Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 16:00
Static task: static1
Behavioral task: behavioral1
  Sample: 0788b1fdfc19097b57df85013eb68413_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 0788b1fdfc19097b57df85013eb68413_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 0788b1fdfc19097b57df85013eb68413_JaffaCakes118.exe
Size: 61KB
MD5: 0788b1fdfc19097b57df85013eb68413
SHA1: 8bb1217f6bc496e5f1acc2edd5aa8c07eac0fe9d
SHA256: b2d5820b2d985b0c27b2a88545ff5b6c3fd8e3f5878c6456e20385921f0c9b79
SHA512: 9c9335adbc973b0533688fec087f7dcc4f73afb9fb9993ec48666280e650525cacc4ea26ea748f8c8156a708b3a144f815b4a1cd5f7c690cc0e513ceaf56fe05
SSDEEP: 1536:Om7wjsVTJ+p3JrkGLawHE/E2j+ENmYJgU9BNtVhX4hFISo:p+sVT45mn/bjnNqU9B5ZQFISo
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (2 IoCs)
  resource | yara_rule
  behavioral1/memory/2028-3-0x0000000000400000-0x000000000042103E-memory.dmp | modiloader_stage2
  C:\Users\Admin\AppData\Local\Temp\temp.exe | modiloader_stage2
- Executes dropped EXE (2 IoCs)
  pid | process
  1652 | temp.exe
  2192 | tcpip.exe
- Loads dropped DLL (2 IoCs)
  pid | process
  1664 | cmd.exe
  1664 | cmd.exe
- Drops file in System32 directory (4 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\tcpip.exe | temp.exe
  File created | C:\Windows\SysWOW64\vvvvvvvv.bat | temp.exe
  File created | C:\Windows\SysWOW64\winsystem.dll | tcpip.exe
  File created | C:\Windows\SysWOW64\tcpip.exe | temp.exe
- Suspicious behavior: EnumeratesProcesses (26 IoCs, grouped by process)
  pid | process | occurrences
  2028 | 0788b1fdfc19097b57df85013eb68413_JaffaCakes118.exe | 2
  1652 | temp.exe | 15
  2192 | tcpip.exe | 9
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1652 | temp.exe
  Token: SeDebugPrivilege | 2192 | tcpip.exe
- Suspicious use of WriteProcessMemory (13 IoCs, grouped by source and target)
  description | pid | process | target process | occurrences
  PID 2028 wrote to memory of 1664 | 2028 | 0788b1fdfc19097b57df85013eb68413_JaffaCakes118.exe | cmd.exe | 4
  PID 1664 wrote to memory of 1652 | 1664 | cmd.exe | temp.exe | 4
  PID 1652 wrote to memory of 2272 | 1652 | temp.exe | cmd.exe | 4
  PID 2192 wrote to memory of 1128 | 2192 | tcpip.exe | Explorer.EXE | 1
Processes
1. C:\Windows\Explorer.EXE (PID 1128)
   command line: C:\Windows\Explorer.EXE
  2. C:\Users\Admin\AppData\Local\Temp\0788b1fdfc19097b57df85013eb68413_JaffaCakes118.exe (PID 2028)
     command line: "C:\Users\Admin\AppData\Local\Temp\0788b1fdfc19097b57df85013eb68413_JaffaCakes118.exe"
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\cmd.exe (PID 1664)
       command line: cmd /c C:\Users\Admin\AppData\Local\Temp\temp.exe
       - Loads dropped DLL
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Local\Temp\temp.exe (PID 1652)
         command line: C:\Users\Admin\AppData\Local\Temp\temp.exe
         - Executes dropped EXE
         - Drops file in System32 directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\SysWOW64\cmd.exe (PID 2272)
           command line: cmd /c C:\Windows\system32\vvvvvvvv.bat
1. C:\Windows\SysWOW64\tcpip.exe (PID 2192)
   command line: C:\Windows\SysWOW64\tcpip.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
Downloads
- File 1
  Filesize: 44KB
  MD5: 5cf0d713ad1965006e123532540fbc89
  SHA1: 493d724745be1560c45a317b8e6bbdeb30c09459
  SHA256: 3e1e5d9fcd47589ab77ad92a260fcbff8328aaba08ffc636591f5e88278465a9
  SHA512: a0e27775fc71592e0925c2d2778eda1de9c955ddebebb7c0d981ff91b78a1be98268e11322beeaed0bf9314a9dcfe9bbd4a0711c12873e3f0bc0e8aad748d7d0
- File 2
  Filesize: 136B
  MD5: 62d9458eb6f619c54437f7b0fbf61b4a
  SHA1: 2e0dad7bce2fd724d66f4f448207c106615672a1
  SHA256: 5fa2bcfd5ab256d593d88b4164d42bb80037957d1bfaf93761848cb2742d76a3
  SHA512: 8913fbb1a26c39fb785ff12df80a289ff0783f99892b0782153e64f0551b144e8fc0c52d110b1a8fbfce0802b8b7e45b89331f77ff3f676d210e7b192d45b449