Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
20-06-2024 19:20
Behavioral task
behavioral1
Sample
090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe
Resource
win10v2004-20240611-en
General
-
Target
090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe
-
Size
144KB
-
MD5
090bf041fbb31425823c2e199f3159b7
-
SHA1
eeb5de5e7d1ae87b8646aded4d4d21f8c52b7672
-
SHA256
6dc6a809f9a9a218145caf8831f92852c57cba114ba5f3ad0ae65c3328aec76f
-
SHA512
01a0cc21573a7b3793b628f15fd17d962a5c87a8abc373ab4c53deb2255e29c7c6e85038a34e5b6fc78f5e36f28c7a4b47297942f643e46b82b26c89450caafe
-
SSDEEP
1536:mpecxq/Q3JDFtzsMggA+qW4YjznNRt2gTVjkXW9X/Z+08yxzU/N77pBFzpB:34J/ngx+c2znN3pVgQ8Ll77pntB
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\kacir.dll modiloader_stage2 behavioral2/memory/1576-8-0x0000000010000000-0x000000001002B000-memory.dmp modiloader_stage2 -
Loads dropped DLL 2 IoCs
Processes:
090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exepid process 1576 090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe 1576 090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exedescription pid process target process PID 1576 set thread context of 1472 1576 090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe 090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exepid process 1472 090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exedescription pid process target process PID 1576 wrote to memory of 1472 1576 090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe 090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe PID 1576 wrote to memory of 1472 1576 090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe 090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe PID 1576 wrote to memory of 1472 1576 090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe 090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe PID 1576 wrote to memory of 1472 1576 090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe 090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe PID 1576 wrote to memory of 1472 1576 090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe 090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Users\Admin\AppData\Local\Temp\090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe2⤵
- Suspicious use of SetWindowsHookEx
PID:1472
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
17KB
MD565b9130324abd8c5a802f5422fa60e88
SHA1ca6590f37882e0752544cd2e7160d0c968fb9935
SHA256b36c754d154ba74bafa17ae971010cd1b0eb979a1a766333776c05b5920eb95f
SHA5127fefe2f732bb64a956508e5b94ac88cb86ac37bfb9f7d2b21bbd9e5a924a3455afd7e2405c9d7a8531ee1517272a93ca54334c02f66a8935a9edc9a5133c1359