Analysis
-
max time kernel
140s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
20-06-2024 17:42
Static task
static1
Behavioral task
behavioral1
Sample
08521b4a7057cef60d8281f50a7bdc58_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
08521b4a7057cef60d8281f50a7bdc58_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
08521b4a7057cef60d8281f50a7bdc58_JaffaCakes118.exe
-
Size
683KB
-
MD5
08521b4a7057cef60d8281f50a7bdc58
-
SHA1
2543185e7052bf667bda9886bca838c8a3374a3e
-
SHA256
d3e8b9e99e2e1c7580d0664798cac729328e8cea50aba3dd64aa8ce3a8cb451e
-
SHA512
50e86cc8f508ee91574efff05f8fd03e71e608d264da642e2cde5c700b90231b314208f0e6ffe706d59d9ddb7aa15feeb04d8e28f11ac7efb65f3eaea72182a9
-
SSDEEP
12288:nPZGLM/Ipi1jH2To8A0K0Aced4AMBKVr8pQAR+ChGtF3Z4mxxRrWPH+efOvsbVU:nPPIpaHmo8M0ARbMB44pHR+ChGtQmX0c
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2184-65-0x0000000000400000-0x000000000056F000-memory.dmp modiloader_stage2 -
Drops file in Program Files directory 1 IoCs
Processes:
08521b4a7057cef60d8281f50a7bdc58_JaffaCakes118.exedescription ioc process File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt 08521b4a7057cef60d8281f50a7bdc58_JaffaCakes118.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2752 2184 WerFault.exe 08521b4a7057cef60d8281f50a7bdc58_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
08521b4a7057cef60d8281f50a7bdc58_JaffaCakes118.exedescription pid process target process PID 2184 wrote to memory of 2716 2184 08521b4a7057cef60d8281f50a7bdc58_JaffaCakes118.exe IEXPLORE.EXE PID 2184 wrote to memory of 2716 2184 08521b4a7057cef60d8281f50a7bdc58_JaffaCakes118.exe IEXPLORE.EXE PID 2184 wrote to memory of 2716 2184 08521b4a7057cef60d8281f50a7bdc58_JaffaCakes118.exe IEXPLORE.EXE PID 2184 wrote to memory of 2716 2184 08521b4a7057cef60d8281f50a7bdc58_JaffaCakes118.exe IEXPLORE.EXE PID 2184 wrote to memory of 2752 2184 08521b4a7057cef60d8281f50a7bdc58_JaffaCakes118.exe WerFault.exe PID 2184 wrote to memory of 2752 2184 08521b4a7057cef60d8281f50a7bdc58_JaffaCakes118.exe WerFault.exe PID 2184 wrote to memory of 2752 2184 08521b4a7057cef60d8281f50a7bdc58_JaffaCakes118.exe WerFault.exe PID 2184 wrote to memory of 2752 2184 08521b4a7057cef60d8281f50a7bdc58_JaffaCakes118.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\08521b4a7057cef60d8281f50a7bdc58_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\08521b4a7057cef60d8281f50a7bdc58_JaffaCakes118.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\program files\internet explorer\IEXPLORE.EXE"C:\program files\internet explorer\IEXPLORE.EXE"2⤵PID:2716
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 3122⤵
- Program crash
PID:2752