Analysis

  • max time kernel
    51s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-06-2024 16:30

General

  • Target

    07c1c5bcb1cd1add57fc61db4acc25ab_JaffaCakes118.exe

  • Size

    646KB

  • MD5

    07c1c5bcb1cd1add57fc61db4acc25ab

  • SHA1

    b6eda21fd0d090258eb3f3f5e298990fb9fdae9e

  • SHA256

    569d8d3d1e0a999f19dfb6b0a90172734c209b5b8123e2581b837d4c612c4cdf

  • SHA512

    13eba47ff72aca6219f04c9349be0c8474c585d42cdf7e4f77b2e313b446e538a29158e8342514ecc622be03cc485ef86eb9f6e520721caefc6d91bcde99e40a

  • SSDEEP

    12288:oa4iYr9Im0kJRkCPj1Qa0woiegYGnpKDVlSlCEwsKf0:oaPYr9ImpR9/ppegYJZlSlCEwsP

Score
10/10

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\07c1c5bcb1cd1add57fc61db4acc25ab_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\07c1c5bcb1cd1add57fc61db4acc25ab_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3400
    • C:\Program Files\Common Files\Microsoft Shared\MSINFO\LSSRC.EXE
      "C:\Program Files\Common Files\Microsoft Shared\MSINFO\LSSRC.EXE"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4160
      • C:\Windows\SysWOW64\calc.exe
        "C:\Windows\system32\calc.exe"
        3⤵
          PID:4108
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 680
          3⤵
          • Program crash
          PID:1336
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\DelSvel.bat""
        2⤵
          PID:4520
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4160 -ip 4160
        1⤵
          PID:1132

        Downloads

        • C:\Program Files\Common Files\Microsoft Shared\MSINFO\DelSvel.bat

          Filesize

          212B

          MD5

          d2aeae54294fa4b356021a8b67300bc8

          SHA1

          63d838516e334191a3232bdca6af85373018a0f8

          SHA256

          f26b206555a0ad11f2ffec69061cb0db3a430ed78758cb89e1d9ad6c2c295db4

          SHA512

          cc16be86bc2761ba3e2ca033702d75815c1915951c8c57a3120acb8a6ccb0e046799307a16d270c7d53409a83bcbaf00370e18228f771e8240e5a8b200612d39

        • C:\Program Files\Common Files\microsoft shared\MSInfo\LSSRC.EXE

          Filesize

          646KB

          MD5

          07c1c5bcb1cd1add57fc61db4acc25ab

          SHA1

          b6eda21fd0d090258eb3f3f5e298990fb9fdae9e

          SHA256

          569d8d3d1e0a999f19dfb6b0a90172734c209b5b8123e2581b837d4c612c4cdf

          SHA512

          13eba47ff72aca6219f04c9349be0c8474c585d42cdf7e4f77b2e313b446e538a29158e8342514ecc622be03cc485ef86eb9f6e520721caefc6d91bcde99e40a

        • memory/3400-15-0x0000000003420000-0x0000000003423000-memory.dmp

          Filesize

          12KB

        • memory/3400-25-0x0000000003470000-0x0000000003471000-memory.dmp

          Filesize

          4KB

        • memory/3400-28-0x0000000003440000-0x0000000003441000-memory.dmp

          Filesize

          4KB

        • memory/3400-26-0x0000000003470000-0x0000000003471000-memory.dmp

          Filesize

          4KB

        • memory/3400-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

          Filesize

          4KB

        • memory/3400-23-0x0000000003470000-0x0000000003471000-memory.dmp

          Filesize

          4KB

        • memory/3400-24-0x0000000003470000-0x0000000003471000-memory.dmp

          Filesize

          4KB

        • memory/3400-14-0x0000000003430000-0x0000000003431000-memory.dmp

          Filesize

          4KB

        • memory/3400-22-0x0000000003470000-0x0000000003471000-memory.dmp

          Filesize

          4KB

        • memory/3400-13-0x0000000003430000-0x0000000003431000-memory.dmp

          Filesize

          4KB

        • memory/3400-20-0x0000000003470000-0x0000000003471000-memory.dmp

          Filesize

          4KB

        • memory/3400-32-0x0000000000770000-0x0000000000771000-memory.dmp

          Filesize

          4KB

        • memory/3400-19-0x0000000003470000-0x0000000003471000-memory.dmp

          Filesize

          4KB

        • memory/3400-18-0x0000000003470000-0x0000000003471000-memory.dmp

          Filesize

          4KB

        • memory/3400-17-0x0000000003470000-0x0000000003471000-memory.dmp

          Filesize

          4KB

        • memory/3400-16-0x0000000003520000-0x0000000003521000-memory.dmp

          Filesize

          4KB

        • memory/3400-27-0x0000000000760000-0x0000000000761000-memory.dmp

          Filesize

          4KB

        • memory/3400-29-0x0000000003520000-0x0000000003521000-memory.dmp

          Filesize

          4KB

        • memory/3400-21-0x0000000003470000-0x0000000003471000-memory.dmp

          Filesize

          4KB

        • memory/3400-12-0x0000000003420000-0x0000000003520000-memory.dmp

          Filesize

          1024KB

        • memory/3400-11-0x0000000002450000-0x0000000002451000-memory.dmp

          Filesize

          4KB

        • memory/3400-10-0x00000000024C0000-0x00000000024C1000-memory.dmp

          Filesize

          4KB

        • memory/3400-9-0x0000000002490000-0x0000000002491000-memory.dmp

          Filesize

          4KB

        • memory/3400-8-0x00000000024A0000-0x00000000024A1000-memory.dmp

          Filesize

          4KB

        • memory/3400-7-0x0000000002320000-0x0000000002321000-memory.dmp

          Filesize

          4KB

        • memory/3400-6-0x0000000002330000-0x0000000002331000-memory.dmp

          Filesize

          4KB

        • memory/3400-5-0x00000000024B0000-0x00000000024B1000-memory.dmp

          Filesize

          4KB

        • memory/3400-4-0x0000000002460000-0x0000000002461000-memory.dmp

          Filesize

          4KB

        • memory/3400-3-0x0000000002480000-0x0000000002481000-memory.dmp

          Filesize

          4KB

        • memory/3400-2-0x0000000002290000-0x00000000022E4000-memory.dmp

          Filesize

          336KB

        • memory/3400-41-0x0000000000400000-0x00000000005C0000-memory.dmp

          Filesize

          1.8MB

        • memory/3400-42-0x0000000002290000-0x00000000022E4000-memory.dmp

          Filesize

          336KB

        • memory/3400-0-0x0000000000400000-0x00000000005C0000-memory.dmp

          Filesize

          1.8MB

        • memory/4160-44-0x0000000000400000-0x00000000005C0000-memory.dmp

          Filesize

          1.8MB