Analysis
-
max time kernel
144s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
20-06-2024 00:32
General
-
Target
01722647475d5e9cc01a105dbaa2e979_JaffaCakes118.exe
-
Size
100KB
-
MD5
01722647475d5e9cc01a105dbaa2e979
-
SHA1
5e855c25f769f4ca1eb471b724bfe9bb26442bfb
-
SHA256
558dd090d548d4fa192d65533fc151b509ea7fc852fbeb16e3c43813b22faee2
-
SHA512
649d999fa4d57d8929bce9c8fe301979b671f0951aef0d22355daba823b6e9df37c49d6aaa2d92190e34d6c096316ed4d7424562cb68974ce99ed2b5a8049753
-
SSDEEP
1536:XVtksz1n+yGk3oYyIoP6moZkD+ucrwWkGJq0L11t35EMlII6L/PzqI1QKJRoA:DzbG4D5oPYZkOkne11fh56L/PZJ
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 2 IoCs
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\01722647475d5e9cc01a105dbaa2e979_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\01722647475d5e9cc01a105dbaa2e979_JaffaCakes118.exe"1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c DelMe.bat2⤵
- Deletes itself
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k krnlsrvc1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k krnlsrvc1⤵
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DelMe.batFilesize
212B
MD58a646850002bfdbd177d3b955a38492c
SHA1c664d157c7e0b549dce96d981d0ede7457d14618
SHA25617902d4338801ce526b1b29198ed8a6661e07701216c4c1f2e5bd5e2b82069c6
SHA5128f46ed69d3c6bf82ead84948b499ef9b212c3f45c5b3bf29116bde57306e2abe1853a83bd5fec3ecc0803875d0b5b0f30869abc5571df0f18ee2a1385ef361c0
-
\??\c:\windows\SysWOW64\jksing.dllFilesize
89KB
MD5c45976cd1f5399142dbdd0efc41f5488
SHA1932f68be5c97cb95978b29145077c4b0fbd340ab
SHA2562cc40038aaf08362a07820653496ac8433956448148b7cdd3939be180ddfa815
SHA512ca8717c1f6b950f810b5c99138fd597346925b755b12277810d7988aeba345a4da2aaecdc7654e46e21365569af59c7c07d23f2c98ed377ea08b99eaff273255
-
memory/1892-13-0x0000000000430000-0x0000000000495000-memory.dmpFilesize
404KB
-
memory/1892-15-0x0000000000430000-0x0000000000495000-memory.dmpFilesize
404KB
-
memory/3044-0-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/3044-12-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB