Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 20-06-2024 15:00
Static task: static1
Behavioral task: behavioral1
- Sample: 07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe
- Size: 172KB
- MD5: 07116ec4a84de6a40d1463edd99a80ff
- SHA1: b2915fc118e71f39befe7faa12c3ca3c58ebd540
- SHA256: 7c77d08316b5c698b66bff9640a79f32a1a4ef142c2965a996771baae9b7783f
- SHA512: 590ce3a26b667427b01121833da2408a8924cb2fdf24cf170b685c9c9e28732b27b960cbf073e7ddca9c3c7162f7a8504e59c5bb7d4584eaa0459de24330d998
- SSDEEP: 3072:z/wOS+fEzlFpyAuf6LpvesIDR/au01ZNs2YV8Jds8+Hp:T/WlFpIMIDdau01Y2YhJ
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (1 IoC)
  Processes:
    resource: behavioral1/memory/2912-207-0x0000000010410000-0x000000001046D000-memory.dmp
    yara_rule: modiloader_stage2
- Deletes itself (1 IoC)
  Processes:
    pid 1744, process cmd.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid 2096, process netservice.exe
- upx (yara rule match)
  Processes:
    resource: behavioral1/memory/2096-3-0x0000000010410000-0x000000001046D000-memory.dmp, yara_rule: upx
    resource: behavioral1/memory/2912-207-0x0000000010410000-0x000000001046D000-memory.dmp, yara_rule: upx
- Drops file in System32 directory (2 IoCs)
  Processes:
    File created: C:\Windows\SysWOW64\netservice.exe, by 07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe
    File opened for modification: C:\Windows\SysWOW64\netservice.exe, by 07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid 2460, process 07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege, pid 2096, process netservice.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
    pid 2096, process netservice.exe
- Suspicious use of WriteProcessMemory (64 IoCs; two distinct source/target pairs)
  Processes:
    PID 2096 (netservice.exe) wrote to memory of PID 2912 (svchost.exe)
    PID 2460 (07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe) wrote to memory of PID 1744 (cmd.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe"
  PID: 2460
  Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe"
    PID: 1744
    Signatures: Deletes itself
- C:\Windows\SysWOW64\netservice.exe
  Command line: C:\Windows\SysWOW64\netservice.exe
  PID: 2096
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: "svchost.exe"
    PID: 2912