Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-06-2024 16:00

General

  • Target

    0788b1fdfc19097b57df85013eb68413_JaffaCakes118.exe

  • Size

    61KB

  • MD5

    0788b1fdfc19097b57df85013eb68413

  • SHA1

    8bb1217f6bc496e5f1acc2edd5aa8c07eac0fe9d

  • SHA256

    b2d5820b2d985b0c27b2a88545ff5b6c3fd8e3f5878c6456e20385921f0c9b79

  • SHA512

    9c9335adbc973b0533688fec087f7dcc4f73afb9fb9993ec48666280e650525cacc4ea26ea748f8c8156a708b3a144f815b4a1cd5f7c690cc0e513ceaf56fe05

  • SSDEEP

    1536:Om7wjsVTJ+p3JrkGLawHE/E2j+ENmYJgU9BNtVhX4hFISo:p+sVT45mn/bjnNqU9B5ZQFISo

Score
10/10

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1128
      • C:\Users\Admin\AppData\Local\Temp\0788b1fdfc19097b57df85013eb68413_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\0788b1fdfc19097b57df85013eb68413_JaffaCakes118.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2028
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\temp.exe
          3⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1664
          • C:\Users\Admin\AppData\Local\Temp\temp.exe
            C:\Users\Admin\AppData\Local\Temp\temp.exe
            4⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1652
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c C:\Windows\system32\vvvvvvvv.bat
              5⤵
                PID:2272
      • C:\Windows\SysWOW64\tcpip.exe
        C:\Windows\SysWOW64\tcpip.exe
        1⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2192

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\temp.exe

    Filesize

    44KB

    MD5

    5cf0d713ad1965006e123532540fbc89

    SHA1

    493d724745be1560c45a317b8e6bbdeb30c09459

    SHA256

    3e1e5d9fcd47589ab77ad92a260fcbff8328aaba08ffc636591f5e88278465a9

    SHA512

    a0e27775fc71592e0925c2d2778eda1de9c955ddebebb7c0d981ff91b78a1be98268e11322beeaed0bf9314a9dcfe9bbd4a0711c12873e3f0bc0e8aad748d7d0

  • C:\Windows\SysWOW64\vvvvvvvv.bat

    Filesize

    136B

    MD5

    62d9458eb6f619c54437f7b0fbf61b4a

    SHA1

    2e0dad7bce2fd724d66f4f448207c106615672a1

    SHA256

    5fa2bcfd5ab256d593d88b4164d42bb80037957d1bfaf93761848cb2742d76a3

    SHA512

    8913fbb1a26c39fb785ff12df80a289ff0783f99892b0782153e64f0551b144e8fc0c52d110b1a8fbfce0802b8b7e45b89331f77ff3f676d210e7b192d45b449

  • memory/1128-19-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

    Filesize

    4KB

  • memory/2028-0-0x0000000000400000-0x000000000042103E-memory.dmp

    Filesize

    132KB

  • memory/2028-3-0x0000000000400000-0x000000000042103E-memory.dmp

    Filesize

    132KB