Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 22:08
Static task: static1
Behavioral task: behavioral1
  Sample: 09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe
Size: 685KB
MD5: 09b08ef9cc21337e994d034e0d89fcb9
SHA1: e0bdb668fc9641aabf48084b09b8f8e88cef1043
SHA256: 44f7f0b048b37ccde8b257eeca4156e96aee9e3e8b43ad0a23de8215c46459e2
SHA512: b8f68263167f57ba33844618f8ef754b3c81a5cc8c57b3a3c64e69b474714ac42b07e8dda0e66eaa23a21210943df27d266191d0acf00bd3dce82ec9619e1b92
SSDEEP: 12288:iJ9KSBADXsTZmUwpnLLYjFVN2e0jZACuxEMbSW9rWNgvEmzpmzWMR:8A7im9/AFj70SHx7WW9XvEksR
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (3 IoCs)
resource                                                                      yara_rule
behavioral1/memory/2012-34-0x0000000000400000-0x00000000007BF000-memory.dmp   modiloader_stage2
behavioral1/memory/2764-36-0x0000000000400000-0x00000000007BF000-memory.dmp   modiloader_stage2
behavioral1/memory/2012-37-0x0000000000400000-0x00000000007BF000-memory.dmp   modiloader_stage2

Executes dropped EXE (1 IoC)
pid    process
2764   System.exe

Loads dropped DLL (5 IoCs)
pid    process
2012   09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe
2012   09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe
2592   WerFault.exe
2592   WerFault.exe
2592   WerFault.exe

Drops file in Program Files directory (2 IoCs)
description                    ioc                                                                process
File created                   C:\Program Files\Common Files\Microsoft Shared\MSINFO\System.exe   09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe
File opened for modification   C:\Program Files\Common Files\Microsoft Shared\MSINFO\System.exe   09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe

Program crash (1 IoC)
pid    pid_target   process        target process
2592   2764         WerFault.exe   System.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                          pid    process                                              target process
PID 2012 wrote to memory of 2764     2012   09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe   System.exe
PID 2012 wrote to memory of 2764     2012   09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe   System.exe
PID 2012 wrote to memory of 2764     2012   09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe   System.exe
PID 2012 wrote to memory of 2764     2012   09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe   System.exe
PID 2764 wrote to memory of 2592     2764   System.exe                                           WerFault.exe
PID 2764 wrote to memory of 2592     2764   System.exe                                           WerFault.exe
PID 2764 wrote to memory of 2592     2764   System.exe                                           WerFault.exe
PID 2764 wrote to memory of 2592     2764   System.exe                                           WerFault.exe
Processes
C:\Users\Admin\AppData\Local\Temp\09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe (PID 2012, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Common Files\Microsoft Shared\MSINFO\System.exe (PID 2764, depth 2)
    Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\System.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe (PID 2592, depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 304
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 685KB
MD5: 09b08ef9cc21337e994d034e0d89fcb9
SHA1: e0bdb668fc9641aabf48084b09b8f8e88cef1043
SHA256: 44f7f0b048b37ccde8b257eeca4156e96aee9e3e8b43ad0a23de8215c46459e2
SHA512: b8f68263167f57ba33844618f8ef754b3c81a5cc8c57b3a3c64e69b474714ac42b07e8dda0e66eaa23a21210943df27d266191d0acf00bd3dce82ec9619e1b92