Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 07:50
Static task
- static1
Behavioral task
- behavioral1
  Sample: 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task
- behavioral2
  Sample: 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
- Size: 282KB
- MD5: 1a7f966efc28f7db47e99f4cad688a5e
- SHA1: 315556a44bf5937cb4c031c06e733cd0ea87b475
- SHA256: 660ba8f32c96a618aa9e8ee472a742564a0dd02d4dc1ce4131dfc36ab1a52c0c
- SHA512: 32af17f6157c2523160691f06299ccd6c670f03ffac01eac57c1f398eb04b8b7452889df9704a7089382a0bd6112c100f0d3dbe0c5f5cbe6e4e4c18f64afb048
- SSDEEP: 6144:h8X1kpAxaXKXKwg0Uop6e+EGGB7JolHqN3x6km0r:il0AxaX/if6BocHY3r
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (7 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/2908-13-0x0000000000400000-0x000000000054E4EC-memory.dmp | modiloader_stage2
    behavioral1/memory/3060-23-0x0000000000400000-0x000000000054E4EC-memory.dmp | modiloader_stage2
    behavioral1/memory/2908-19-0x00000000030D0000-0x000000000321F000-memory.dmp | modiloader_stage2
    behavioral1/memory/3060-27-0x0000000000400000-0x000000000054E4EC-memory.dmp | modiloader_stage2
    behavioral1/memory/2908-34-0x0000000000400000-0x000000000054E4EC-memory.dmp | modiloader_stage2
    behavioral1/memory/3060-36-0x0000000000400000-0x000000000054E4EC-memory.dmp | modiloader_stage2
    behavioral1/memory/2908-44-0x0000000000400000-0x000000000054E4EC-memory.dmp | modiloader_stage2
- Deletes itself (1 IoC)
  Processes: cmd.exe
    pid | process
    2720 | cmd.exe
- Executes dropped EXE (1 IoC)
  Processes: re101.exe
    pid | process
    3060 | re101.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    description | ioc | process
    File opened (read-only) | \??\T: | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened (read-only) | \??\Y: | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened (read-only) | \??\B: | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened (read-only) | \??\K: | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened (read-only) | \??\L: | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened (read-only) | \??\O: | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened (read-only) | \??\R: | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened (read-only) | \??\S: | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened (read-only) | \??\G: | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened (read-only) | \??\P: | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened (read-only) | \??\W: | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened (read-only) | \??\U: | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened (read-only) | \??\V: | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened (read-only) | \??\A: | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened (read-only) | \??\E: | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened (read-only) | \??\H: | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened (read-only) | \??\I: | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened (read-only) | \??\J: | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened (read-only) | \??\N: | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened (read-only) | \??\Z: | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened (read-only) | \??\M: | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened (read-only) | \??\Q: | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened (read-only) | \??\X: | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
- Drops autorun.inf file (1 TTP, 4 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  Processes: 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    description | ioc | process
    File created | C:\AutoRun.inf | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened for modification | C:\AutoRun.inf | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File created | F:\AutoRun.inf | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened for modification | F:\AutoRun.inf | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
- Drops file in System32 directory (2 IoCs)
  Processes: re101.exe
    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\_re101.exe | re101.exe
    File created | C:\Windows\SysWOW64\_re101.exe | re101.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: re101.exe
    description | pid | process | target process
    PID 3060 set thread context of 2712 | 3060 | re101.exe | osk.exe
- Drops file in Windows directory (3 IoCs)
  Processes: 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    description | ioc | process
    File created | C:\Windows\re101.exe | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File opened for modification | C:\Windows\re101.exe | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
    File created | C:\Windows\DelSvel.bat | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
- Event Triggered Execution: Accessibility Features (1 TTP)
  Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
- Program crash (1 IoC)
  Processes: WerFault.exe
    pid | pid_target | process | target process
    2792 | 3060 | WerFault.exe | re101.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe, re101.exe
    description | pid | process | target process
    PID 2908 wrote to memory of 3060 | 2908 | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe | re101.exe
    PID 2908 wrote to memory of 3060 | 2908 | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe | re101.exe
    PID 2908 wrote to memory of 3060 | 2908 | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe | re101.exe
    PID 2908 wrote to memory of 3060 | 2908 | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe | re101.exe
    PID 3060 wrote to memory of 2712 | 3060 | re101.exe | osk.exe
    PID 3060 wrote to memory of 2712 | 3060 | re101.exe | osk.exe
    PID 3060 wrote to memory of 2712 | 3060 | re101.exe | osk.exe
    PID 3060 wrote to memory of 2712 | 3060 | re101.exe | osk.exe
    PID 3060 wrote to memory of 2712 | 3060 | re101.exe | osk.exe
    PID 3060 wrote to memory of 2712 | 3060 | re101.exe | osk.exe
    PID 3060 wrote to memory of 2792 | 3060 | re101.exe | WerFault.exe
    PID 3060 wrote to memory of 2792 | 3060 | re101.exe | WerFault.exe
    PID 3060 wrote to memory of 2792 | 3060 | re101.exe | WerFault.exe
    PID 3060 wrote to memory of 2792 | 3060 | re101.exe | WerFault.exe
    PID 2908 wrote to memory of 2720 | 2908 | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe | cmd.exe
    PID 2908 wrote to memory of 2720 | 2908 | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe | cmd.exe
    PID 2908 wrote to memory of 2720 | 2908 | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe | cmd.exe
    PID 2908 wrote to memory of 2720 | 2908 | 1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe | cmd.exe
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe"
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - [level 2] C:\Windows\re101.exe
    Command line: C:\Windows\re101.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [level 3] C:\Windows\SysWOW64\osk.exe
      Command line: "C:\Windows\system32\osk.exe"
    - [level 3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 280
      - Program crash
  - [level 2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\DelSvel.bat
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\DelSvel.bat
  Filesize: 212B
  MD5: c952f506817ab0a64ccb7f5318ef451e
  SHA1: a0d41cbfbb6195a612b0fd8f22b336399c0b3e16
  SHA256: cbd55ed4294429cd13699aed7ef7dfdd77f81c6751c928afb65738813cc0a088
  SHA512: b0f4836976b46b8cb6f93c07064a516d5a22a89616c74bb6efd99a5351be5feeebf8d5f1d8dece4474b4ff033d568ac26f35bcab3ea4e278441c77a4e1bbb3de
- F:\re101.exe
  Filesize: 282KB
  MD5: 1a7f966efc28f7db47e99f4cad688a5e
  SHA1: 315556a44bf5937cb4c031c06e733cd0ea87b475
  SHA256: 660ba8f32c96a618aa9e8ee472a742564a0dd02d4dc1ce4131dfc36ab1a52c0c
  SHA512: 32af17f6157c2523160691f06299ccd6c670f03ffac01eac57c1f398eb04b8b7452889df9704a7089382a0bd6112c100f0d3dbe0c5f5cbe6e4e4c18f64afb048
- memory/2712-32-0x0000000000400000-0x000000000054F000-memory.dmp
  Filesize: 1.3MB
- memory/2712-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
- memory/2908-0-0x0000000000400000-0x000000000054E4EC-memory.dmp
  Filesize: 1.3MB
- memory/2908-35-0x000000000054B000-0x000000000054D000-memory.dmp
  Filesize: 8KB
- memory/2908-44-0x0000000000400000-0x000000000054E4EC-memory.dmp
  Filesize: 1.3MB
- memory/2908-1-0x000000000054B000-0x000000000054D000-memory.dmp
  Filesize: 8KB
- memory/2908-20-0x00000000030D0000-0x000000000321F000-memory.dmp
  Filesize: 1.3MB
- memory/2908-19-0x00000000030D0000-0x000000000321F000-memory.dmp
  Filesize: 1.3MB
- memory/2908-2-0x0000000000400000-0x000000000054E4EC-memory.dmp
  Filesize: 1.3MB
- memory/2908-34-0x0000000000400000-0x000000000054E4EC-memory.dmp
  Filesize: 1.3MB
- memory/2908-13-0x0000000000400000-0x000000000054E4EC-memory.dmp
  Filesize: 1.3MB
- memory/3060-27-0x0000000000400000-0x000000000054E4EC-memory.dmp
  Filesize: 1.3MB
- memory/3060-23-0x0000000000400000-0x000000000054E4EC-memory.dmp
  Filesize: 1.3MB
- memory/3060-36-0x0000000000400000-0x000000000054E4EC-memory.dmp
  Filesize: 1.3MB
- memory/3060-21-0x0000000000400000-0x000000000054E4EC-memory.dmp
  Filesize: 1.3MB
- memory/3060-22-0x0000000000400000-0x000000000054E4EC-memory.dmp
  Filesize: 1.3MB