Analysis

- max time kernel: 142s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 20-06-2024 16:32
Static task: static1

Behavioral task: behavioral1
- Sample: 07c570dd70589229a0421d681977a743_JaffaCakes118.exe
- Resource: win7-20240611-en

Behavioral task: behavioral2
- Sample: 07c570dd70589229a0421d681977a743_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General

- Target: 07c570dd70589229a0421d681977a743_JaffaCakes118.exe
- Size: 732KB
- MD5: 07c570dd70589229a0421d681977a743
- SHA1: 2aed17a0a83135117cf59278b5d46ba293c45380
- SHA256: f0913c4ceef7752db1bdda7e70617512da8e6ab399f329c0c77eb01d1aa199b1
- SHA512: 0ceb158f1009d4b8e7ac022a7ad15c001abd2b73959ec513abc2851e32abd8fc5544e1b9564bcfeee7985bf078f23b9b36f61770122e78e1502798abebb17a48
- SSDEEP: 12288:JPdsCAmVw2f+LEXLjDk3aXDlkd3dTw6X6tF3Z4mxxJ4H8tcFA8WS:JPpVw2f+LEppwdU6X6tQmX+H8mH
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage (2 IoCs)
- resource behavioral1/memory/2092-61-0x0000000000400000-0x00000000004C0000-memory.dmp matched yara_rule modiloader_stage2
- resource behavioral1/memory/2852-74-0x0000000000400000-0x00000000004C0000-memory.dmp matched yara_rule modiloader_stage2
Deletes itself (1 IoC)
- PID 2652 cmd.exe
Executes dropped EXE (2 IoCs)
- PID 2784 rejoice101.exe
- PID 2852 rejoice101.exe
Loads dropped DLL (6 IoCs)
- PID 2092 07c570dd70589229a0421d681977a743_JaffaCakes118.exe (2 events)
- PID 2784 rejoice101.exe (1 event)
- PID 2560 WerFault.exe (3 events)
Drops file in System32 directory (2 IoCs)
- File opened for modification: C:\Windows\SysWOW64\_rejoice101.exe (process: rejoice101.exe)
- File created: C:\Windows\SysWOW64\_rejoice101.exe (process: rejoice101.exe)
Suspicious use of SetThreadContext (3 IoCs)
- PID 1936 07c570dd70589229a0421d681977a743_JaffaCakes118.exe set thread context of PID 2092 07c570dd70589229a0421d681977a743_JaffaCakes118.exe
- PID 2784 rejoice101.exe set thread context of PID 2852 rejoice101.exe
- PID 2852 rejoice101.exe set thread context of PID 2484 calc.exe
Drops file in Program Files directory (3 IoCs)
- File created: C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe (process: 07c570dd70589229a0421d681977a743_JaffaCakes118.exe)
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe (process: 07c570dd70589229a0421d681977a743_JaffaCakes118.exe)
- File created: C:\Program Files\Common Files\Microsoft Shared\MSINFO\DelSvel.bat (process: 07c570dd70589229a0421d681977a743_JaffaCakes118.exe)
Program crash (1 IoC)
- PID 2560 WerFault.exe, crashed target PID 2852 rejoice101.exe
Suspicious use of WriteProcessMemory (30 IoCs, grouped by source and target process with event counts)
- PID 1936 07c570dd70589229a0421d681977a743_JaffaCakes118.exe wrote to memory of PID 2092 07c570dd70589229a0421d681977a743_JaffaCakes118.exe (6 events)
- PID 2092 07c570dd70589229a0421d681977a743_JaffaCakes118.exe wrote to memory of PID 2784 rejoice101.exe (4 events)
- PID 2784 rejoice101.exe wrote to memory of PID 2852 rejoice101.exe (6 events)
- PID 2092 07c570dd70589229a0421d681977a743_JaffaCakes118.exe wrote to memory of PID 2652 cmd.exe (4 events)
- PID 2852 rejoice101.exe wrote to memory of PID 2484 calc.exe (6 events)
- PID 2852 rejoice101.exe wrote to memory of PID 2560 WerFault.exe (4 events)
Processes (process tree; indentation shows parent/child relationship, the number in brackets is the tree depth)

[1] C:\Users\Admin\AppData\Local\Temp\07c570dd70589229a0421d681977a743_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\07c570dd70589229a0421d681977a743_JaffaCakes118.exe"
    PID: 1936
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\07c570dd70589229a0421d681977a743_JaffaCakes118.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\07c570dd70589229a0421d681977a743_JaffaCakes118.exe
        PID: 2092
        - Loads dropped DLL
        - Drops file in Program Files directory
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
            Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe"
            PID: 2784
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

            [4] C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
                Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe"
                PID: 2852
                - Executes dropped EXE
                - Drops file in System32 directory
                - Suspicious use of SetThreadContext
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\calc.exe
                    Command line: "C:\Windows\system32\calc.exe"
                    PID: 2484

                [5] C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 280
                    PID: 2560
                    - Loads dropped DLL
                    - Program crash

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\DelSvel.bat""
            PID: 2652
            - Deletes itself
Downloads

- Filesize: 212B
  MD5: 0dcca9fd2a7303501e9a819f0969d91c
  SHA1: 5b71dd6267b8f905aeb2260a1b9c25683e4686bc
  SHA256: 1d139972ca03486b6379293282ebeb3aa30b6087af9f3972974f55de367a4b77
  SHA512: 81d847c0d215d6357eec4f6e27fe515b69c37070275aab2e4c46fe03965694bd5dc5f44728f5009046ff2a02b55869c2a8b5c795bd507825e0b160b651b883ee

- Filesize: 732KB
  MD5: 07c570dd70589229a0421d681977a743
  SHA1: 2aed17a0a83135117cf59278b5d46ba293c45380
  SHA256: f0913c4ceef7752db1bdda7e70617512da8e6ab399f329c0c77eb01d1aa199b1
  SHA512: 0ceb158f1009d4b8e7ac022a7ad15c001abd2b73959ec513abc2851e32abd8fc5544e1b9564bcfeee7985bf078f23b9b36f61770122e78e1502798abebb17a48