Analysis
max time kernel: 142s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-04-2024 13:20
Static task: static1
Behavioral task: behavioral1
  Sample: ff5e2863440153305ea8cab67fecb2be_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: ff5e2863440153305ea8cab67fecb2be_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: ff5e2863440153305ea8cab67fecb2be_JaffaCakes118.exe
Size: 594KB
MD5: ff5e2863440153305ea8cab67fecb2be
SHA1: 5179ac947392efd76acf66ca6e2349a394f23b0e
SHA256: dcce71d13f61f3c0dbf69e8a4a57de81d41277b585b057b4ed6e0cf49a4bb3da
SHA512: 6c4211f91609ce1eb743b278e70a5b87b22861d0ee3c718bc1d8070df31b25b716668752cb83278f77004287aef1d2ff9adebced9a1ef62b78b861bf45075286
SSDEEP: 12288:Hx0FzFNxTG9ppkAUzEFHquQHnF3Z4mxxj7sIcOa/Y91TVK9:Hx0P69+ERQHnQmXnsINwr9
Malware Config
Signatures
ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage (1 IoC)
  resource: behavioral2/memory/4616-13-0x0000000000400000-0x000000000050A000-memory.dmp
  yara_rule: modiloader_stage2
Drops file in System32 directory (1 IoC)
  Processes:
    process: ff5e2863440153305ea8cab67fecb2be_JaffaCakes118.exe
    description: File created
    ioc: C:\Windows\SysWOW64\FieleWay.txt
Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    process: ff5e2863440153305ea8cab67fecb2be_JaffaCakes118.exe
    description: PID 4616 wrote to memory of 840
    pid: 4616
    target process: IEXPLORE.EXE
    --
    process: ff5e2863440153305ea8cab67fecb2be_JaffaCakes118.exe
    description: PID 4616 wrote to memory of 840
    pid: 4616
    target process: IEXPLORE.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\ff5e2863440153305ea8cab67fecb2be_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ff5e2863440153305ea8cab67fecb2be_JaffaCakes118.exe"
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   2. C:\program files\internet explorer\IEXPLORE.EXE
      Command line: "C:\program files\internet explorer\IEXPLORE.EXE"
1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix
Downloads
File                                                            Filesize
memory/4616-0-0x0000000000400000-0x000000000050A000-memory.dmp   1.0MB
memory/4616-1-0x00000000022E0000-0x0000000002334000-memory.dmp   336KB
memory/4616-2-0x00000000024E0000-0x00000000024E1000-memory.dmp   4KB
memory/4616-3-0x00000000024C0000-0x00000000024C1000-memory.dmp   4KB
memory/4616-4-0x0000000002510000-0x0000000002511000-memory.dmp   4KB
memory/4616-5-0x00000000024A0000-0x00000000024A1000-memory.dmp   4KB
memory/4616-6-0x0000000002490000-0x0000000002491000-memory.dmp   4KB
memory/4616-7-0x0000000002500000-0x0000000002501000-memory.dmp   4KB
memory/4616-8-0x00000000024F0000-0x00000000024F1000-memory.dmp   4KB
memory/4616-9-0x0000000002520000-0x0000000002521000-memory.dmp   4KB
memory/4616-10-0x00000000024B0000-0x00000000024B1000-memory.dmp  4KB
memory/4616-11-0x00000000034A0000-0x00000000034A1000-memory.dmp  4KB
memory/4616-13-0x0000000000400000-0x000000000050A000-memory.dmp  1.0MB
memory/4616-14-0x00000000022E0000-0x0000000002334000-memory.dmp  336KB