Analysis

  • max time kernel
    51s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-06-2024 15:00

General

  • Target

    07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe

  • Size

    172KB

  • MD5

    07116ec4a84de6a40d1463edd99a80ff

  • SHA1

    b2915fc118e71f39befe7faa12c3ca3c58ebd540

  • SHA256

    7c77d08316b5c698b66bff9640a79f32a1a4ef142c2965a996771baae9b7783f

  • SHA512

    590ce3a26b667427b01121833da2408a8924cb2fdf24cf170b685c9c9e28732b27b960cbf073e7ddca9c3c7162f7a8504e59c5bb7d4584eaa0459de24330d998

  • SSDEEP

    3072:z/wOS+fEzlFpyAuf6LpvesIDR/au01ZNs2YV8Jds8+Hp:T/WlFpIMIDdau01Y2YhJ

Score
10/10

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 4 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4952
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe"
      2⤵
        PID:4388
    • C:\Windows\SysWOW64\netservice.exe
      C:\Windows\SysWOW64\netservice.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:376
      • C:\Windows\SysWOW64\svchost.exe
        "svchost.exe"
        2⤵
          PID:4392

      Network

      MITRE ATT&CK Matrix

      Downloads

      • C:\Windows\SysWOW64\netservice.exe

        Filesize

        172KB

        MD5

        07116ec4a84de6a40d1463edd99a80ff

        SHA1

        b2915fc118e71f39befe7faa12c3ca3c58ebd540

        SHA256

        7c77d08316b5c698b66bff9640a79f32a1a4ef142c2965a996771baae9b7783f

        SHA512

        590ce3a26b667427b01121833da2408a8924cb2fdf24cf170b685c9c9e28732b27b960cbf073e7ddca9c3c7162f7a8504e59c5bb7d4584eaa0459de24330d998

      • memory/376-4-0x0000000010410000-0x000000001046D000-memory.dmp

        Filesize

        372KB

      • memory/376-43-0x0000000010410000-0x000000001046D000-memory.dmp

        Filesize

        372KB

      • memory/376-64-0x0000000013140000-0x0000000013171000-memory.dmp

        Filesize

        196KB

      • memory/4392-6-0x0000000000C10000-0x0000000000C11000-memory.dmp

        Filesize

        4KB

      • memory/4392-5-0x0000000000B50000-0x0000000000B51000-memory.dmp

        Filesize

        4KB

      • memory/4392-46-0x0000000003FE0000-0x0000000003FE1000-memory.dmp

        Filesize

        4KB

      • memory/4392-47-0x0000000010410000-0x000000001046D000-memory.dmp

        Filesize

        372KB

      • memory/4392-48-0x0000000010410000-0x000000001046D000-memory.dmp

        Filesize

        372KB

      • memory/4392-49-0x0000000010410000-0x000000001046D000-memory.dmp

        Filesize

        372KB

      • memory/4392-63-0x0000000010410000-0x000000001046D000-memory.dmp

        Filesize

        372KB

      • memory/4952-11-0x0000000013140000-0x0000000013171000-memory.dmp

        Filesize

        196KB