the process tree, so writes into it, together with the SetThreadContext call above, are the injection step.
Processes
C:\Windows\Explorer.EXE (PID 3252, level 1)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\19e81e0a521ec0ce0608cd855796512c_JaffaCakes118.exe (PID 4524, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\19e81e0a521ec0ce0608cd855796512c_JaffaCakes118.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WinUpdate.exe (PID 1412, level 3)
      command line: "C:\Windows\system32\WinUpdate.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 3588, level 4)
        command line: cmd.exe /c C:\Windows\system32\Setup.txt
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Setup.txt (PID 2260, level 5)
          command line: C:\Windows\system32\Setup.txt
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
PIDs are taken from the WriteProcessMemory and SetThreadContext signatures. The command lines name C:\Windows\system32 while the image paths are under C:\Windows\SysWOW64: these are 32-bit processes, so WoW64 file system redirection maps their system32 accesses to SysWOW64, which is also why the dropped files land there. Setup.txt runs as a process of its own despite its extension because CreateProcess loads any valid PE image regardless of the file name.
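The chain above (sample drops binaries into SysWOW64, launches one of them, runs a PE named Setup.txt through cmd.exe, and that process sets a thread context in Explorer.EXE) is the kind of sequence a detection pipeline should be able to reconstruct from endpoint events. The block below is an added example, not part of the sandbox report or of any vendor tooling: it runs four rules over a constructed event list modelled on the report (PIDs 4524, 1412, 3588, 2260, 3252 and the paths shown). The Event field names, the EVENTS list and the rule names are assumptions made for the example.

```python
"""Detection pass over constructed sandbox-style events (added example)."""
import ntpath
from dataclasses import dataclass

EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
GEO_KEY_SUFFIX = "\\control panel\\international\\geo\\nation"


@dataclass
class Event:
    kind: str            # process | file_create | set_thread_context | reg_query
    pid: int             # acting process
    image: str           # image path of the acting process
    target: str = ""     # child image, created file, target image or registry key
    cmdline: str = ""
    target_pid: int = 0


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\19e81e0a521ec0ce0608cd855796512c_JaffaCakes118.exe"
WINUPDATE = r"C:\Windows\SysWOW64\WinUpdate.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SETUP = r"C:\Windows\SysWOW64\Setup.txt"

# Constructed events modelled on the report's behaviour section (assumed format).
EVENTS = [
    Event("reg_query", 4524, SAMPLE,
          target=r"\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation"),
    Event("file_create", 4524, SAMPLE, target=r"C:\Windows\SysWOW64\RESTART.EXE"),
    Event("file_create", 4524, SAMPLE, target=r"C:\Windows\SysWOW64\SHELLSETUP.DLL"),
    Event("file_create", 4524, SAMPLE, target=r"C:\Windows\SysWOW64\WINUPDATE.EXE"),
    Event("process", 4524, SAMPLE, target=WINUPDATE,
          cmdline=r'"C:\Windows\system32\WinUpdate.exe"', target_pid=1412),
    Event("file_create", 1412, WINUPDATE, target=r"C:\Windows\SysWOW64\Trojan.exe"),
    Event("file_create", 1412, WINUPDATE, target=SETUP),
    Event("process", 1412, WINUPDATE, target=CMD,
          cmdline=r"cmd.exe /c C:\Windows\system32\Setup.txt", target_pid=3588),
    Event("process", 3588, CMD, target=SETUP,
          cmdline=r"C:\Windows\system32\Setup.txt", target_pid=2260),
    Event("set_thread_context", 2260, SETUP, target=r"C:\Windows\Explorer.EXE", target_pid=3252),
]


def _norm(path: str) -> str:
    # Case-insensitive compare: the report records the same file as
    # WINUPDATE.EXE at creation and WinUpdate.exe at execution.
    return path.lower()


def _in_system_dir(path: str) -> bool:
    return _norm(path).startswith(SYSTEM_DIRS)


def detect(events):
    """Return findings as dicts with keys rule, pid, detail."""
    findings = []
    dropped = {}  # normalised path -> pid of the process that created it

    for ev in events:
        if ev.kind == "reg_query" and _norm(ev.target).endswith(GEO_KEY_SUFFIX):
            findings.append({"rule": "geo_check", "pid": ev.pid,
                             "detail": f"{ntpath.basename(ev.image)} read Geo\\Nation"})

        elif ev.kind == "file_create":
            dropped[_norm(ev.target)] = ev.pid
            # A process running outside the system directories writing into them.
            if _in_system_dir(ev.target) and not _in_system_dir(ev.image):
                findings.append({"rule": "drop_to_system_dir", "pid": ev.pid,
                                 "detail": f"{ntpath.basename(ev.image)} created {ev.target}"})

        elif ev.kind == "process":
            # CreateProcess does not care about the extension; a PE named .txt still runs.
            ext = ntpath.splitext(ev.target)[1].lower()
            if ext not in EXEC_EXTS:
                findings.append({"rule": "non_exec_extension_launched", "pid": ev.target_pid,
                                 "detail": f"{ev.target} via {ev.cmdline}"})
            # Drop-and-execute correlation against files seen earlier in the stream.
            if _norm(ev.target) in dropped:
                creator = dropped[_norm(ev.target)]
                findings.append({"rule": "dropped_file_executed", "pid": ev.target_pid,
                                 "detail": f"{ev.target} dropped by pid {creator}"})

        elif ev.kind == "set_thread_context" and ev.target_pid != ev.pid:
            # Thread context changed in another process: hijack/injection pattern.
            findings.append({"rule": "remote_thread_context", "pid": ev.pid,
                             "detail": f"{ntpath.basename(ev.image)} -> {ev.target} (pid {ev.target_pid})"})
    return findings


def rules_fired(events):
    return sorted({f["rule"] for f in detect(events)})


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f'{f["rule"]:28} pid={f["pid"]:<5} {f["detail"]}')
```

The drop-and-execute correlation is the rule that ties the chain together: WINUPDATE.EXE and Setup.txt are both flagged because the process that executes them appears after the file_create event from another process in the same stream. Paths are compared after lower-casing, and both creation and execution records already carry the SysWOW64 path, so the system32 alias in the command lines does not have to be resolved here; a real pipeline fed raw command lines would need to apply the WoW64 redirection itself.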
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Windows\SysWOW64\Setup.txt
  Filesize: 7KB
  MD5: 0d2c318ab5f5968488d6dc742249f129
  SHA1: e4e9cc5fb7fc530d752bca73136cb6e6e95bcb98
  SHA256: 297cbbae4b1327bc56bcdacf4abcf1a1332d62d78fb1c93d4914e9e91f9443a9
  SHA512: f40c437ec59ceb921e31c3f4a3aa28ba7f9fef750218532766e8f5ec3755567050b8583383837bca1bd8c220c147cf23dc846571f535b0a8ef6b2f350205952a
-
C:\Windows\SysWOW64\ShellSetup.dll
  Filesize: 7KB
  MD5: eeec4fdf33ecb2552d1ec36b069244f5
  SHA1: 34bb12c013988b3f73e231626cc86d36e12cd17a
  SHA256: 07de02f48c2d00e13024dc3b41fda352c1aacc64b71472675091c5d07fb060c2
  SHA512: 4c3127b486a2c6a9db4911dd21e3cb7565b36ad83b8b54abb47f947dde1844c56f074427cfbae8f22bd85d49bb1adf89df9f596c57c64603098db0aa1117b5fc
-
C:\Windows\SysWOW64\WINUPDATE.EXE
  Filesize: 31KB
  MD5: d89838b3fdfd2392dc8a55a8dc6d791f
  SHA1: 812c542860b05c1e5068b01cb91b3a1d0b99d931
  SHA256: a8ddd8798ca355a82c3262fd8c7e9e15e2506b45f5dcb41117a981fe3b9bd8cf
  SHA512: 03ee1421940bf90baa21e36b8371181ea49c0be3ac0f1cace5769d75910d5579aa934444d5defa7120d32ffb82f7de5ad0e980195a37f7217d3225e3a0263bab
-
memory/1412-11-0x0000000000400000-0x000000000041A000-memory.dmp
  Filesize: 104KB
-
memory/1412-16-0x0000000000400000-0x000000000041A000-memory.dmp
  Filesize: 104KB
-
memory/2260-20-0x0000000000400000-0x0000000000404000-memory.dmp
  Filesize: 16KB
-
memory/2260-21-0x0000000000400000-0x0000000000404000-memory.dmp
  Filesize: 16KB
-
memory/4524-9-0x0000000000400000-0x0000000000413000-memory.dmp
  Filesize: 76KB