Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
- submitted: 01-07-2024 14:47
Behavioral task: behavioral1
- Sample: 1bb53a0474ca84455096ced24df6e27e_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 1bb53a0474ca84455096ced24df6e27e_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 1bb53a0474ca84455096ced24df6e27e_JaffaCakes118.exe
- Size: 395KB
- MD5: 1bb53a0474ca84455096ced24df6e27e
- SHA1: 39d6ba87aa3ddda458422054d0ada4a0b05c7156
- SHA256: 75faf0f399d54ca80a73cdf19668db270044b2f0397e8236de3064bc7d81c5aa
- SHA512: 092ae628a13925220c85e395a0d9dc56197478e156fb52a80babeccc3e369d18cb6377bf49fced35d6a4d8daef16748077bc852e7ae241a99826f3ba7116a722
- SSDEEP: 6144:TCBljPlNn6RVwHsA6nIRmxy9XZj6Lv0BUwuLNYafwsU3yylogJCcmFsluASMw2K1:GB5Pr6MFBXsQBUws+WU3dlo4CcmGXKe
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi-based loader that abuses legitimate cloud services to download other malware families.
- ModiLoader Second Stage 4 IoCs
  Processes (resource / yara_rule):
  \Users\Admin\AppData\Local\Temp\IXP000.TMP\SX_SER~1.EXE / modiloader_stage2
  behavioral1/memory/2936-8-0x0000000000D40000-0x0000000000E00000-memory.dmp / modiloader_stage2
  behavioral1/memory/3036-11-0x0000000000400000-0x00000000004BF400-memory.dmp / modiloader_stage2
  behavioral1/memory/3036-15-0x0000000000400000-0x00000000004BF400-memory.dmp / modiloader_stage2
- Executes dropped EXE 1 IoCs
  Processes (pid / process):
  3036 / SX_SER~1.EXE
- Loads dropped DLL 2 IoCs
  Processes (pid / process):
  2936 / 1bb53a0474ca84455096ced24df6e27e_JaffaCakes118.exe
  3036 / SX_SER~1.EXE
- VMProtect packed file 3 IoCs
  Processes (resource / yara_rule):
  behavioral1/memory/2936-0-0x0000000001000000-0x00000000010C4000-memory.dmp / vmprotect
  behavioral1/memory/2936-2-0x0000000001000000-0x00000000010C4000-memory.dmp / vmprotect
  behavioral1/memory/2936-16-0x0000000001000000-0x00000000010C4000-memory.dmp / vmprotect
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes (description / ioc / process):
  Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" / 1bb53a0474ca84455096ced24df6e27e_JaffaCakes118.exe
  Note: the value name wextract_cleanup0, the IXP000.TMP directory and advpack.dll,DelNodeRunDLL32 are the standard cleanup stub that an IExpress/wextract self-extracting package registers to delete its temp directory at next logon; it is evidence that the sample is an IExpress package, not an autostart for the payload.
- Drops file in Program Files directory 1 IoCs
  Processes (description / ioc / process):
  File created / C:\Program Files\Common Files\Microsoft Shared\MSINFO\2010.txt / SX_SER~1.EXE
- Suspicious use of WriteProcessMemory 14 IoCs
  Processes (description / pid / process / target process):
  PID 2936 wrote to memory of 3036 / 2936 / 1bb53a0474ca84455096ced24df6e27e_JaffaCakes118.exe / SX_SER~1.EXE (7 events)
  PID 3036 wrote to memory of 2624 / 3036 / SX_SER~1.EXE / IEXPLORE.EXE (7 events)
Processes
- 1: C:\Users\Admin\AppData\Local\Temp\1bb53a0474ca84455096ced24df6e27e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1bb53a0474ca84455096ced24df6e27e_JaffaCakes118.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - 2 (child of 1): C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SX_SER~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SX_SER~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - 3 (child of 2): C:\program files\internet explorer\IEXPLORE.EXE
      Command line: "C:\program files\internet explorer\IEXPLORE.EXE"
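The process tree above is the classic shape of an IExpress-packaged loader: the outer self-extractor unpacks to %TEMP%\IXPnnn.TMP, runs the dropped second stage, and that stage writes into a freshly spawned browser process. The script below is an added example (not part of this sandbox report and not the analysed malware's code) showing how to turn that shape into detection logic over parsed process, registry and memory-write events. The event records are constructed to mirror the PIDs and paths in this report; the parent PID 1234, the benign "Updater" RunOnce entry, the fixed three-digit IXP counter and the set of injection target processes are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry modelled on this report's process tree and IoCs.
# It is NOT the sandbox's own output. PID 1234 and the "Updater" RunOnce entry
# are assumptions added for contrast.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process_create", "pid": "2936", "ppid": "1234",
     "image": r"C:\Users\Admin\AppData\Local\Temp\1bb53a0474ca84455096ced24df6e27e_JaffaCakes118.exe"},
    {"type": "registry_set", "pid": "2936",
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "value": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'},
    {"type": "process_create", "pid": "3036", "ppid": "2936",
     "image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SX_SER~1.EXE"},
    {"type": "process_create", "pid": "2624", "ppid": "3036",
     "image": r"C:\program files\internet explorer\IEXPLORE.EXE"},
    {"type": "write_process_memory", "pid": "3036", "target_pid": "2624"},
    {"type": "registry_set", "pid": "4444",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Updater",
     "value": r'"C:\Program Files\Vendor\update.exe" /silent'},
]

# IExpress/wextract self-extractors unpack into %TEMP%\IXPnnn.TMP\ (assumed 3-digit counter).
IEXPRESS_TEMP_RE = re.compile(r"\\Temp\\IXP\d{3}\.TMP\\", re.IGNORECASE)
# advpack.dll!DelNodeRunDLL32 deletes a directory tree; wextract registers it
# under RunOnce so its temp directory is removed at next logon.
CLEANUP_RE = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.IGNORECASE)
# Host processes the second stage was seen writing into (assumed set; extend as needed).
INJECTION_TARGETS = {"iexplore.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_iexpress_temp_path(path: str) -> bool:
    """True if the path lies under an IExpress extraction directory."""
    return IEXPRESS_TEMP_RE.search(path) is not None


def classify_runonce(value: str) -> str:
    """Distinguish the wextract cleanup stub from a real autostart entry."""
    if CLEANUP_RE.search(value) and is_iexpress_temp_path(value):
        return "iexpress_cleanup"
    return "autostart"


def process_chain(events: List[Dict[str, str]], pid: str) -> List[str]:
    """Walk parent links from pid to the root and return the image path chain."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    parents = {e["pid"]: e["ppid"] for e in events if e["type"] == "process_create"}
    chain: List[str] = []
    while pid in images:
        chain.append(images[pid])
        pid = parents[pid]
    return list(reversed(chain))


def find_injection_chains(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(source image, target image) pairs where a binary running from an
    IExpress temp directory writes into a known host process."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    hits: List[Tuple[str, str]] = []
    for e in events:
        if e["type"] != "write_process_memory":
            continue
        src = images.get(e["pid"], "")
        dst = images.get(e["target_pid"], "")
        if is_iexpress_temp_path(src) and _basename(dst) in INJECTION_TARGETS:
            hits.append((src, dst))
    return hits


def runonce_entries(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Every RunOnce value written, tagged as cleanup stub or genuine autostart."""
    return [(e["key"], classify_runonce(e["value"]))
            for e in events
            if e["type"] == "registry_set" and "\\RunOnce\\" in e["key"]]


if __name__ == "__main__":
    for src, dst in find_injection_chains(SAMPLE_EVENTS):
        print("injection:", " -> ".join(process_chain(SAMPLE_EVENTS, "2624")))
    for key, kind in runonce_entries(SAMPLE_EVENTS):
        print(f"{kind:17} {key}")
```

The point of the RunOnce classifier is to avoid raising a persistence alert on the cleanup stub while still surfacing it as a packaging indicator; the high-signal event is the cross-process write from the IXP000.TMP binary into iexplore.exe, which the chain walker ties back to the original dropper.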
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \Users\Admin\AppData\Local\Temp\IXP000.TMP\SX_SER~1.EXE
  Filesize: 686KB
  MD5: af91da5a4d64f8f9e83fecbf3279d1ec
  SHA1: b8ead09a62a86930039519518a6c3bebadb4764d
  SHA256: 09f426a939617e995169227865a202cb952907c842b5a602e7ea29b013fb5b62
  SHA512: 7e3bd63c7c25735d7c77c636201ffbd93ff3792a86331a870bf0e57cf796a2000e4d983e3a1bcc7b9bbcdecb957cfccabf5f56c72537d5396b2140fd8c3dbcc9
- memory/2936-0-0x0000000001000000-0x00000000010C4000-memory.dmp
  Filesize: 784KB
- memory/2936-1-0x00000000010B3000-0x00000000010B5000-memory.dmp
  Filesize: 8KB
- memory/2936-2-0x0000000001000000-0x00000000010C4000-memory.dmp
  Filesize: 784KB
- memory/2936-8-0x0000000000D40000-0x0000000000E00000-memory.dmp
  Filesize: 768KB
- memory/2936-16-0x0000000001000000-0x00000000010C4000-memory.dmp
  Filesize: 784KB
- memory/3036-11-0x0000000000400000-0x00000000004BF400-memory.dmp
  Filesize: 765KB
- memory/3036-15-0x0000000000400000-0x00000000004BF400-memory.dmp
  Filesize: 765KB