Analysis
max time kernel: 140s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-06-2024 20:15
Behavioral task: behavioral1
  Sample: 004c7f3fa07354703c69c56248fd2905_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 004c7f3fa07354703c69c56248fd2905_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 004c7f3fa07354703c69c56248fd2905_JaffaCakes118.exe
Size: 19KB
MD5: 004c7f3fa07354703c69c56248fd2905
SHA1: 1601cc17511e4a65df9fef9eb04d4673cff84481
SHA256: 77862e3ff38d5413b595bd4bddf5f2b203e1e07818fb97bf500abf3dc3e913a4
SHA512: f28f37488e790e07e67d5c9e5c241cb700b5abd56c6adc33e2defad079c3da4bf85dcff975e11e359b3ba707f49f3e32911ce736e571f585e77d48c259736b5e
SSDEEP: 384:B+1dYQqhOE/0aZkEfcSJByj8ZoblMmmdMf8VXuahaD:M11qkE/0ZEUqI8upMmsM6rh
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (1 IoC)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2664-0-0x0000000010000000-0x000000001000C000-memory.dmp    modiloader_stage2

Program crash (1 IoC)
Processes:
  pid    pid_target    process         target process
  1580   2664          WerFault.exe    004c7f3fa07354703c69c56248fd2905_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                          pid    process                                               target process
  PID 2664 wrote to memory of 1580     2664   004c7f3fa07354703c69c56248fd2905_JaffaCakes118.exe    WerFault.exe
  PID 2664 wrote to memory of 1580     2664   004c7f3fa07354703c69c56248fd2905_JaffaCakes118.exe    WerFault.exe
  PID 2664 wrote to memory of 1580     2664   004c7f3fa07354703c69c56248fd2905_JaffaCakes118.exe    WerFault.exe
  PID 2664 wrote to memory of 1580     2664   004c7f3fa07354703c69c56248fd2905_JaffaCakes118.exe    WerFault.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\004c7f3fa07354703c69c56248fd2905_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\004c7f3fa07354703c69c56248fd2905_JaffaCakes118.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 124
      - Program crash
Network
MITRE ATT&CK Matrix
Downloads
memory/2664-0-0x0000000010000000-0x000000001000C000-memory.dmp
  Filesize: 48KB