Analysis
-
max time kernel
151s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
20-06-2024 17:09
Static task
static1
Behavioral task
behavioral1
Sample
0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe
-
Size
682KB
-
MD5
0812ca75d13ff0ed86bc29edbed3cc94
-
SHA1
f05fa0e094648ad88340858e105e30b9b95699d1
-
SHA256
c3a2a615367c4146d9d18fbf212469599fec07f8ccdb38e5e8fa5036f899a6eb
-
SHA512
5cbdfcbb7e5bf6acb7f8bc245fed032a7914d68760b55f359d35a4b5fbfcb350a0a6989c0f7f6f815c2c658d79e821f38f25f5d2b620d643a94a49fc984849d1
-
SSDEEP
12288:GCak3wugOJ63b6colgOcIdA6cyhnUF3Z4mxxnsqWmXAnMECUQIZ1D6BF:Fa9ugOUr6TKsWSUQmXsPyAnMECT4gF
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 5 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4284-32-0x0000000000400000-0x0000000000523000-memory.dmp | modiloader_stage2
behavioral2/memory/4228-33-0x0000000000400000-0x0000000000523000-memory.dmp | modiloader_stage2
behavioral2/memory/4284-42-0x0000000000400000-0x0000000000523000-memory.dmp | modiloader_stage2
behavioral2/memory/4228-45-0x0000000000400000-0x0000000000523000-memory.dmp | modiloader_stage2
behavioral2/memory/4228-46-0x0000000000400000-0x0000000000523000-memory.dmp | modiloader_stage2
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
4228 | winrars32.exe
-
Drops file in System32 directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\_winrars32.exe | winrars32.exe
File opened for modification | C:\Windows\SysWOW64\_winrars32.exe | winrars32.exe
-
Drops file in Program Files directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\DelSvel.bat | 0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\winrars32.exe | 0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\winrars32.exe | 0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe
-
Program crash 2 IoCs
Processes:
pid | pid_target | process | target process
5028 | 4228 | WerFault.exe | winrars32.exe
1612 | 4228 | WerFault.exe | winrars32.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 4284 wrote to memory of 4228 | 4284 | 0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe | winrars32.exe
PID 4284 wrote to memory of 4228 | 4284 | 0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe | winrars32.exe
PID 4284 wrote to memory of 4228 | 4284 | 0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe | winrars32.exe
PID 4228 wrote to memory of 2744 | 4228 | winrars32.exe | calc.exe
PID 4228 wrote to memory of 2744 | 4228 | winrars32.exe | calc.exe
PID 4228 wrote to memory of 2744 | 4228 | winrars32.exe | calc.exe
PID 4228 wrote to memory of 5028 | 4228 | winrars32.exe | WerFault.exe
PID 4228 wrote to memory of 5028 | 4228 | winrars32.exe | WerFault.exe
PID 4228 wrote to memory of 5028 | 4228 | winrars32.exe | WerFault.exe
PID 4284 wrote to memory of 1392 | 4284 | 0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe | cmd.exe
PID 4284 wrote to memory of 1392 | 4284 | 0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe | cmd.exe
PID 4284 wrote to memory of 1392 | 4284 | 0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe | cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0812ca75d13ff0ed86bc29edbed3cc94_JaffaCakes118.exe"
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4284
    -
    C:\Program Files\Common Files\Microsoft Shared\MSINFO\winrars32.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSINFO\winrars32.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4228
        -
        C:\Windows\SysWOW64\calc.exe
        "C:\Windows\system32\calc.exe"
        PID:2744
        -
        C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 664
        - Program crash
        PID:5028
        -
        C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 664
        - Program crash
        PID:1612
    -
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\DelSvel.bat""
    PID:1392
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4228 -ip 4228
PID:2656
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
PID:400
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
212B
MD5
b82da111a58e6027bafaac4780c2f6cc
SHA1
e56bae62ddf649ff2ce0821f56e8d90f6b86cdc8
SHA256
960591688dcd69c1d915791a81dead50030848054ff1ab124219faffa4d7ea1f
SHA512
8228a6018af6c6ddb4380bcc8342bd9c62e960c3697839ff0db6a4c986e757855ab994fe0934821ab8a790e27ee5866116ee1dce2e302c527bbd129dd5033f11
-
Filesize
682KB
MD5
0812ca75d13ff0ed86bc29edbed3cc94
SHA1
f05fa0e094648ad88340858e105e30b9b95699d1
SHA256
c3a2a615367c4146d9d18fbf212469599fec07f8ccdb38e5e8fa5036f899a6eb
SHA512
5cbdfcbb7e5bf6acb7f8bc245fed032a7914d68760b55f359d35a4b5fbfcb350a0a6989c0f7f6f815c2c658d79e821f38f25f5d2b620d643a94a49fc984849d1