Analysis
- max time kernel: 51s
- max time network: 52s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-06-2024 22:34
Static task
- static1
Behavioral task
- behavioral1
  Sample: 00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task
- behavioral2
  Sample: 00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: 00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe
- Size: 35KB
- MD5: 00e82d1749e5d636fe123145909535a8
- SHA1: 9fda3372cd164e49893e7e7d0dccee8a84cd3413
- SHA256: 3d13bd742354c37651adaad71091c9510db0e596570bcc8497efbf98e2521bd1
- SHA512: 81f44098588f52b2ff9282a4c485ef224dcea04aeb0553902e14ff8997ae4097cf02e2ba04703683cc308b63ca13a98c62b89fbf9a7b4bf0df1e63e11479ba51
- SSDEEP: 768:p11ZCrVD1tuLAXGX2g0ClGe65c+azbKUKrxLiZEK8hKuuTYe0IRl:X2VZMkXGn8XcUxeZEK8UxVRl
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage 2 IoCs
  Processes:
  - resource: behavioral2/memory/624-9-0x0000000000590000-0x00000000005AF000-memory.dmp; yara_rule: modiloader_stage2
  - resource: behavioral2/memory/624-12-0x0000000000590000-0x00000000005AF000-memory.dmp; yara_rule: modiloader_stage2
- Loads dropped DLL 2 IoCs
  Processes: 00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe
  - pid: 624; process: 00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe
  - pid: 624; process: 00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe
- Drops file in Program Files directory 1 IoCs
  Processes: 00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe
  - description: File created; ioc: C:\Program Files\Common Files\Microsoft Shared\MSINFO\atmQQ2.dll; process: 00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses 8 IoCs
  Processes: 00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe
  - pid: 624; process: 00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe (8 identical entries)
- Suspicious use of SetWindowsHookEx 1 IoCs
  Processes: 00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe
  - pid: 624; process: 00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
- C:\Program Files\Common Files\microsoft shared\MSInfo\atmQQ2.dll
  Filesize: 25KB
  MD5: f45fba65ddd38aae9a4b54052d642e11
  SHA1: 6926b3502e007f9cf9dc21eefb03eaca71823a7e
  SHA256: eeff588f8f86a4516508d56c80e84ae23509a073fbe707d6fba8f8d7a3a352c4
  SHA512: 5cfce8c1f338dd32a59aa29ef4401c3797e27e577f4275faf665bb537d3f0174ca7e5f2eb448703a46b51f60efc2068da68761de0e708e3500792d2e6fddc3ff
- memory/624-0-0x0000000000400000-0x0000000000425000-memory.dmp
  Filesize: 148KB
- memory/624-10-0x00000000005B0000-0x00000000005B1000-memory.dmp
  Filesize: 4KB
- memory/624-9-0x0000000000590000-0x00000000005AF000-memory.dmp
  Filesize: 124KB
- memory/624-8-0x0000000000590000-0x00000000005AF000-memory.dmp
  Filesize: 124KB
- memory/624-7-0x0000000000590000-0x00000000005AF000-memory.dmp
  Filesize: 124KB
- memory/624-11-0x0000000000400000-0x0000000000425000-memory.dmp
  Filesize: 148KB
- memory/624-12-0x0000000000590000-0x00000000005AF000-memory.dmp
  Filesize: 124KB
- memory/624-13-0x00000000005B0000-0x00000000005B1000-memory.dmp
  Filesize: 4KB