Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 22:47
Static task: static1
Behavioral task: behavioral1
  Sample: 09ec276b9abfb0a90cea10347b6e8cc1_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 09ec276b9abfb0a90cea10347b6e8cc1_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 09ec276b9abfb0a90cea10347b6e8cc1_JaffaCakes118.exe
Size: 413KB
MD5: 09ec276b9abfb0a90cea10347b6e8cc1
SHA1: 2b341df165dc18f3775f59a0d20da18613e40fd9
SHA256: 3a092a9b8db31ab68798137f020a043bc4b26181f9156f04fb4677a2b13acd51
SHA512: 332e90768b63185525a5a33cc4d25952041f65bb234ea6088e71e6bc0277ba63e913206745a61f8098c4f50770c0ed99c082524016c7343037c4fbc07972754f
SSDEEP: 6144:t+DbBikiaHIOujx5HFMvdAKwrm8A420WyLrvUSWcC2mtr/p1jTB8u0v8:tabEkia2N5HGEA50WyLBWzBjTe9v8
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage 1 IoCs
Processes:
  resource: behavioral1/memory/288-3-0x0000000000400000-0x00000000004BE03E-memory.dmp
  yara_rule: modiloader_stage2
Drops file in Program Files directory 1 IoCs
Processes:
  process: 09ec276b9abfb0a90cea10347b6e8cc1_JaffaCakes118.exe
  description: File created
  ioc: C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt
  process: 09ec276b9abfb0a90cea10347b6e8cc1_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
  process: 09ec276b9abfb0a90cea10347b6e8cc1_JaffaCakes118.exe
  description | pid | process | target process
  PID 288 wrote to memory of 2500 | 288 | 09ec276b9abfb0a90cea10347b6e8cc1_JaffaCakes118.exe | IEXPLORE.EXE
  PID 288 wrote to memory of 2500 | 288 | 09ec276b9abfb0a90cea10347b6e8cc1_JaffaCakes118.exe | IEXPLORE.EXE
  PID 288 wrote to memory of 2500 | 288 | 09ec276b9abfb0a90cea10347b6e8cc1_JaffaCakes118.exe | IEXPLORE.EXE
  PID 288 wrote to memory of 2500 | 288 | 09ec276b9abfb0a90cea10347b6e8cc1_JaffaCakes118.exe | IEXPLORE.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\09ec276b9abfb0a90cea10347b6e8cc1_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\09ec276b9abfb0a90cea10347b6e8cc1_JaffaCakes118.exe"
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   PID: 288
   2. C:\program files\internet explorer\IEXPLORE.EXE
      Command line: "C:\program files\internet explorer\IEXPLORE.EXE"
      PID: 2500