Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
10-05-2024 11:25
Behavioral task
behavioral1
Sample
2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe
-
Size
719KB
-
MD5
2edeb2ff18dbc657dfb2e8aa3fd9fbc8
-
SHA1
821705cee1712031bfea83c1673ec59c83fa6693
-
SHA256
e275e10bea80834252aea1b5dba9a817b278b5c4a6d0594b01b1605de0b66f79
-
SHA512
d8899f5f928ddb48396c8351c31a65a8627010ac466b4c47b8e8af7a2a529f26e499a50cebbf84a563e762f4b986543b343835d67ce1b802651bcceaed632733
-
SSDEEP
12288:Z9s0WkglhZbd1S2XgKsIpCGUy7tkEccMtXVuOdeTqlTKFbso:ZnOhZbd1SbnKayxFKVu72lTKF/
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 6 IoCs
Processes:
resource yara_rule \Program Files (x86)\Server.exe modiloader_stage2 behavioral1/memory/1716-14-0x0000000000400000-0x00000000007BB000-memory.dmp modiloader_stage2 behavioral1/memory/1728-16-0x0000000000400000-0x00000000007BB000-memory.dmp modiloader_stage2 behavioral1/memory/1728-18-0x0000000000400000-0x00000000007BB000-memory.dmp modiloader_stage2 behavioral1/memory/1728-23-0x0000000000400000-0x00000000007BB000-memory.dmp modiloader_stage2 behavioral1/memory/1728-25-0x0000000000400000-0x00000000007BB000-memory.dmp modiloader_stage2 -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2616 cmd.exe -
Executes dropped EXE 1 IoCs
Processes:
Server.exepid process 1728 Server.exe -
Loads dropped DLL 1 IoCs
Processes:
2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exepid process 1716 2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Server.exe = "C:\\Program Files (x86)\\Server.exe" 2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe -
Drops file in Program Files directory 3 IoCs
Processes:
2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exedescription ioc process File created C:\Program Files (x86)\Server.exe 2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Server.exe 2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe File created C:\Program Files (x86)\Delsx.bat 2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
Server.exedescription pid process Token: SeIncBasePriorityPrivilege 1728 Server.exe Token: SeIncBasePriorityPrivilege 1728 Server.exe Token: SeIncBasePriorityPrivilege 1728 Server.exe Token: SeIncBasePriorityPrivilege 1728 Server.exe Token: SeIncBasePriorityPrivilege 1728 Server.exe Token: SeIncBasePriorityPrivilege 1728 Server.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exedescription pid process target process PID 1716 wrote to memory of 1728 1716 2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe Server.exe PID 1716 wrote to memory of 1728 1716 2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe Server.exe PID 1716 wrote to memory of 1728 1716 2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe Server.exe PID 1716 wrote to memory of 1728 1716 2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe Server.exe PID 1716 wrote to memory of 2616 1716 2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe cmd.exe PID 1716 wrote to memory of 2616 1716 2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe cmd.exe PID 1716 wrote to memory of 2616 1716 2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe cmd.exe PID 1716 wrote to memory of 2616 1716 2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Program Files (x86)\Server.exe"C:\Program Files (x86)\Server.exe" -k2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1728 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Program Files (x86)\Delsx.bat""2⤵
- Deletes itself
PID:2616
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Delsx.batFilesize
218B
MD5c180c739e96486267d2a4b547ef358f6
SHA1962691696b51120ad9118987f2876ec48fa40525
SHA256ee2b6a347d5aa3af3e18e46a61ccd0565b107e9736560bc21284da4c4e6adfba
SHA5121a411af0a545dfc36e3a93c7ce637eedd55ba8a85e2053201e359c7b43e631c9aa7e6da081620635b3cf82d06ba58c38af88a81f8d529dc24987d99d8a953a93
-
\Program Files (x86)\Server.exeFilesize
719KB
MD52edeb2ff18dbc657dfb2e8aa3fd9fbc8
SHA1821705cee1712031bfea83c1673ec59c83fa6693
SHA256e275e10bea80834252aea1b5dba9a817b278b5c4a6d0594b01b1605de0b66f79
SHA512d8899f5f928ddb48396c8351c31a65a8627010ac466b4c47b8e8af7a2a529f26e499a50cebbf84a563e762f4b986543b343835d67ce1b802651bcceaed632733
-
memory/1716-1-0x00000000002D0000-0x00000000002D1000-memory.dmpFilesize
4KB
-
memory/1716-14-0x0000000000400000-0x00000000007BB000-memory.dmpFilesize
3.7MB
-
memory/1728-6-0x0000000000280000-0x0000000000281000-memory.dmpFilesize
4KB
-
memory/1728-16-0x0000000000400000-0x00000000007BB000-memory.dmpFilesize
3.7MB
-
memory/1728-18-0x0000000000400000-0x00000000007BB000-memory.dmpFilesize
3.7MB
-
memory/1728-23-0x0000000000400000-0x00000000007BB000-memory.dmpFilesize
3.7MB
-
memory/1728-25-0x0000000000400000-0x00000000007BB000-memory.dmpFilesize
3.7MB