Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
20-06-2024 18:13
Behavioral task
behavioral1
Sample
088a28ef186cfcbf728372ab4446d851_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
088a28ef186cfcbf728372ab4446d851_JaffaCakes118.exe
Resource
win10v2004-20240611-en
General
-
Target
088a28ef186cfcbf728372ab4446d851_JaffaCakes118.exe
-
Size
620KB
-
MD5
088a28ef186cfcbf728372ab4446d851
-
SHA1
2eb70c41bda4e114ef59efa29e98f58628c0d1dd
-
SHA256
5768e19bfcce008cbe7f51d5ba2422fe6fdabd35dfbadcacb2b811d85bb7161d
-
SHA512
edbdc3562193b9086266e25f6803caa1b427ab0cef0443e4eee46a47c34fe12a45a9c4a4e92b556f480f16507f4d4bbdf1b677a6a8e062e61a673116812025b9
-
SSDEEP
12288:uEX/qvxvfPFJWc5Ob0vfstuIZRfYcahfhcRoS4:uEvIxvXPL5OYvkw8RYHhO6S4
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 2 IoCs
Processes:
resource yara_rule behavioral1/memory/2084-0-0x0000000000400000-0x000000000049B000-memory.dmp modiloader_stage2 behavioral1/memory/2084-10-0x0000000000400000-0x000000000049B000-memory.dmp modiloader_stage2 -
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
Processes:
088a28ef186cfcbf728372ab4446d851_JaffaCakes118.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ERSvc\Parameters\ServiceDll = "C:\\Windows\\system32\\syst.dll" 088a28ef186cfcbf728372ab4446d851_JaffaCakes118.exe -
Drops file in System32 directory 2 IoCs
Processes:
088a28ef186cfcbf728372ab4446d851_JaffaCakes118.exedescription ioc process File created C:\Windows\SysWOW64\Deleteme.bat 088a28ef186cfcbf728372ab4446d851_JaffaCakes118.exe File created C:\Windows\SysWOW64\syst.dll 088a28ef186cfcbf728372ab4446d851_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
088a28ef186cfcbf728372ab4446d851_JaffaCakes118.exedescription pid process target process PID 2084 wrote to memory of 2592 2084 088a28ef186cfcbf728372ab4446d851_JaffaCakes118.exe cmd.exe PID 2084 wrote to memory of 2592 2084 088a28ef186cfcbf728372ab4446d851_JaffaCakes118.exe cmd.exe PID 2084 wrote to memory of 2592 2084 088a28ef186cfcbf728372ab4446d851_JaffaCakes118.exe cmd.exe PID 2084 wrote to memory of 2592 2084 088a28ef186cfcbf728372ab4446d851_JaffaCakes118.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\088a28ef186cfcbf728372ab4446d851_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\088a28ef186cfcbf728372ab4446d851_JaffaCakes118.exe"1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\system32\Deleteme.bat2⤵PID:2592
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs1⤵PID:2240
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
212B
MD50ca6330d1472c87fa524d5f3f1a746b5
SHA11f5f8101390a63aacb1dd132ced9f1dfe40f2a18
SHA25616a3f057daa4b324b611c39c19a93c0e49cb3320efeb0968115ca47bccafce53
SHA5127280ed361094c3d53f7a9b47bcc5b2e6db916ee1a33b7971c4249dccac98d6b730fab1505eeadd1eeb812b961e5e3548ebca46484f781d58dd7fb9c5852c7552