Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 21:51
Static task: static1
Behavioral task: behavioral1
  Sample: 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
Size: 113KB
MD5: 0995f49d25d193863b2a049bf0fe147b
SHA1: 75e622a5313ae83113dea80414f3e0c1b3ef906f
SHA256: f84ba334ca4756281c54b604f22bfb7eda3fa2f2c098e2f880f5d7902eae685d
SHA512: 090e3ddbd237c6ccc617efef9c14c26e541df71c01dc998855c884a6ba637f1e04c946c819f1bd4a6f28c5f707a3b4cbbed30684e565a7b0ee8c0aed1df7effc
SSDEEP: 1536:1zPsqFtRq1DuS5zhwxeuc5jzyPgF2uwV3SNJB3upiozkWk0wQZ9dAT+P/Bcx12L:1LFt8VhCUF2uwV3SNJ4piJ0wi9dq+XF
Malware Config
Signatures
ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage (1 IoC)
  Processes:
    resource: behavioral1/memory/2888-5-0x0000000010000000-0x000000001002E000-memory.dmp
    yara_rule: modiloader_stage2
Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 2888 set thread context of 2940
    pid: 2888
    process: 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
    target process: 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
Program crash (1 IoC)
  Processes:
    pid: 2072
    pid_target: 2940
    process: WerFault.exe
    target process: 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description | pid | process | target process):
    PID 2888 wrote to memory of 2940 | 2888 | 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe | 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
    PID 2888 wrote to memory of 2940 | 2888 | 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe | 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
    PID 2888 wrote to memory of 2940 | 2888 | 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe | 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
    PID 2888 wrote to memory of 2940 | 2888 | 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe | 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
    PID 2888 wrote to memory of 2940 | 2888 | 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe | 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
    PID 2888 wrote to memory of 2940 | 2888 | 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe | 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
    PID 2940 wrote to memory of 2072 | 2940 | 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe | WerFault.exe
    PID 2940 wrote to memory of 2072 | 2940 | 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe | WerFault.exe
    PID 2940 wrote to memory of 2072 | 2940 | 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe | WerFault.exe
    PID 2940 wrote to memory of 2072 | 2940 | 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe | WerFault.exe
Processes
C:\Users\Admin\AppData\Local\Temp\0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe"
  depth: 1
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2888
  C:\Users\Admin\AppData\Local\Temp\0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
    command line: C:\Users\Admin\AppData\Local\Temp\0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
    depth: 2
    - Suspicious use of WriteProcessMemory
    PID: 2940
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 92
      depth: 3
      - Program crash
      PID: 2072