Analysis
max time kernel: 141s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 21:51
Static task: static1
Behavioral task: behavioral1
  Sample: 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
Size: 113KB
MD5: 0995f49d25d193863b2a049bf0fe147b
SHA1: 75e622a5313ae83113dea80414f3e0c1b3ef906f
SHA256: f84ba334ca4756281c54b604f22bfb7eda3fa2f2c098e2f880f5d7902eae685d
SHA512: 090e3ddbd237c6ccc617efef9c14c26e541df71c01dc998855c884a6ba637f1e04c946c819f1bd4a6f28c5f707a3b4cbbed30684e565a7b0ee8c0aed1df7effc
SSDEEP: 1536:1zPsqFtRq1DuS5zhwxeuc5jzyPgF2uwV3SNJB3upiozkWk0wQZ9dAT+P/Bcx12L:1LFt8VhCUF2uwV3SNJ4piJ0wi9dq+XF
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (1 IoC)
  resource: behavioral2/memory/4972-8-0x0000000010000000-0x000000001002E000-memory.dmp
  yara_rule: modiloader_stage2

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: PID 4972 set thread context of 1936
  pid: 4972
  process: 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
  target process: 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe

Program crash (1 IoC)
Processes:
  pid: 5044
  pid_target: 1936
  process: WerFault.exe
  target process: 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes (all five entries have the same description, pid, process and target process):
  1. description: PID 4972 wrote to memory of 1936; pid: 4972; process: 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe; target process: 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
  2. description: PID 4972 wrote to memory of 1936; pid: 4972; process: 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe; target process: 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
  3. description: PID 4972 wrote to memory of 1936; pid: 4972; process: 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe; target process: 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
  4. description: PID 4972 wrote to memory of 1936; pid: 4972; process: 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe; target process: 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
  5. description: PID 4972 wrote to memory of 1936; pid: 4972; process: 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe; target process: 0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
Processes (tree; depth shown by indentation)

C:\Users\Admin\AppData\Local\Temp\0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe"
  PID: 4972
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
    command line: C:\Users\Admin\AppData\Local\Temp\0995f49d25d193863b2a049bf0fe147b_JaffaCakes118.exe
    PID: 1936

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 248
      PID: 5044
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1936 -ip 1936
  PID: 1616