Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-06-2024 15:00

General

  • Target

    07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe

  • Size

    172KB

  • MD5

    07116ec4a84de6a40d1463edd99a80ff

  • SHA1

    b2915fc118e71f39befe7faa12c3ca3c58ebd540

  • SHA256

    7c77d08316b5c698b66bff9640a79f32a1a4ef142c2965a996771baae9b7783f

  • SHA512

    590ce3a26b667427b01121833da2408a8924cb2fdf24cf170b685c9c9e28732b27b960cbf073e7ddca9c3c7162f7a8504e59c5bb7d4584eaa0459de24330d998

  • SSDEEP

    3072:z/wOS+fEzlFpyAuf6LpvesIDR/au01ZNs2YV8Jds8+Hp:T/WlFpIMIDdau01Y2YhJ

Score
10/10

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      PID:1744
  • C:\Windows\SysWOW64\netservice.exe
    C:\Windows\SysWOW64\netservice.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\SysWOW64\svchost.exe
      "svchost.exe"
      2⤵
      PID:2912

Network

MITRE ATT&CK Matrix

Downloads

    • C:\Windows\SysWOW64\netservice.exe

      Filesize

      172KB

      MD5

      07116ec4a84de6a40d1463edd99a80ff

      SHA1

      b2915fc118e71f39befe7faa12c3ca3c58ebd540

      SHA256

      7c77d08316b5c698b66bff9640a79f32a1a4ef142c2965a996771baae9b7783f

      SHA512

      590ce3a26b667427b01121833da2408a8924cb2fdf24cf170b685c9c9e28732b27b960cbf073e7ddca9c3c7162f7a8504e59c5bb7d4584eaa0459de24330d998

    • memory/2096-3-0x0000000010410000-0x000000001046D000-memory.dmp

      Filesize

      372KB

    • memory/2460-13-0x0000000013140000-0x0000000013171000-memory.dmp

      Filesize

      196KB

    • memory/2912-7-0x00000000000A0000-0x00000000000A1000-memory.dmp

      Filesize

      4KB

    • memory/2912-12-0x0000000000120000-0x0000000000121000-memory.dmp

      Filesize

      4KB

    • memory/2912-4-0x0000000000080000-0x0000000000081000-memory.dmp

      Filesize

      4KB

    • memory/2912-207-0x0000000010410000-0x000000001046D000-memory.dmp

      Filesize

      372KB