Analysis
  max time kernel:  141s
  max time network: 126s
  platform:         windows7_x64
  resource:         win7-20240221-en
  resource tags:    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted:        09-05-2024 05:19
Behavioral task: behavioral1
  Sample:   287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample:   287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
  Target: 287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe
  Size:   131KB
  MD5:    287676aed2a794ab37b5d15e3b8240fc
  SHA1:   4843654fefae2b9acffda822e42b9e873f22e505
  SHA256: 6b642779294dbc484846ac080019d3254fef27adcb91941f1365668768f99a28
  SHA512: da445b01f1c2dfc183169fadd1aef168759aab8d1a8f8c36e0d596df50e6bdc59e55143bc846efed3c1f37c91c5a209e5db19aa640ead0bd6f4c53c9ec1dce25
  SSDEEP: 3072:rqJROloR0U4OulGjb58Md5ejE3/wwGcYO9l:urOlKf49QVYcl
Malware Config
Signatures

- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

- ModiLoader Second Stage (2 IoCs)
  resource                                                                   yara_rule
  \Program Files\Common Files\Microsoft Shared\MSInfo\SysInfo.wmp            modiloader_stage2
  behavioral1/memory/2648-12-0x0000000000400000-0x0000000000419000-memory.dmp  modiloader_stage2

- Loads dropped DLL (2 IoCs)
  pid   process
  2648  287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe
  3004  DllHost.exe

- Drops file in Program Files directory (4 IoCs)
  description                   ioc                                                                process
  File created                  C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.dll  287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.dll  287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp  287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe
  File created                  C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp  287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   process
  3004  DllHost.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  2648  287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe"
  PID: 2648
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx

- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 3004
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 53KB
  MD5:    83ff7b981e81388e22b4f5a44855b29f
  SHA1:   1762e76a2ba0646327925e646aa9f0dbc685e312
  SHA256: 596b30d5b0bddcbcc26e945f101d50b02e99aab67f3b44805d82e2eabd19f225
  SHA512: 3846d6e06cd47381941dba6b8d0275c4e3d5aa70f47d71f50c8546e074e8c8d411cf66b50f570853c207e1404441c887bb3feccef20993decd8999dfa086fba2

- Filesize: 48KB
  MD5:    c4e1241f08a79f77098d2373e42a6abd
  SHA1:   5f30ffdc1ddf90cee4a924c5a84a22ca29896f19
  SHA256: fb5bf9ecd9e3b840c5d168e568c94c5e73ee961ad4fe476e935040f934b675ff
  SHA512: 2c67f0ee3ebe3ec40be1ec8b244b98e62c7721befd8277bb9b66e36e29e46e27b7d37c588099f4376783568e76ae8d3778676a27d205e08cd6309c79015f441a