Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 02:35
Static task: static1
Behavioral task: behavioral1
  Sample: 0215392ce413e1c32fb36ccae96724b2_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 0215392ce413e1c32fb36ccae96724b2_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 0215392ce413e1c32fb36ccae96724b2_JaffaCakes118.exe
Size: 24KB
MD5: 0215392ce413e1c32fb36ccae96724b2
SHA1: ee9eba85e95657336a2fdbdb03a5b6624e06c496
SHA256: ae946b117f925e3490e18c9a5dc9afaa04a1ebe99457dda4daf2ed2e87f89cfa
SHA512: 38893d0ac4093c03438dd31395355c89de92c152674fcc36d1b7feab14052dfcd9b38f223377adb4c738a1e1ae94017e35167b870470f3c651b10b9fdf440b06
SSDEEP: 384:CKj7Wmqzu/RQ+mLyvXYu5+z0Y3w9AwzguPE+o6n6t+aFytTw6FHN:Djh+upC2/kzw9AwzTEn6n6tnm06Ft
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (3 IoCs)
resource | yara_rule
behavioral1/memory/1700-13-0x0000000000400000-0x0000000000423000-memory.dmp | modiloader_stage2
behavioral1/memory/2236-12-0x0000000000400000-0x0000000000423000-memory.dmp | modiloader_stage2
behavioral1/memory/1700-6-0x0000000000400000-0x0000000000423000-memory.dmp | modiloader_stage2

Executes dropped EXE (1 IoC)
pid | process
2236 | winwl.exe

Drops file in Windows directory (5 IoCs)
description | ioc | process
File opened for modification | C:\Windows\winwl.exe | 0215392ce413e1c32fb36ccae96724b2_JaffaCakes118.exe
File created | C:\Windows\kulionwl.dll | winwl.exe
File created | C:\Windows\winwl.exe | winwl.exe
File created | C:\Windows\kulionwl.dll | 0215392ce413e1c32fb36ccae96724b2_JaffaCakes118.exe
File created | C:\Windows\winwl.exe | 0215392ce413e1c32fb36ccae96724b2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | process | target process
PID 1700 wrote to memory of 2236 | 1700 | 0215392ce413e1c32fb36ccae96724b2_JaffaCakes118.exe | winwl.exe
PID 1700 wrote to memory of 2236 | 1700 | 0215392ce413e1c32fb36ccae96724b2_JaffaCakes118.exe | winwl.exe
PID 1700 wrote to memory of 2236 | 1700 | 0215392ce413e1c32fb36ccae96724b2_JaffaCakes118.exe | winwl.exe
PID 1700 wrote to memory of 2236 | 1700 | 0215392ce413e1c32fb36ccae96724b2_JaffaCakes118.exe | winwl.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\0215392ce413e1c32fb36ccae96724b2_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0215392ce413e1c32fb36ccae96724b2_JaffaCakes118.exe"
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\winwl.exe (child of 1)
      Command line: C:\Windows\winwl.exe
      - Executes dropped EXE
      - Drops file in Windows directory
Downloads

C:\Windows\kulionwl.dll
  Filesize: 27KB
  MD5: 75b2239d571212f7f6b3067b18d3cd36
  SHA1: 3e2ec96266892f58f22d2ce4f7d757e66aa5b038
  SHA256: ffb59098553c2b280965e34857958798ea4efa362229bb37e9fe146d787c24f4
  SHA512: 8a3a0f59d19209b2de1eed8e58a38b88017e8ff581b7cdf88006a86edd88f6b8fcb7cd7e906d8ab7f60cadc19c72bc43182b53a7c2b3a5d2ff59267cd22928be

C:\Windows\winwl.exe
  Filesize: 24KB
  MD5: 0215392ce413e1c32fb36ccae96724b2
  SHA1: ee9eba85e95657336a2fdbdb03a5b6624e06c496
  SHA256: ae946b117f925e3490e18c9a5dc9afaa04a1ebe99457dda4daf2ed2e87f89cfa
  SHA512: 38893d0ac4093c03438dd31395355c89de92c152674fcc36d1b7feab14052dfcd9b38f223377adb4c738a1e1ae94017e35167b870470f3c651b10b9fdf440b06

memory/1700-8-0x00000000003C0000-0x00000000003E3000-memory.dmp
  Filesize: 140KB

memory/1700-13-0x0000000000400000-0x0000000000423000-memory.dmp
  Filesize: 140KB

memory/1700-7-0x00000000003C0000-0x00000000003E3000-memory.dmp
  Filesize: 140KB

memory/1700-6-0x0000000000400000-0x0000000000423000-memory.dmp
  Filesize: 140KB

memory/2236-12-0x0000000000400000-0x0000000000423000-memory.dmp
  Filesize: 140KB