Analysis
max time kernel: 143s
max time network: 122s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 17:09
Static task: static1
Behavioral task: behavioral1
  Sample: 0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe
Size: 682KB
MD5: 0812ca75d13ff0ed86bc29edbed3cc94
SHA1: f05fa0e094648ad88340858e105e30b9b95699d1
SHA256: c3a2a615367c4146d9d18fbf212469599fec07f8ccdb38e5e8fa5036f899a6eb
SHA512: 5cbdfcbb7e5bf6acb7f8bc245fed032a7914d68760b55f359d35a4b5fbfcb350a0a6989c0f7f6f815c2c658d79e821f38f25f5d2b620d643a94a49fc984849d1
SSDEEP: 12288:GCak3wugOJ63b6colgOcIdA6cyhnUF3Z4mxxnsqWmXAnMECUQIZ1D6BF:Fa9ugOUr6TKsWSUQmXsPyAnMECT4gF
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a loader written in Delphi that abuses public cloud services to host and fetch the other malware families it delivers.
-
ModiLoader Second Stage (3 IoCs)
resource | yara_rule
behavioral1/memory/2784-78-0x0000000000400000-0x0000000000523000-memory.dmp | modiloader_stage2
behavioral1/memory/2324-84-0x0000000000400000-0x0000000000523000-memory.dmp | modiloader_stage2
behavioral1/memory/2784-95-0x0000000000400000-0x0000000000523000-memory.dmp | modiloader_stage2
Deletes itself (1 IoC)
pid | process
1356 | cmd.exe
Executes dropped EXE (1 IoC)
pid | process
2324 | winrars32.exe
Loads dropped DLL (5 IoCs)
pid | process
2784 | 0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe (2 events)
2492 | WerFault.exe (3 events)
Drops file in System32 directory (2 IoCs)
description | ioc | process
File created | C:\Windows\SysWOW64\_winrars32.exe | winrars32.exe
File opened for modification | C:\Windows\SysWOW64\_winrars32.exe | winrars32.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 2324 set thread context of 2628 | 2324 | winrars32.exe | calc.exe
Drops file in Program Files directory (3 IoCs)
description | ioc | process
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\DelSvel.bat | 0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\winrars32.exe | 0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\winrars32.exe | 0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe
Program crash (1 IoC)
pid | pid_target | process | target process
2492 | 2324 | WerFault.exe | winrars32.exe
Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | process | target process
PID 2784 wrote to memory of 2324 | 2784 | 0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe | winrars32.exe (4 events)
PID 2324 wrote to memory of 2628 | 2324 | winrars32.exe | calc.exe (6 events)
PID 2324 wrote to memory of 2492 | 2324 | winrars32.exe | WerFault.exe (4 events)
PID 2784 wrote to memory of 1356 | 2784 | 0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe | cmd.exe (4 events)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe"
    PID: 2784
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files\Common Files\Microsoft Shared\MSINFO\winrars32.exe
        Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\winrars32.exe"
        PID: 2324
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\calc.exe
            Command line: "C:\Windows\system32\calc.exe"
            PID: 2628
        [3] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 320
            PID: 2492
            - Loads dropped DLL
            - Program crash
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\DelSvel.bat""
        PID: 1356
        - Deletes itself
Note: calc.exe is launched with a system32 path but runs from SysWOW64. winrars32.exe is a 32-bit process (the run is tagged arch:x86), so WoW64 file-system redirection resolves system32 to SysWOW64 and the process it writes into and re-points a thread of (the SetThreadContext/WriteProcessMemory pair above) is the 32-bit calc.exe.
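The signatures and the process tree above describe two behaviours worth turning into detection logic: the hollowing-style injection (winrars32.exe both writes into calc.exe and sets a thread context in it) and the self-deletion via a dropped batch file. The following Python is an added example, not Tria.ge output or ModiLoader code: it re-parses the report's own event lines (copied verbatim as constructed input) and flags exactly those two patterns. The regular expressions, the "write + set_context on a foreign image" heuristic and the self-delete rule are assumptions of this example, not the sandbox's scoring.

```python
"""Re-derive the injection and self-delete verdicts from the sandbox events.

Added example (not part of the report). The event strings below are copied
from the 'Suspicious use of WriteProcessMemory', 'SetThreadContext',
'Drops file' sections and the process tree; everything else is this
example's own heuristic.
"""
import re
from collections import defaultdict

MEMORY_EVENTS = """\
PID 2784 wrote to memory of 2324 2784 0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe winrars32.exe
PID 2324 wrote to memory of 2628 2324 winrars32.exe calc.exe
PID 2324 set thread context of 2628 2324 winrars32.exe calc.exe
PID 2324 wrote to memory of 2492 2324 winrars32.exe WerFault.exe
PID 2784 wrote to memory of 1356 2784 0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe cmd.exe
"""

FILE_EVENTS = """\
File created C:\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\DelSvel.bat 0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe
File created C:\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\winrars32.exe 0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe
File created C:\\Windows\\SysWOW64\\_winrars32.exe winrars32.exe
"""

# (pid, image, command line) from the process tree
PROCESS_TREE = [
    (2784, "0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe",
     '"C:\\Users\\Admin\\AppData\\Local\\Temp\\0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe"'),
    (2324, "winrars32.exe", '"C:\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\winrars32.exe"'),
    (2628, "calc.exe", '"C:\\Windows\\system32\\calc.exe"'),
    (2492, "WerFault.exe", "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 2324 -s 320"),
    (1356, "cmd.exe", 'cmd /c ""C:\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\DelSvel.bat""'),
]

MEM_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)$")
FILE_RE = re.compile(r"File created (.+?) (\S+)$")


def parse_memory_events(text):
    """Group cross-process memory operations by (source pid, target pid)."""
    pairs = defaultdict(lambda: {"ops": set()})
    for line in text.splitlines():
        m = MEM_RE.match(line.strip())
        if not m:
            continue
        src, op, dst, src_img, dst_img = m.groups()
        entry = pairs[(int(src), int(dst))]
        entry.update(src=src_img, dst=dst_img)
        entry["ops"].add("write" if op.startswith("wrote") else "set_context")
    return dict(pairs)


def find_hollowing(pairs):
    """Heuristic: a process that both writes into and re-points a thread of a
    process with a different image. A bare WriteProcessMemory is not enough,
    since an ordinary CreateProcess also shows up as parent-to-child writes
    (2784 -> winrars32.exe, 2324 -> WerFault.exe above)."""
    return [
        (src, dst, e["src"], e["dst"])
        for (src, dst), e in sorted(pairs.items())
        if {"write", "set_context"} <= e["ops"] and e["src"] != e["dst"]
    ]


def find_self_delete(file_text, tree, pairs):
    """Flag cmd /c <file>.bat where the .bat was created by the very process
    that spawned cmd.exe (the spawner is the one that wrote into cmd's memory)."""
    created_by = {}
    for line in file_text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            created_by[m.group(1).lower()] = m.group(2)
    spawner = {dst: e["src"] for (_, dst), e in pairs.items() if "write" in e["ops"]}
    hits = []
    for pid, image, cmdline in tree:
        if image.lower() != "cmd.exe":
            continue
        m = re.search(r'/c\s+"*(.+?\.bat)"*\s*$', cmdline, re.IGNORECASE)
        if m and created_by.get(m.group(1).lower()) == spawner.get(pid):
            hits.append((pid, m.group(1), spawner[pid]))
    return hits


def triage():
    pairs = parse_memory_events(MEMORY_EVENTS)
    return {
        "hollowing": find_hollowing(pairs),
        "self_delete": find_self_delete(FILE_EVENTS, PROCESS_TREE, pairs),
    }


if __name__ == "__main__":
    for name, hits in triage().items():
        print(name, hits)
```

Run stand-alone it reports a single hollowing pair (2324 winrars32.exe into 2628 calc.exe) and a single self-delete (PID 1356 running DelSvel.bat, which the original sample created). The write-only pairs to winrars32.exe and WerFault.exe are deliberately left out; on real telemetry the same rule should also tolerate debuggers and crash handlers that legitimately call SetThreadContext on their own children.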
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize: 212B
MD5: b82da111a58e6027bafaac4780c2f6cc
SHA1: e56bae62ddf649ff2ce0821f56e8d90f6b86cdc8
SHA256: 960591688dcd69c1d915791a81dead50030848054ff1ab124219faffa4d7ea1f
SHA512: 8228a6018af6c6ddb4380bcc8342bd9c62e960c3697839ff0db6a4c986e757855ab994fe0934821ab8a790e27ee5866116ee1dce2e302c527bbd129dd5033f11
-
Filesize: 682KB
MD5: 0812ca75d13ff0ed86bc29edbed3cc94
SHA1: f05fa0e094648ad88340858e105e30b9b95699d1
SHA256: c3a2a615367c4146d9d18fbf212469599fec07f8ccdb38e5e8fa5036f899a6eb
SHA512: 5cbdfcbb7e5bf6acb7f8bc245fed032a7914d68760b55f359d35a4b5fbfcb350a0a6989c0f7f6f815c2c658d79e821f38f25f5d2b620d643a94a49fc984849d1