Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
01-07-2024 13:05
General
-
Target
1b68c1b28122776e25be7d01e29aba23_JaffaCakes118.exe
-
Size
449KB
-
MD5
1b68c1b28122776e25be7d01e29aba23
-
SHA1
aa865b99291d7630910ece3f956d32fec2626d85
-
SHA256
dcadfd906850de7d6c5574d66fbef10485fdaa84429e7fb974f24cf0e9170a66
-
SHA512
20f10c29a5a3ce56f4989cb946c1deb973f25a9c235f605999981cdf00c5b6d7b419b519c02bd3dee1df93513b996ba2b8ab491a3642c56f26cdfdf2dbbf35cb
-
SSDEEP
12288:RMAOOl1nD7UHf5Zm46GByHmYetaIEWYRB3lpov:RrXncHf5k46MYmRaTWYdpo
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 13 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 5 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Program crash 1 IoCs
-
Modifies registry class 6 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1b68c1b28122776e25be7d01e29aba23_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1b68c1b28122776e25be7d01e29aba23_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops autorun.inf file
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice46.exe"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice46.exe"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\system32\calc.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 3043⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""2⤵
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\SgotoDel.batFilesize
212B
MD5e0460ce329af17c683546941917cc090
SHA1f65f3356ee64143e0e1c9b408e968916f98f44a7
SHA25637324d2f6dce7366401c80e8d209986abfec1ebd7702e0774a4023c7d9a5d5fa
SHA5124407a1c33ebef1cc89a45b8feb26e9384387c4cc0dee5b6693b85aba48b8220c5f7b294daf8a4a91022197562d4323cdaa94acb30ceb2bd8c47ade4cb47086f4
-
F:\rejoice46.exeFilesize
449KB
MD51b68c1b28122776e25be7d01e29aba23
SHA1aa865b99291d7630910ece3f956d32fec2626d85
SHA256dcadfd906850de7d6c5574d66fbef10485fdaa84429e7fb974f24cf0e9170a66
SHA51220f10c29a5a3ce56f4989cb946c1deb973f25a9c235f605999981cdf00c5b6d7b419b519c02bd3dee1df93513b996ba2b8ab491a3642c56f26cdfdf2dbbf35cb
-
memory/1856-28-0x00000000037B0000-0x0000000003902000-memory.dmpFilesize
1.3MB
-
memory/1856-55-0x0000000000401000-0x00000000004E1000-memory.dmpFilesize
896KB
-
memory/1856-1-0x0000000000400000-0x0000000000551500-memory.dmpFilesize
1.3MB
-
memory/1856-17-0x0000000000400000-0x0000000000551500-memory.dmpFilesize
1.3MB
-
memory/1856-18-0x0000000000400000-0x0000000000551500-memory.dmpFilesize
1.3MB
-
memory/1856-3-0x0000000000400000-0x0000000000551500-memory.dmpFilesize
1.3MB
-
memory/1856-5-0x0000000000400000-0x0000000000551500-memory.dmpFilesize
1.3MB
-
memory/1856-19-0x0000000000400000-0x0000000000551500-memory.dmpFilesize
1.3MB
-
memory/1856-27-0x0000000000400000-0x0000000000551500-memory.dmpFilesize
1.3MB
-
memory/1856-54-0x0000000000400000-0x0000000000551500-memory.dmpFilesize
1.3MB
-
memory/1856-6-0x0000000000400000-0x0000000000551500-memory.dmpFilesize
1.3MB
-
memory/1856-4-0x0000000000400000-0x0000000000551500-memory.dmpFilesize
1.3MB
-
memory/1856-2-0x0000000000401000-0x00000000004E1000-memory.dmpFilesize
896KB
-
memory/1856-34-0x00000000037B0000-0x0000000003902000-memory.dmpFilesize
1.3MB
-
memory/1856-45-0x00000000037B0000-0x0000000003902000-memory.dmpFilesize
1.3MB
-
memory/1856-44-0x0000000000401000-0x00000000004E1000-memory.dmpFilesize
896KB
-
memory/2412-46-0x0000000000400000-0x0000000000551500-memory.dmpFilesize
1.3MB
-
memory/2412-29-0x0000000000400000-0x0000000000551500-memory.dmpFilesize
1.3MB
-
memory/2412-35-0x0000000000400000-0x0000000000551500-memory.dmpFilesize
1.3MB
-
memory/2412-33-0x0000000000400000-0x0000000000551500-memory.dmpFilesize
1.3MB
-
memory/3000-39-0x0000000000400000-0x0000000000552000-memory.dmpFilesize
1.3MB
-
memory/3000-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/3000-37-0x0000000000400000-0x0000000000552000-memory.dmpFilesize
1.3MB