Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-06-2024 23:35
Static task: static1
Behavioral task: behavioral1
  Sample: 01327eafd5460a3d9961634f34d40368_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 01327eafd5460a3d9961634f34d40368_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 01327eafd5460a3d9961634f34d40368_JaffaCakes118.exe
Size: 239KB
MD5: 01327eafd5460a3d9961634f34d40368
SHA1: 96d08cb3c890e7a89f9206c1a77021e19c23358e
SHA256: 1fe8df87466ff32ed691bfb5730cb86259b4fd959e8397f0ea3f830291ad3355
SHA512: e7556a80521f8cff2e8cb65603a0d847811e6e4601478aa0d1cf94984c5f0134e1904c7c46ccff7a0f2171feaf19d553d8fd9dce7482bef143955a4396976af3
SSDEEP: 6144:4s4caMo7UsCaVNro7xU6UmxsYjXBYRAS2gBuHs:O5TU0NreBUmHYRASd
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (3 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/3820-0-0x0000000000400000-0x000000000048D200-memory.dmp   modiloader_stage2
  behavioral2/memory/4984-12-0x0000000000400000-0x000000000048D200-memory.dmp  modiloader_stage2
  behavioral2/memory/3820-14-0x0000000000400000-0x000000000048D200-memory.dmp  modiloader_stage2

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  4984  svcoys.exe

Drops file in System32 directory (4 IoCs)
Processes: 01327eafd5460a3d9961634f34d40368_JaffaCakes118.exe, svcoys.exe
  description                    ioc                                 process
  File created                   C:\Windows\SysWOW64\svcoys.exe      01327eafd5460a3d9961634f34d40368_JaffaCakes118.exe
  File opened for modification   C:\Windows\SysWOW64\svcoys.exe      01327eafd5460a3d9961634f34d40368_JaffaCakes118.exe
  File opened for modification   C:\Windows\SysWOW64\svcoys.exe      svcoys.exe
  File created                   C:\Windows\SysWOW64\Deleteme.bat    01327eafd5460a3d9961634f34d40368_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 01327eafd5460a3d9961634f34d40368_JaffaCakes118.exe
  description                          pid   process                                             target process
  PID 3820 wrote to memory of 4984     3820  01327eafd5460a3d9961634f34d40368_JaffaCakes118.exe  svcoys.exe
  PID 3820 wrote to memory of 4984     3820  01327eafd5460a3d9961634f34d40368_JaffaCakes118.exe  svcoys.exe
  PID 3820 wrote to memory of 4984     3820  01327eafd5460a3d9961634f34d40368_JaffaCakes118.exe  svcoys.exe
  PID 3820 wrote to memory of 2512     3820  01327eafd5460a3d9961634f34d40368_JaffaCakes118.exe  cmd.exe
  PID 3820 wrote to memory of 2512     3820  01327eafd5460a3d9961634f34d40368_JaffaCakes118.exe  cmd.exe
  PID 3820 wrote to memory of 2512     3820  01327eafd5460a3d9961634f34d40368_JaffaCakes118.exe  cmd.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\01327eafd5460a3d9961634f34d40368_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\01327eafd5460a3d9961634f34d40368_JaffaCakes118.exe"
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\svcoys.exe
      Command line: C:\Windows\system32\svcoys.exe
      - Executes dropped EXE
      - Drops file in System32 directory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
Network
MITRE ATT&CK Matrix
Downloads
C:\Windows\SysWOW64\Deleteme.bat
  Filesize: 212B
  MD5: 97ddb65f799ca26cbf066236c09d96dc
  SHA1: 42c122f02d76b09280ae25dc2d37e766fa936b18
  SHA256: 863cfc9719779a8475fce7b193dc32ab1a31e17c75b93c5ef0d7cf5c84e93fa6
  SHA512: f216e74cd479ea4c32c9f678809a296d54f84dbcbd85a583b193444a5e69e38d02d0b79ba0acaa50f638ea53dac3e3bda70f5f180bd3ffe9a8b059d5e44f34d2

C:\Windows\SysWOW64\svcoys.exe
  Filesize: 239KB
  MD5: 01327eafd5460a3d9961634f34d40368
  SHA1: 96d08cb3c890e7a89f9206c1a77021e19c23358e
  SHA256: 1fe8df87466ff32ed691bfb5730cb86259b4fd959e8397f0ea3f830291ad3355
  SHA512: e7556a80521f8cff2e8cb65603a0d847811e6e4601478aa0d1cf94984c5f0134e1904c7c46ccff7a0f2171feaf19d553d8fd9dce7482bef143955a4396976af3

memory/3820-0-0x0000000000400000-0x000000000048D200-memory.dmp
  Filesize: 564KB

memory/3820-1-0x00000000022D0000-0x00000000022D1000-memory.dmp
  Filesize: 4KB

memory/3820-14-0x0000000000400000-0x000000000048D200-memory.dmp
  Filesize: 564KB

memory/4984-7-0x0000000000400000-0x000000000048D200-memory.dmp
  Filesize: 564KB

memory/4984-12-0x0000000000400000-0x000000000048D200-memory.dmp
  Filesize: 564KB

memory/4984-8-0x00000000005F0000-0x00000000005F1000-memory.dmp
  Filesize: 4KB