Analysis

max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 17:02
Static task: static1

Behavioral task: behavioral1
  Sample: 0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General

Target: 0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe
Size: 307KB
MD5: 0804a8a96641c1fdf34a7bace3e631df
SHA1: b186a9d3fec5a3ce2ff60ae77692baf86d1eecb6
SHA256: 6a190bcafe9cc319f49062f37afb7ab5cd0abd61b95a7cd027c61edb1c16ba09
SHA512: f1f97cfc503f0b35d8ab1e069cc948e21536baa701babb319045ad84bec14060e2854477e31fb6dc9146de0ff9ad440822b5f3835acafcd1b4470a5be5c49e6f
SSDEEP: 6144:160drKkUVCjsAJ6QrA+wK5e87AHZ+Z1/uGokN/Fdb65a:Xd9cjRQrhwI73uGhzu5
Signatures

ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (3 IoCs)
  Processes:
    resource                                                                       yara_rule
    behavioral1/memory/1776-18-0x0000000000400000-0x0000000000553210-memory.dmp    modiloader_stage2
    behavioral1/memory/2424-20-0x0000000000400000-0x0000000000553210-memory.dmp    modiloader_stage2
    behavioral1/memory/1776-28-0x0000000000400000-0x0000000000553210-memory.dmp    modiloader_stage2

Deletes itself (1 IoC)
  Processes:
    pid     process
    2668    cmd.exe

Executes dropped EXE (1 IoC)
  Processes:
    pid     process
    2424    explorer.bat

Loads dropped DLL (4 IoCs)
  Processes:
    pid     process
    1776    0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe
    1776    0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe
    3036    WerFault.exe
    3036    WerFault.exe

Drops file in Program Files directory (3 IoCs)
  Processes:
    description                     ioc                              process
    File created                    C:\Program Files\explorer.bat    0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe
    File opened for modification    C:\Program Files\explorer.bat    0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe
    File created                    C:\Program Files\SxDel.bat       0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe

Program crash (1 IoC)
  Processes:
    pid     pid_target    process         target process
    3036    2424          WerFault.exe    explorer.bat

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                          pid     process                                                target process
    PID 1776 wrote to memory of 2424     1776    0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe    explorer.bat
    PID 1776 wrote to memory of 2424     1776    0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe    explorer.bat
    PID 1776 wrote to memory of 2424     1776    0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe    explorer.bat
    PID 1776 wrote to memory of 2424     1776    0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe    explorer.bat
    PID 2424 wrote to memory of 3036     2424    explorer.bat                                           WerFault.exe
    PID 2424 wrote to memory of 3036     2424    explorer.bat                                           WerFault.exe
    PID 2424 wrote to memory of 3036     2424    explorer.bat                                           WerFault.exe
    PID 2424 wrote to memory of 3036     2424    explorer.bat                                           WerFault.exe
    PID 1776 wrote to memory of 2668     1776    0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe    cmd.exe
    PID 1776 wrote to memory of 2668     1776    0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe    cmd.exe
    PID 1776 wrote to memory of 2668     1776    0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe    cmd.exe
    PID 1776 wrote to memory of 2668     1776    0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe    cmd.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe"
   PID: 1776
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files\explorer.bat
      Command line: "C:\Program Files\explorer.bat"
      PID: 2424
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 284
         PID: 3036
         - Loads dropped DLL
         - Program crash

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Program Files\SxDel.bat""
      PID: 2668
      - Deletes itself
Downloads

File 1
  Filesize: 212B
  MD5: cffbdc82ea4f571f35ca41fa2bfa1ff9
  SHA1: 32c6529c26d0843009c1e58f9cea3c02acf39daf
  SHA256: 8676c9c15ec3f311a20f08ea45d4b1b8e9cd8c8207ed881fbb7669a63caf1bb7
  SHA512: 51b4b96d504f03797efd6dc5d1b756f16563fc414d483bc3900f7c8d59abe2e0c307aa888d85d23179dc59fa9720dff23dafe7870de4b096b953ce2142eb9702

File 2
  Filesize: 307KB
  MD5: 0804a8a96641c1fdf34a7bace3e631df
  SHA1: b186a9d3fec5a3ce2ff60ae77692baf86d1eecb6
  SHA256: 6a190bcafe9cc319f49062f37afb7ab5cd0abd61b95a7cd027c61edb1c16ba09
  SHA512: f1f97cfc503f0b35d8ab1e069cc948e21536baa701babb319045ad84bec14060e2854477e31fb6dc9146de0ff9ad440822b5f3835acafcd1b4470a5be5c49e6f