Analysis

max time kernel: 51s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 15:00
Static task: static1

Behavioral task: behavioral1
  Sample: 07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General

Target: 07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe
Size: 172KB
MD5: 07116ec4a84de6a40d1463edd99a80ff
SHA1: b2915fc118e71f39befe7faa12c3ca3c58ebd540
SHA256: 7c77d08316b5c698b66bff9640a79f32a1a4ef142c2965a996771baae9b7783f
SHA512: 590ce3a26b667427b01121833da2408a8924cb2fdf24cf170b685c9c9e28732b27b960cbf073e7ddca9c3c7162f7a8504e59c5bb7d4584eaa0459de24330d998
SSDEEP: 3072:z/wOS+fEzlFpyAuf6LpvesIDR/au01ZNs2YV8Jds8+Hp:T/WlFpIMIDdau01Y2YhJ
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (4 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/4392-47-0x0000000010410000-0x000000001046D000-memory.dmp   modiloader_stage2
  behavioral2/memory/4392-48-0x0000000010410000-0x000000001046D000-memory.dmp   modiloader_stage2
  behavioral2/memory/4392-49-0x0000000010410000-0x000000001046D000-memory.dmp   modiloader_stage2
  behavioral2/memory/4392-63-0x0000000010410000-0x000000001046D000-memory.dmp   modiloader_stage2
Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  376   netservice.exe
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/376-4-0x0000000010410000-0x000000001046D000-memory.dmp    upx
  behavioral2/memory/376-43-0x0000000010410000-0x000000001046D000-memory.dmp   upx
  behavioral2/memory/4392-47-0x0000000010410000-0x000000001046D000-memory.dmp  upx
  behavioral2/memory/4392-48-0x0000000010410000-0x000000001046D000-memory.dmp  upx
  behavioral2/memory/4392-49-0x0000000010410000-0x000000001046D000-memory.dmp  upx
  behavioral2/memory/4392-63-0x0000000010410000-0x000000001046D000-memory.dmp  upx
Drops file in System32 directory (2 IoCs)
Processes:
  description                    ioc                                   process
  File created                   C:\Windows\SysWOW64\netservice.exe    07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe
  File opened for modification   C:\Windows\SysWOW64\netservice.exe    07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid    process
  4952   07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe
  4952   07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description                 pid   process
  Token: SeDebugPrivilege     376   netservice.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
  pid   process
  376   netservice.exe
Suspicious use of WriteProcessMemory (64 IoCs, all repeats of the two distinct rows below)
Processes:
  description                        pid    process                                              target process
  PID 376 wrote to memory of 4392    376    netservice.exe                                       svchost.exe
  PID 4952 wrote to memory of 4388   4952   07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe   cmd.exe
Processes

C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe"
  PID: 4952
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe"
      PID: 4388

C:\Windows\SysWOW64\netservice.exe
  Command line: C:\Windows\SysWOW64\netservice.exe
  PID: 376
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      Command line: "svchost.exe"
      PID: 4392
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 172KB (hashes match the submitted sample)
MD5: 07116ec4a84de6a40d1463edd99a80ff
SHA1: b2915fc118e71f39befe7faa12c3ca3c58ebd540
SHA256: 7c77d08316b5c698b66bff9640a79f32a1a4ef142c2965a996771baae9b7783f
SHA512: 590ce3a26b667427b01121833da2408a8924cb2fdf24cf170b685c9c9e28732b27b960cbf073e7ddca9c3c7162f7a8504e59c5bb7d4584eaa0459de24330d998