Analysis
max time kernel: 118s
max time network: 121s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 21:27
Static task: static1
Behavioral task: behavioral1
  Sample: 0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe
Size: 370KB
MD5: 0971d66032eea65229912a66a407f0f4
SHA1: 8596505166e950c404b8ee17dd2a75a4174a1d6f
SHA256: 4f2fa7465b436705948981e5d7857513c41246750ac01bc06d5298193f328f71
SHA512: a3a2c497448679aeab45a7b3c1599c399c92a5d00f3ab866206b5dc1e7542406824fd8b444d0fa94eb659e9898879e220b4f6625f046d72678fcb7746c1a0cfc
SSDEEP: 6144:SneX48vxqhd/fXttTk9f17rvQpDFyUF24z5IyGUksTBvSNlt0:SeI8v0hdHXXkl17424zvGFsTt6K
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (2 IoCs)
resource                                                                      yara_rule
behavioral1/memory/2168-12-0x0000000000400000-0x00000000004B7400-memory.dmp   modiloader_stage2
behavioral1/memory/2168-18-0x0000000000400000-0x00000000004B7400-memory.dmp   modiloader_stage2

Drops file in Drivers directory (1 IoCs)
description    ioc                                     process
File created   C:\Windows\SysWOW64\drivers\sysdt.sys   0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe

Executes dropped EXE (1 IoCs)
pid    process
2168   tempdir.exe

Loads dropped DLL (2 IoCs)
pid    process
1696   0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe
1696   0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe

Drops file in Program Files directory (1 IoCs)
description    ioc                                                                  process
File created   C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt   tempdir.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                        pid    process                                              target process
PID 1696 wrote to memory of 2168   1696   0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe   tempdir.exe
PID 1696 wrote to memory of 2168   1696   0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe   tempdir.exe
PID 1696 wrote to memory of 2168   1696   0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe   tempdir.exe
PID 1696 wrote to memory of 2168   1696   0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe   tempdir.exe
PID 2168 wrote to memory of 2920   2168   tempdir.exe                                          IEXPLORE.EXE
PID 2168 wrote to memory of 2920   2168   tempdir.exe                                          IEXPLORE.EXE
PID 2168 wrote to memory of 2920   2168   tempdir.exe                                          IEXPLORE.EXE
PID 2168 wrote to memory of 2920   2168   tempdir.exe                                          IEXPLORE.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe"
   PID: 1696
   - Drops file in Drivers directory
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\tempdir.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tempdir.exe
      PID: 2168
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      3. C:\program files\internet explorer\IEXPLORE.EXE
         Command line: "C:\program files\internet explorer\IEXPLORE.EXE"
         PID: 2920
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 362KB
MD5: e93b9cb0d9258820eb108889327d1284
SHA1: 5384059f00d378aabf9bd5082d100f75ca442cbf
SHA256: 450ecac14e98b43be31d8672d0f48bf3ebc2dfd3a7edfc8bb80629bf3b1139e5
SHA512: 8677067371868f3ba509d1322748c78baa0207b3918c7513dc11ec39987cecc1f564ed79e8fd07559a378c847ac3742ef66e89c042f97f25338b63d20210c6a8