Analysis
- max time kernel: 139s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-06-2024 21:23
Behavioral task: behavioral1
- Sample: 008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe
- Size: 694KB
- MD5: 008ffcd20d2f024ec73058b2e7c11845
- SHA1: 58edd707567361a9f4976333ab79217be2e7fddf
- SHA256: d0410fd3d546c16e89ad8216993a0a5a8a58da2f7cf909125f5109f649b81619
- SHA512: c47d2a23cb2350f5b5d4c405da21e2032720278ddf197f2cd3c2420b137cc3869b6881aa964c200056a1df88fe8a7e73bda72b4a5740ed4060ca97af90d01060
- SSDEEP: 12288:9nHtGgozqi5paO0lp9USQVUSyrkA4HZ6J+v5NdTgxWaSTA0:hN2eas1USImaHIwPuIaST7
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (3 IoCs)
  Processes:
  resource | yara_rule
  C:\Windows\SysWOW64\conim.exe | modiloader_stage2
  behavioral2/memory/3736-6-0x0000000000400000-0x00000000004B4000-memory.dmp | modiloader_stage2
  behavioral2/memory/4208-8-0x0000000000400000-0x00000000004B4000-memory.dmp | modiloader_stage2
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  3736 | conim.exe
- Drops file in System32 directory (4 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\conim.exe | conim.exe
  File created | C:\Windows\SysWOW64\DaverDel.bat | 008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\conim.exe | 008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\conim.exe | 008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | process | target process
  PID 4208 wrote to memory of 3736 | 4208 | 008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe | conim.exe
  PID 4208 wrote to memory of 3736 | 4208 | 008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe | conim.exe
  PID 4208 wrote to memory of 3736 | 4208 | 008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe | conim.exe
  PID 4208 wrote to memory of 4904 | 4208 | 008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe | cmd.exe
  PID 4208 wrote to memory of 4904 | 4208 | 008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe | cmd.exe
  PID 4208 wrote to memory of 4904 | 4208 | 008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\conim.exe
    Command line: C:\Windows\system32\conim.exe
    - Executes dropped EXE
    - Drops file in System32 directory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\DaverDel.bat
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3684,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=4140 /prefetch:8
Network
MITRE ATT&CK Matrix
Downloads
- C:\Windows\SysWOW64\DaverDel.bat
  - Filesize: 212B
  - MD5: e2182b9e278e633a1d7da8d0d95965e9
  - SHA1: 94bc5bbf7f427ff0f0882cc7d8a4724edf86f65b
  - SHA256: e27df7423e8d71555c1ceffe646d2358b634bc2d220398a46bd254964dcc60cb
  - SHA512: 033371656ed018e5930ea1d7134d9af4ff461a74aa26a54a3230c253fc28bced40ae1675956bed8d0df378bb32bf7f24f1f4f9ecc5cee43fdae3d0f2ca9fff00
- C:\Windows\SysWOW64\conim.exe
  - Filesize: 694KB
  - MD5: 008ffcd20d2f024ec73058b2e7c11845
  - SHA1: 58edd707567361a9f4976333ab79217be2e7fddf
  - SHA256: d0410fd3d546c16e89ad8216993a0a5a8a58da2f7cf909125f5109f649b81619
  - SHA512: c47d2a23cb2350f5b5d4c405da21e2032720278ddf197f2cd3c2420b137cc3869b6881aa964c200056a1df88fe8a7e73bda72b4a5740ed4060ca97af90d01060
- memory/3736-6-0x0000000000400000-0x00000000004B4000-memory.dmp
  - Filesize: 720KB
- memory/4208-8-0x0000000000400000-0x00000000004B4000-memory.dmp
  - Filesize: 720KB